Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Security Considerations for Mobile Application Developers

In May, Nielsen released a study that found more the number of apps per smartphone in the U.S. jumped 28 percent between 2011 and 2012. Assuming this trend does not suddenly end, mobile app developers should expect to be busy.  

In May, Nielsen released a study that found more the number of apps per smartphone in the U.S. jumped 28 percent between 2011 and 2012. Assuming this trend does not suddenly end, mobile app developers should expect to be busy.  

Mobile Application DevelopmentBut it also means mobile apps are going to continue to gain attention from attackers. In a report in August, researchers at Arxan Technologies noted that 92 percent of the Top 100 paid iOS applications and 100 percent of the Top 100 paid Google Android applications have been hacked.  

An important step in addressing this issue is to stop attackers from reverse-engineering applications. Fortunately, there are a number of steps developers can take to keep their work from being tampered with, said Kevin McNamee, director and security architect at Kindsight Security Labs. For one, they can obfuscate the Java byte code to prevent attackers from figuring out what the code does.

“This also prevents attackers from easily modifying the code to build hijacked versions or inject malware into the application,” he said. “[Android] developers can use ProGuard, which is a free obfuscator, or DexGuard, which has a license fee but is specifically designed for Android.”

In addition, developers can distribute key aspects of the application as libraries to protect algorithms and other intellectual property and encrypt important configuration information to prevent tampering, he added. 

Just as hackers analyze code for weaknesses, developers need to analyze code they are embedding into their application as they are accepting and passing through any risk in that code to end users, said Tyler Shields, senior security researcher at Veracode.

“Double and triple check your permissions,” he said. Application developers use third parties’ libraries in code to speed up the creative process. Code reuse is not only common, but one of the main tenants of being an effective and efficient developer. However, there are problems that come with code reuse, including knowing exactly what the code you are reusing does.”

In addition, Shields noted, third-party code can attempt to leverage any extraneous permissions that may have made its way into the application.

Advertisement. Scroll to continue reading.

“Moral of the story: limit your permissions to only those required for the operation of your application and check the security of any piece of third party code that you embed into your application,” he said.

Playing fast and loose with loopholes in their permission model can hurt developers in the long run, noted Domingo Guerra, president and co-founder of Appthority.

“Time and time again, we’ve seen apps that find a way to circumvent the permission model set forth by Apple or Google,” he explained to SecurityWeek. “For example, apps are required to ask a user’s permission before accessing their location if using the device GPS. However, some developers have found that if the device GPS isn’t used, an app can still track location by using third-party APIs or GeoIP tracking without asking the user for permission. This is just bad form and bad practice, if you need user data, ask for it (and let your users decide). Your reputation as a developer is important.”

But, according to Shields, one of the major mistakes developers often make isn’t even technical.

“One of the biggest mistakes mobile application developers make is thinking they’re done learning after they graduate,” he said. “Only a limited amount of time is spent educating developers on security-related subjects while in school, such as how to build security measures into their mobile applications…To counter this, I’d suggest developers participate in yearly security awareness sessions offered by top security companies or seek out additional security training at a local university.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.