It is undeniable how dependent individuals, businesses, or any organized group for that matter, have become on mobile devices. Quite often the use of these devices includes the storage of sensitive data such as passwords, credit card numbers, account records, or any other type of information that should be known only to the owner and the people they trust.
Encryption techniques are often used in order to store such information. Such a method can be easy and secure to a point, but there are also a lot of ways that developers can make mistakes. They may be deceived by how easy it is and feel too confident in the protection that the encryption provides, therefore not being as careful as they should when securing the entire application or site. In order to efficiently protect data, it will help to understand:
- The mistakes that developers often make
- The risk that is run by having insecure data storage
- How to determine if your data is vulnerable
- How to protect yourself
A few examples of the errors that are commonly made when securing data storage include:
- Simply not encrypting critical data
- Insecurely storing keys, certificates, and passwords
- Weak choices of algorithm
- The attempt to create one’s own encryption algorithm
- Not including the proper support for encryption key changes and other necessary maintenance precautions
The Risk You Run
If a hacker attempts to tap into your sensitive data, they will undoubtedly discover any weakness in the encryption immediately. They will then be able to access the mobile device by connecting it directly to a computer with freely available software. This way they are able to view all third-party application directories, where personal information is often stored. They can then easily steal this information through the use of malware or by modifying a legitimate application. Once the theft occurs, a business is susceptible to:
- Identity theft
- Reputation damage
- External policy violation
- Material loss
Are You Vulnerable?
In order to find weaknesses in an encryption implementation, it is very helpful to have the source code. Figuring out whether you have any cryptographic flaws without access to the source code will be very challenging and time-consuming. One would have to examine tokens, session IDs, cookies, etc. in order to assess the application thoroughly. You will need someone with a strong background in cryptography, and in the flaws that tend to occur in encryption implementations, in order to carry out the examination properly.
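With the source code in hand, a first review pass can flag several of the common mistakes listed earlier (weak algorithm choices, hardcoded keys, stored credentials). The script below is an added example, not part of the original article; it assumes an Android app written in Java, and the rule set, the `audit` function and the sample source are constructed for illustration.

```python
import re

# Rule set for a first-pass review of Android/Java source (an assumption of
# this example). The API names are real; the rules and names are illustrative.
RULES = [
    ("weak-algorithm", re.compile(
        r'(?:Cipher|MessageDigest)\.getInstance\(\s*"(?:DES|RC4|MD5)\b', re.I)),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/', re.I)),
    # A bare "AES" transformation falls back to ECB on common providers.
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)')),
    ("hardcoded-key", re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\s*\.getBytes')),
    # Needs manual confirmation: the store may or may not be encrypted.
    ("credential-in-prefs", re.compile(
        r'\.putString\(\s*"[^"]*(?:passw|pwd|token|secret|card)[^"]*"', re.I)),
]

def audit(source):
    """Return sorted (line_number, finding) pairs for one file's text."""
    findings = set()
    for number, line in enumerate(source.splitlines(), start=1):
        # Drop // comments. A "//" inside a string literal also truncates the
        # line, so treat a clean result as "nothing obvious", not "safe".
        code = line.split("//", 1)[0]
        for name, pattern in RULES:
            if pattern.search(code):
                findings.add((number, name))
    return sorted(findings)

# Constructed sample source, not taken from any real application.
SAMPLE = '''\
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
prefs.edit().putString("user_password", pw).apply();
// Cipher old = Cipher.getInstance("DES");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
prefs.edit().putString("theme", "dark").apply();
'''

if __name__ == "__main__":
    for number, name in audit(SAMPLE):
        print(f"line {number}: {name}")
```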
Protect Yourself and Prevent Insecure Data Storage
The best and most basic rule for preventing insecure data storage with mobile apps is to not store the data unless it is absolutely necessary. Developers need to acknowledge that they are making this data vulnerable the second they put it onto a mobile device, even if it is encrypted. If the sensitive data must indeed be stored, some general rules of thumb are:
- Do not store credentials on the phone file system. Require the user to identify themselves with a standard login each time the application is opened, and make sure that appropriate session timeouts are in place.
- Be particular about the cryptography that is being implemented, and use solutions that avoid the leakage of binary signatures that are often used in encryption libraries.
- Avoid using hardcoded encryption or decryption keys.
- Add another layer of encryption beyond the default encryption methods provided by the operating system.
Mobile devices should always be considered an unsafe place for the storage of sensitive data. If the data must be stored there, be sure that it is encrypted and that you have a security system in place that you know you can depend on. Evaluate the level of guarantee provided by your security system carefully, as your customers’ data and your business’s reputation will be put at great risk. Most importantly, be thorough. After all, these decisions are exactly what will determine just how safe your company and your clients really are.