Handling Security Risks in Mobile Apps

Security has become a critical aspect of mobile apps, which offer a level of convenience the world has never known before. Mobile apps now cover everything from waking up in the morning to going to sleep at night; you can do most of your daily activities through them.

Since these activities include financial operations involving the user's credit card details, net banking and passwords, security has become a serious concern.

Using mobile apps involves several risks that need to be addressed. Users should understand them in order to protect themselves and their data, and the exposure is even greater for a company than for an individual. The main risks are listed below:

1. Improper Session Handling

Suppose you are paying your bills, put your phone down somewhere and walk away to do something else. Before you come back, an attacker could pick it up and access your bank account, which could mean a large loss.

To prevent this, sessions must be handled properly: the app should detect that the user has been inactive for a set period and automatically log the user out, closing the session on the client and invalidating it on the server, so that an unattended device (or a token copied from it) cannot be used. Session tokens should also be short-lived and never written to logs.
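As an added illustration of the idle timeout described above (example code, not from the original post), here is an Android base Activity that logs the user out after a fixed period without any touch or key event, both while the app is in the foreground and when it was left in the background. The timeout value, the SessionStore helper, the LoginActivity class and the server-side logout call are assumptions; onUserInteraction() and Handler are standard Android APIs.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Handler;
import android.os.Looper;

/** Minimal in-memory session state (assumed helper, not part of the post). */
final class SessionStore {
    private static volatile String token;
    private static volatile long lastActivityMs = System.currentTimeMillis();

    static void set(String t) { token = t; touch(); }
    static void touch() { lastActivityMs = System.currentTimeMillis(); }
    static long idleMillis() { return System.currentTimeMillis() - lastActivityMs; }
    static void clear() { token = null; }
}

/**
 * Base Activity: every screen that extends it logs the user out after
 * IDLE_TIMEOUT_MS without user interaction. A Handler timer covers the
 * foreground case; onResume() covers time spent in the background, where
 * the timer is stopped.
 */
public abstract class SessionActivity extends Activity {
    private static final long IDLE_TIMEOUT_MS = 5 * 60 * 1000L; // assumed policy: 5 minutes

    private final Handler handler = new Handler(Looper.getMainLooper());
    private final Runnable logoutTask = new Runnable() {
        @Override public void run() { logoutForInactivity(); }
    };

    @Override
    protected void onResume() {
        super.onResume();
        // The timer does not run while paused, so re-check wall-clock idle time.
        if (SessionStore.idleMillis() > IDLE_TIMEOUT_MS) {
            logoutForInactivity();
            return;
        }
        restartTimer();
    }

    @Override
    protected void onPause() {
        super.onPause();
        handler.removeCallbacks(logoutTask);
    }

    /** Called by the framework for every touch, key or trackball event this Activity receives. */
    @Override
    public void onUserInteraction() {
        super.onUserInteraction();
        SessionStore.touch();
        restartTimer();
    }

    private void restartTimer() {
        handler.removeCallbacks(logoutTask);
        handler.postDelayed(logoutTask, IDLE_TIMEOUT_MS);
    }

    private void logoutForInactivity() {
        handler.removeCallbacks(logoutTask);
        SessionStore.clear();
        // Also call your API's logout endpoint (assumed) so the server invalidates
        // the session: a token copied off the device must become useless too.
        Intent login = new Intent(this, LoginActivity.class); // assumed login screen
        login.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        startActivity(login);
        finish();
    }
}
```

Screens that show account data extend SessionActivity instead of Activity; the CLEAR_TASK flag discards the back stack so the previous screens cannot be reached with the Back button after logout.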

2. Cryptography

Cryptography offers numerous algorithms, and both the algorithms and the attacks against them keep evolving: a scheme considered secure a few years ago may be broken today.

Make sure that the cryptographic techniques used in your organization are well established and not yet broken: avoid home-grown algorithms, obsolete primitives such as MD5, SHA-1 (for signatures), DES and RC4, and misuse of sound primitives such as ECB mode or keys hard-coded in the app, and rely on maintained library implementations rather than your own. You can also check for weaknesses using penetration testing, threat modelling and similar methods.

3. Insecure Data Storage

Many users lose sensitive information because it is stored insecurely on the mobile device, for example in plaintext files, world-readable preferences, logs or external storage. Data commonly found stored this way includes:

  • Authentication tokens
  • Cookies
  • Passwords
  • GPS location data
  • Device UDID/IMEI
  • Network connection details (Wi-Fi credentials, proxy settings)
  • Credit/debit card data already configured on the device
  • Application data such as cached or backed-up messages, logs, transaction histories, etc.

4. Older Operating Systems

Security patches for mobile operating systems are not always installed on devices in a timely manner. The update process is not fast for every vendor, and it can take weeks or months before fixes reach consumers' devices.

Even when a vulnerability is critical, patching can be complex and involve many parties, which can be very dangerous for consumers. For example, the Android team releases fixes for vulnerabilities in Android, but it is up to each device manufacturer to produce a device-specific update incorporating the fix, which takes time when the device's software carries proprietary modifications. Once a manufacturer produces an update, each carrier must test it and push it to consumers' devices.

5. No limits on internet connections

Most mobile devices do not ship with a firewall that limits network connections. When a user connects to Wi-Fi, the device communicates over network ports with the internet and with other devices on the same network. An attacker on that network could reach the device, or an app listening on it, through an open or insecure port.

A firewall on the device can restrict those ports and let the user choose which connections are allowed. Without one, any service listening on the device is exposed, and an intruder may obtain sensitive information and misuse it. Apps should therefore avoid opening listening sockets at all, or bind them to the loopback interface only, so that they are not reachable from the network.

6. Side Channel Data Leakage

This differs from the attacks we usually think of, such as brute force or a weakness in a cryptographic algorithm. In a side channel attack the attacker does not break the algorithm but exploits information the implementation leaks while it handles data: copies left in caches, logs, screenshots, the clipboard or the keyboard's autocomplete dictionary, or measurable differences in timing and power consumption. The attacker studies how data flows through the app and looks for these leaks.

7. Authentication and Authorization

All apps installed on the device should follow best practices for authentication and authorization. Some poorly written apps constantly run scripts in the background; these should be identified and blocked. Proper authentication and authorization ensure that only authorized devices, users and systems are allowed to exchange data.

8. Client Side Injection

Applications for mobile operating systems such as Android and iOS are client-side apps that reside on the user's handset. An attacker can supply crafted text-based input that is passed to an interpreter inside the app, such as the SQLite database, a WebView's JavaScript engine or an XML/JSON parser, so that the interpreter treats the input as code rather than data.

SQL injection on client devices can be a severe flaw in apps that hold data for multiple users or expose their database to other apps through a content provider. Other injection points aim to overflow application data and components; memory-safety errors of that kind are limited by the managed-code protections of the app languages, but native libraries and embedded interpreters remain exposed.
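To make the client-side SQL injection concrete, here is an added example (not from the original post) of an Android data-access class: the vulnerable query splices untrusted input into the SQL text, while the safe variants bind it through the selectionArgs mechanism of android.database.sqlite. The notes table and its columns are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

import java.util.Arrays;
import java.util.List;

/** Reads rows from an assumed table notes(id, owner, body, created). */
public final class NotesDao {
    private static final List<String> SORTABLE = Arrays.asList("id", "created");
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: untrusted input becomes part of the SQL text and is parsed as SQL.
    //   owner = "x' OR '1'='1"  returns every user's notes
    //   owner = "x'; --"        changes the structure of the statement
    public Cursor findNotesVulnerable(String owner) {
        String sql = "SELECT id, body FROM notes WHERE owner = '" + owner + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: the value is bound to a ? placeholder, so it can only ever be data.
    public Cursor findNotes(String owner) {
        return db.rawQuery("SELECT id, body FROM notes WHERE owner = ?",
                new String[] { owner });
    }

    // Same guarantee through the query() builder (selection + selectionArgs).
    // Note: % and _ inside `fragment` still act as LIKE wildcards; that is not
    // injection, but escape them if exact matching matters.
    public Cursor findNotesLike(String owner, String fragment) {
        return db.query("notes",
                new String[] { "id", "body" },
                "owner = ? AND body LIKE ?",
                new String[] { owner, "%" + fragment + "%" },
                null, null, null);
    }

    // Identifiers (table and column names) cannot be bound, so allow-list them.
    public Cursor findNotesSorted(String owner, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        return db.query("notes",
                new String[] { "id", "body" },
                "owner = ?", new String[] { owner },
                null, null, sortColumn + " ASC");
    }
}
```

The same rule applies to an exported ContentProvider, whose query() receives the selection string from another app: pass it on only as a parameterised selection with selectionArgs, never by concatenating it into raw SQL.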

This post covers the fastest way to integrate social platforms such as Facebook, Twitter and Google+ into an iOS app.

FACEBOOK

There are two ways to integrate Facebook with iOS.

  • Using the Facebook SDK
    1. The Facebook SDK is specific to Facebook and performs Facebook-related tasks only. It is reasonably easy to integrate into any iOS app and is much more powerful than the Social Framework. Another benefit is that it supports iOS back to 4.3
    2. The SDK exposes many Facebook features that can be used from an iOS app: for example, dialogs for posting on a friend's wall, FQL queries and Graph API operations. None of these are possible with the Social Framework
    3. The user is asked to authenticate first; once authorized, the app can call the Facebook APIs in the SDK
  • Using the Social Framework in iOS
    1. The Social Framework is designed for simple, site-neutral data manipulation, such as reading the user's activity feed or posting a new status or photo
    2. The Social Framework is not only for Facebook: it also covers Twitter and Sina Weibo
    3. The Social Framework is available from iOS 6.0 onwards
    4. If your app supports iOS 6.1 and above, the Social Framework is highly recommended
    5. It provides native iOS dialogs for posting to the supported platforms
    6. The user configures the Facebook and Twitter accounts built into iOS Settings once and can then share content directly from your app to those accounts

A single SLComposeViewController can share to several platforms; the only thing you need to change is the service type of the social account.

Note: According to Apple, 89% of iOS devices were already on iOS 7 at the time of writing, and the percentage is higher still if iOS 6 is included. So if your requirements are minimal (such as sharing), the Social Framework is the way to go!

TWITTER

For Twitter, the best way to integrate is the Social Framework. Older versions of iOS had a separate Twitter framework, but it has been superseded by the Social Framework. If no account is configured in Settings, the user sees the prompt below, which takes them to Settings to configure Twitter or Facebook.

[Screenshot: the prompt shown when no Twitter or Facebook account is configured]

GOOGLE+

Since iOS has no built-in support for Google+, you must use the Google+ SDK for iOS.

The Google+ SDK for iOS documentation is the place to start your integration.

If you have questions on the integration of social platforms, then you can ask in the comments section. Enjoy integrating!

Source: http://atozgeek.com/integrating-social-platforms-in-ios/



Hi All,

I have launched a new website today, atozgeek.com, which aims to provide core technical articles for computer science engineers.

Please have a look at it and provide your comments/suggestions for the improvement in the initial stage.

– Hrushikesh

 

This post is about 'Robotium – Testing Framework for Android'. I worked with the Robotium framework some time back, so I wanted to share what I learned with you all.

What is Robotium?

Robotium is a test framework created to make it easy to write powerful and robust black-box test cases for Android applications.

 

  • With Robotium, test case developers can write function, system and acceptance test scenarios spanning multiple Android activities
  • Robotium has full support for Activities, Dialogs, Toasts, Menus and Context Menus
  • Robotium is a free tool that can be used by individuals and enterprises
  • Robotium is a "black box" testing tool that can simulate and automate user interaction such as touching, clicking, text entry and any other gesture possible on a touch-enabled device
  • Tests can be executed either on the Android emulator (AVD – Android Virtual Device) or on a real device
  • Robotium is built on the Java programming language and the JUnit 3 test framework
  • Robotium can be used both for testing applications where the source code is available and applications where only the APK is available

 

Since Robotium is open source, there is no licence cost.

Benefits of Using Robotium:

 

  • Easy to write, shorter code. Minimal time needed to write solid test cases
  • You can develop powerful test cases, with minimal knowledge of the application under test
  • The framework handles multiple Android activities automatically. Readability of test cases is greatly improved, compared to standard instrumentation tests
  • Automatic timing and delays
  • Automatically follows current Activity
  • Automatically finds Views
  • Automatically makes own decisions (ex: When to scroll etc.)
  • No modification to Android platform
  • Test execution is fast
  • Test cases are more robust due to the run-time binding to GUI components
  • Integrates smoothly with Maven or Ant
  • The newly released Robotium 4.0 has full support for hybrid applications, i.e. apps that use WebViews to present HTML and JavaScript in full screen using the native browser rendering engine

 

Robotium Features:

 

  • Screenshots can be captured inside Robotium
  • Robotium can be run without source code
  • It’s possible to generate code coverage reports for your Robotium tests
  • Robotium is able to detect the contents of a Toast on the screen
  • Localised strings can be used (Needs source code)
  • Robotium test can be run from the command line
  • Robotium offers many methods that react to different graphical elements within an Android app, all called on a Solo instance, such as:

      solo.clickOnText("Secure Login");
      solo.clickOnButton("Save");
      solo.searchText("Logout");
      solo.goBack();
      solo.getButton(0);            // the index selects which Button on screen
      solo.isRadioButtonChecked(0); // likewise for RadioButtons

  • With these simple methods, robust automated tests can be implemented very quickly. By combining them with JUnit assertions, you get additional ways of checking values or user interactions on the device for the correct response, which makes the tests even more powerful
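As an added example (not from the original post), here is a complete Robotium test class that exercises a login screen with the methods listed above and checks the outcome with JUnit assertions. MainActivity, LoginActivity, the widget labels and the error text are assumptions; the Solo class lived in com.jayway.android.robotium.solo in Robotium 4.x and moved to com.robotium.solo in 5.0.

```java
import android.test.ActivityInstrumentationTestCase2;
import com.robotium.solo.Solo; // com.jayway.android.robotium.solo.Solo in Robotium 4.x

/** Black-box test of an assumed flow: MainActivity -> "Secure Login" -> LoginActivity. */
public class LoginFlowTest extends ActivityInstrumentationTestCase2<MainActivity> {
    private static final int TIMEOUT_MS = 5000;
    private Solo solo;

    public LoginFlowTest() {
        super(MainActivity.class); // the test project is locked to this target package
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
        solo = new Solo(getInstrumentation(), getActivity());
    }

    @Override
    protected void tearDown() throws Exception {
        solo.finishOpenedActivities(); // close every Activity the test opened
        super.tearDown();
    }

    public void testWrongPasswordStaysOnLoginScreen() {
        solo.clickOnText("Secure Login");
        assertTrue(solo.waitForActivity("LoginActivity", TIMEOUT_MS));

        solo.enterText(0, "alice");            // first EditText on the screen
        solo.enterText(1, "not-the-password"); // second EditText
        solo.clickOnButton("Sign in");

        // Toast detection: the error text must appear within the timeout
        assertTrue(solo.waitForText("Invalid credentials", 1, TIMEOUT_MS));
        solo.assertCurrentActivity("must remain on the login screen", "LoginActivity");
        assertFalse(solo.searchText("Logout")); // nothing a logged-in user would see
    }

    public void testRememberMeIsOffByDefault() {
        solo.clickOnText("Secure Login");
        assertTrue(solo.waitForActivity("LoginActivity", TIMEOUT_MS));
        assertFalse(solo.isCheckBoxChecked("Remember me"));
        solo.goBack();
        solo.assertCurrentActivity("back on the start screen", "MainActivity");
    }
}
```

The test APK must be signed with the same certificate as the app under test, otherwise the clicks are rejected with an inject-events exception.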

 

Limitations:

 

  • For cross-activity testing, Robotium only works with apps signed with the same certificate as the test project; otherwise you get an inject-events exception (for example, you cannot tap the on-screen keyboard)
  • Robotium has no mechanism for handling expected or unexpected alerts, pop-ups or dialogs; by comparison, iOS JavaScript tests have a simple boolean flag and callback for handling alerts
  • Robotium's auto-scrolling methods are problematic: if you search for text that is not shown, Robotium gets stuck at the end of the scroll view and fails the test with assertTrue(false) to stop scrolling
  • Robotium reports problems with assertTrue(false) rather than returning an enum or boolean (success/fail), so for stress tests that run 24/7 you need to add your own wrapper methods that do not abort the test but return a "failed to click x, y" result
  • The scope of a test project is limited to a single application: it is locked to one target package and going outside that package is not allowed
  • Native Android components (Contacts, widgets, etc.) used by the application cannot be tested with Robotium. If focus switches to a native application during a test, it does not come back to the application under test and the test fails
  • Before the hybrid-app support added in Robotium 4.0, Robotium could not drive Flash or web components; it only works with Android components. You can send clicks with clickOnScreen() or assert that a certain Activity is shown, but you cannot verify or interact with the web or Flash content itself
  • Test execution is slower than plain unit tests, because every step drives the real UI on a device or emulator
  • Test cases for complex flows take effort to implement
  • Robotium cannot see content drawn directly on a Canvas, since there are no widgets for it to find

 

Future Enhancements:

 

  • Robotium Remote Control similar to Selenium RC
  • Integration with BDD tools such as cucumber
  • Automatic measurement of user interface test coverage
  • Generate screenshots on failure
  • Multiple device support

 

To get started with implementation, refer to the Robotium project's getting-started guide.

Going off topic: it's great to be back on the blog after a long, long time. I will make sure you get the latest updates on time 🙂

@MsWizKid signing off!

Enjoy 🙂

Hi all,

I wish to write this post in my mother tongue, Marathi! If you don't get the meaning, feel free to ask anything in the comments! 🙂

Namaskar,

Friends, today I have finally found the time to pour out all the feelings in my heart!
Ganesh Chaturthi is a truly wonderful and unique day. The blend of love and divine moments in it is something else altogether! On this day Bappa enters the home. Once Bappa arrives, everyone in the household comes together to perform his puja. His arrival makes the whole house feel joyful!
Today there was a Ganesh Chaturthi puja at my company, Persistent Systems. The puja of Shri Ganesh was performed by Sameer Bendre, Chief People Officer of Persistent Systems. Many people attended the puja. All my friends wore traditional clothes. Naturally, the atmosphere was beautiful and cheerful. The picture below is the Ganesh idol at the company.
The pictures below are with my friends.
The festival days have begun. It is as if these are the days meant just for eating sweets (prasad)! May Shri Ganesh remove all our sorrows, worries and obstacles; that is my prayer at the Lord's feet..!
Ganpati Bappa Morya, Mangal Murti Morya! 🙂
Thank you 🙂

My love,

A one woman army of my heart,

Your wishful words that can never be forgotten,

You are my way just like a god’s grace,

You are a journey which will never end,

You and Me together make everything seem right,

Mornings making that sweet wish for the day,

Good nights to make a promise for a great dream,

Dreams seemed so incomplete without your touch,

You are the one who heals all my injuries,

Meeting you always makes me feel fresh,

Your touch boosts the confidence in me,

The best time in life is the time spent with you,

Your voice is as sweet as a dessert,

Your presence awaits a positive approach in my life,

Tears inside your eyes are so unbearable,

Cute fights with you are so cherishable,

Sometimes being silent speaks out thousand feelings,

Sometimes gaps between the relation always felt broken,

But it’s the love that conquers and that has won million hearts!

Dedicated to all people who are in love and can’t live without that someone and enjoying their life to the fullest! God bless.

Enjoy 🙂

Hello people,

It feels great to be back on blog and write a blog post again. This time it is about ‘Master Studies’. Oh yes, I am doing Masters of Science in Software Engineering from Birla Institute of Technology and Science (BITS), Pilani. 🙂

This is a work-integrated program for Persistent employees; those who clear the BITS entrance exam get admission to the MS.

The specialty of this program is that you can complete your Masters alongside your work. The classes are held on weekends at the Persistent campus itself, and the exams are also conducted there.

The good thing is that the degree is a Full Time degree. 🙂

When I completed my engineering, I had a good GRE score and could have gone to a US university for higher studies, but due to some situations and problems I couldn't go. But there you go, I found this option for an MS at BITS Pilani and cleared the entrance by god's grace.

Almost 45 Persistent employees from across India are attending this program, and the courses are awesome. Only 8 of us are from Nagpur; we are the ones shown in the collage picture above. The course duration is two years.

So, I will keep on updating the events and activities for Masters on blog. So stay tuned 🙂

@MsWizKid signing off!

Enjoy 🙂