Securing Mobile Apps: A Guide to Threat Modeling and Mitigation
In today’s world, accessing the entire world through mobile devices is remarkably easy. There are plenty of apps available in the market to serve our needs. Mobile apps make people’s lives easier, and they serve as the primary gateway to access any organization’s services; thus, building mobile apps has become a strategic approach. Various aspects, such as UI/UX, tech stack, infrastructure, and security, play a major role in the success of any app. In this blog, we will delve into the security aspects of mobile apps.
Allow me to share a brief story. “A famous company, XYZ, developed a mobile app with billions of downloads and millions of active users. The app gained fame for its excellent UX and service offerings, making it seem like the perfect app in the market. The company’s business and user engagement were at their peak due to its mobile app. Does the story continue in the same way? Sadly, NO. A hacker explored their mobile app, obtained sensitive information related to the company’s systems, and ultimately shared the data with their competitors. This incident resulted in significant losses and a decline in the company’s credibility among its users. XYZ company had to face numerous consequences due to this incident.” The moral of the story is that security is a crucial aspect of any mobile app that cannot be compromised, along with other key factors.
Now, let’s delve deeper into addressing security issues during the development stage using Threat Modeling.
What is Threat Modeling?
Threat modeling is a structured process with the following objectives: identifying security requirements, pinpointing security threats and potential vulnerabilities, quantifying threat and vulnerability criticality, and preventing them during the development stage.
Threat Modeling Framework
A threat modeling exercise can be completed in four simple steps:
- Assess Scope: Determine the scope of the project, whether it’s as small as a sprint or as large as an entire system.
- Identify What Can Go Wrong: This can be as simple as a brainstorming session or a more structured approach using tools.
- Identify Countermeasures or Manage Risk: Decide how to address each threat. This might involve implementing mitigations or applying risk management approaches such as accept/transfer/eliminate. Keep track of the risks in checkpoints and revisit them if there’s uncertainty or lack of information at the moment.
- Assess Your Work: Evaluate whether you’ve done a good enough job for the specific system at hand.
Mobile App Threats
We can divide mobile app threats into two categories:
- Known Potential Threats: Android and iOS
- App Specific Threats: The extent of threats depends on the application domain, features, and architecture of the app.
Known Potential Threats: Android and iOS
App Specific Threats
- Log Level: Logging requests and responses is a common practice in mobile app development during debugging. However, it is crucial to either disable this logging functionality or adjust the log level to error to prevent the inclusion of any sensitive information in the logs.
- Strong Authentication: Apps should not use basic authentication for fetching and pushing data to backend services. It is highly recommended to employ more secure authentication mechanisms such as OAuth, SAML, etc.
- Finance and Healthcare Apps Require Extra Security: Leverage biometric and mPIN features to authenticate finance apps. It is highly recommended to disable the ability to take screenshots of the app and display a blank screen during app switching.
- Source Control Hygiene: Always encrypt security keys or API keys in the build release pipeline. Additionally, consider adding a git hook that checks for sensitive information before it is committed to the remote source control repository.
Threat Modeling in Practice
- Threat modeling is not a one-time process; instead, it should be an integral part of the Software Development Life Cycle (SDLC). To enhance security measures, implement security steps and rules within your development pipelines. For instance, tools like SonarQube and Mobile Security Framework (MobSF) provide rapid feedback on potential security breaches, so you can proactively identify and address security vulnerabilities throughout the development process. This iterative approach ensures that security considerations are continuously evaluated and refined, contributing to a more robust and secure software environment.
- Use git-hook security tools: Integrate open-source git-hook tools such as talisman, git-secrets, and trufflehog into your workflow. These tools act as safeguards, preventing sensitive information from being committed to the source control repository.
- Security champions: Cultivate awareness about threats and security within the team to enhance the overall security of the development process. Designate security champions who assume additional responsibilities alongside the primary development tasks, ensuring that the team adheres to established security practices. These champions play a vital role in maintaining a robust security posture throughout the software development life cycle.
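The git-hook check recommended above (under Source Control Hygiene and again under git-hook security tools), sketched as a minimal pre-commit hook. This is an added example, not code from the original post or from talisman, git-secrets or trufflehog; the three patterns, the function names secret_patterns, scan_diff and sample_diff, and the sample diff are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-commit and make it executable.
# Illustrative patterns (assumptions), one extended regex per line, matched
# case-insensitively: AWS-style access key ID, PEM private key, quoted secret.
secret_patterns() {
    cat <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
(api[_-]?key|secret|password|token)[a-z_]*["' ]*[:=] *["'][^"']{12,}["']
EOF
}

# Read a unified diff on stdin; print "path:line" for every ADDED line that
# matches a pattern (the value itself is never echoed). Returns 1 on a hit.
scan_diff() {
    findings=$(awk '
        /^diff --git /    { hdr = 1; next }   # per-file header starts
        /^@@ /            { hdr = 0; split($3, a, /[+,]/); n = a[2]; next }
        hdr && /^\+\+\+ / { file = $0; sub(/^\+\+\+ (b\/)?/, "", file); next }
        hdr               { next }            # index, mode and "---" lines
        /^\+/             { print file ":" n ":" substr($0, 2); n++; next }
        /^-/ || /^\\/     { next }            # removed line, "\ No newline"
                          { n++ }             # unchanged context line
    ' | grep -Ei -e "$(secret_patterns)" | cut -d: -f1,2)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample diff (not from a real repository), used when the script
# is run directly instead of as a hook.
sample_diff() {
    cat <<'EOF'
diff --git a/app/Config.kt b/app/Config.kt
--- a/app/Config.kt
+++ b/app/Config.kt
@@ -1,2 +1,3 @@
 object Config {
+    const val API_KEY = "CONSTRUCTED-EXAMPLE-VALUE-0001"
 }
EOF
}

case "$0" in
    */pre-commit)   # running as the hook: scan only what is staged
        git diff --cached --no-color --no-ext-diff -U0 | scan_diff || {
            echo "Commit blocked: possible secret in the lines above." >&2
            exit 1
        } ;;
    *)  sample_diff | scan_diff || echo "(sample) commit would be blocked" ;;
esac
```

Only added lines are inspected, so removing a previously committed secret is not blocked, and a local hook can be bypassed with `git commit --no-verify`, which is why the same scan should also run in the pipeline.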
Conclusion
It is worth investing time in setting up the process once and keeping it updated throughout development. The security of mobile applications, or of any software, is crucial and precious. Keeping your application secure helps to maintain the trust of end-users at all times.