The top 3 risky behaviors that threaten Android app security

Apperian, Cigital, F-Secure Labs say devs must evolve as Android security risks increase

Malware, Trojans, fragmentation: Many cybersecurity dangers threaten Android application developers. And as new risks develop, Android developers must understand how to identify and eliminate such issues. 

How an Android developer approaches cybersecurity remains crucial for both the developer and his or her target audience. 

Ideally, Android developers should prioritize cybersecurity during every stage of the design process. But in some cases, developers may be tempted to take shortcuts that could leave their apps susceptible to myriad cyber threats. 

Here are three top risky behaviors that can threaten app security:

Reliance on third-party software

Dan Lyon, principal consultant at software security firm Cigital, tells FierceDeveloper that an app developer's dependency on third-party software often can be problematic. 

Third-party software may cause fragmentation, i.e., a situation in which older versions of an app are still running on an operating system, Lyon says. As a result, an end user might fail to receive essential security updates, putting his or her device and personal data, along with an app developer's reputation, at risk.

Fortunately, an Android developer who incorporates security into the app development process can reduce the risk of fragmentation both now and in the future, according to Lyon.

"When done correctly and comprehensively, security is a design input into the development process the same as other design inputs like usability or performance," Lyon notes. "In order for development to address the need, whether it be security or usability, there needs to be some level of expertise present in all development activities."

Failing to stay current on malware trends

Hewlett Packard Enterprise's Cyber Risk Report 2016 on data security issues revealed that Android was the second-most targeted operating system in 2015, behind only Microsoft (NASDAQ: MSFT) Windows. In addition, nearly 4.5 million Android malware samples were discovered last year, the report indicated.

Malware remains an ongoing cyber threat that impacts Android, Windows and other operating systems consistently. But an app developer who stays up to date on malware trends can minimize the risk of cybersecurity issues.

"App developers on modern mobile platforms operate in a tightly sandboxed environment. This makes it harder to accidentally harm security, but you must keep yourself up to date with how the platform is evolving," says Mikael Albrecht, security specialist at antivirus vendor F-Secure Labs.

Backend security, Albrecht notes, is essential for Android developers and typically is more critical than the app itself.

He points out that a "security mindset," in which an Android developer incorporates security into the entire planning, development and maintenance process, is paramount. Testing also remains key, as it ensures a developer can identify security problems and resolve them before end users are affected.

"Security is quality. Vulnerabilities are basically quality problems. Do proper testing with security vulnerabilities in mind," he recommends.

Ignoring the Internet of (unsecure) Things

Chris Hazelton, director of product marketing & strategy at mobile app management platform provider Apperian, says today's app developers must focus on security and management "at the app layer, where IT has visibility into app behaviors before installation, how it's deployed to users and who is using the application."

He noted that mobile is becoming an increasingly large component of enterprises' daily computing, leading to exceedingly complex mobile apps. As such, Hazelton points out, Android developers must understand the dangers associated with weak code or malicious libraries that contain Trojans.

Furthermore, he says Android developers must be prepared for new, evolving cyber threats associated with the Internet of Things (IoT).

"Security is not a priority in the IoT market," Hazelton notes. "Business models are still being developed and security has taken a back seat to functionality as product teams are racing to current and developing market segments. ... A key need for IT when it comes to IoT will be the need to verify the 'thing' and that it truly is the right sensor or device that is providing data back to the enterprise. Again, app level security will provide authentication and encryption for data and services running on a wide variety of devices."  

Security of IoT devices and variety of data are two of the top concerns for IoT developers.

The Evans Data Corporation's "Internet of Things Development Study 2015, Volume II," released in November, revealed nearly 19 percent of app developers cited security as their top concern. 

But with the ability to balance both security and user needs, Android developers may be able to deploy apps that users can leverage without delay or interference. 

"Understanding the limitations of IoT devices and how people use them is one key aspect to developing solutions that are secure out of the box," Lyon says. "In some scenarios, the mobile app that interacts with IoT devices is now like a little server with lots of IoT clients connecting to it. When this happens, the app developer needs to ensure that things like authentication and authorization have been addressed appropriately through pairing mechanisms that are not only secure but also usable. Addressing the security challenge alongside the usability challenge is required to balance the two tensions."