Security tips for mobile application developers – Whitelisting Mobile App Security
Having spent much of my career in the security industry, I’m a big fan of whitelisting as a mobile app security feature because it works well when there is a finite number of systems the app needs to communicate with. I also know how challenging it can be to stop phishing attacks. When mobile apps came onto the scene, phishing came along for the ride, but luckily so did whitelisting for mobile apps. If you’re developing a web browser or an equally promiscuous app, this isn’t going to be your go-to solution; there are alternatives and I’ll blog about them later. For now, let’s talk about phishing and how whitelisting can help prevent it in your mobile apps. Happy reading!
What is phishing
The goal of phishing is to direct a user to a fake but authentic-looking website in order to harvest sensitive information such as login credentials and account details. Phishing has been around since the mid 1990s, but around 2005 it really took off in popularity. Phishing is designed to get a user to click a malicious link that arrived via email, chat, social media and so on. Despite security awareness training, we all love to click on links, as Sean Gallagher outlined in an article for Ars Technica: So much for counter-phishing training: Half of people click anything sent to them. Because most of us are “click happy”, phishing continues to work on every device type, and a mobile app that will happily talk to whatever host a link points at is just as exposed as a desktop browser.
What is whitelisting
Whitelisting provides a method to identify the sites an app is permitted to access. The goal of whitelisting is to provide a safe space for users accessing services via an app. Put simply, a whitelist is the set of approved sites, and any destination not on the list is denied by default. Security professionals generally agree that whitelisting is an important control. NIST even published Special Publication 800-167, Guide to Application Whitelisting, on the topic; that document is about whitelisting the executables allowed to run on a host, but the same deny-by-default principle is what we apply here to the network destinations an app may contact. One practical caveat: the check has to be made against the host the app will actually connect to (the parsed hostname, normalized for case, port and trailing dots), not against a raw URL string, or lookalike and decoy URLs will slip through.
The inverse of whitelisting is blacklisting, which lists blocked or unsafe sites. I’m personally not a huge fan of blacklisting because it’s almost impossible to keep a current list of bad IP addresses, URLs, domains and so on, even with solutions that pull threat intelligence feeds in via an API. It’s a bit like Whac-A-Mole: the attacker registers a fresh domain and is off the list again. On the other hand, it’s generally accepted practice, so have at it.
How Does Appdome Use Whitelisting Mobile App Security?
There are a number of ways to add whitelisting to your app via the Appdome Platform. In fact, we’ve got some pretty cool ways to implement whitelists that you should know about, should you decide to choose whitelisting as a feature when you fuse.
Automatic Population of Whitelists
When you are selecting security features on Appdome, you simply populate a list of the URLs, domains, IPs and proxies that your application has been configured to communicate with. This list is added to the app as its whitelist.
Generating Whitelists Through Learning Mode
A really neat feature available on Appdome is automatically identifying sites to whitelist during the fusion process. It’s called “learning mode” and can be enabled in your dev environment. It creates a list of approved sites based on observed app usage. That list should be reviewed and trimmed based on your decisions: learning mode records every host the app talked to, including any third-party SDKs and analytics endpoints, so an entry being observed is not by itself a reason to keep it. The trimmed list can then be imported when your app is re-fused.
You can always manually enter the whitelisted sites during the fusion process. This is particularly common if you want your app to be limited to just a handful of known sites. The number of sites an app natively communicates with often surprises developers during the fusion process. This is especially true for apps developed by large teams or in concert with outsourced support.
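To make the two ideas above concrete, here is an added example (my own illustration, not Appdome code and not how the Appdome Platform implements whitelists) of a host whitelist check of the kind described under “What is whitelisting”, together with a small “learning mode” collector like the one described above. All hostnames, the allowlist and the request log are constructed for the example. The check matches on the parsed, normalized hostname so that the usual phishing tricks (a lookalike suffix, a decoy hostname before an `@`, a cleartext `http://` copy of a real host) are rejected, and wildcard entries match exactly one label, the same rule TLS certificates use.

```python
"""Host whitelist for a mobile app's outbound requests, plus a learning-mode collector.

Added example, not Appdome's code. Assumes the whitelist holds exact hostnames,
single-label wildcards of the form "*.example.com", and IP address literals.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed whitelist for the example (hypothetical hosts, not from the post).
ALLOWLIST = {"api.example-bank.com", "*.cdn.example-bank.com", "203.0.113.10"}

# Constructed request log, one "METHOD URL" per line, as learning mode might record it.
SAMPLE_LOG = """\
GET https://api.example-bank.com/v1/accounts
GET https://static.cdn.example-bank.com/logo.png
POST https://api.example-bank.com/v1/transfer
GET https://metrics.third-party-analytics.example/collect
GET http://legacy.example-bank.com/terms
GET https://api.example-bank.com/v1/accounts
"""


def host_of(url: str):
    """Return the normalized hostname a client would actually connect to, or None.

    urlsplit().hostname drops userinfo ("user@"), the port and IPv6 brackets and
    lowercases the name, so "https://api.example-bank.com@evil.example/" yields
    "evil.example", not the decoy in front of the "@".
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return None
    if not host:
        return None
    return host.rstrip(".")  # "api.example-bank.com." is the same host


def host_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    """Deny by default: True only if host matches an exact, wildcard or IP entry."""
    host = host.lower().rstrip(".")
    if host in allowlist:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals match only exactly, never via a wildcard
    except ValueError:
        pass
    for entry in allowlist:
        if not entry.startswith("*."):
            continue
        suffix = entry[1:]  # "*.cdn.example-bank.com" -> ".cdn.example-bank.com"
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            # Exactly one label may stand in for "*": "a.cdn..." yes, "a.b.cdn..." no.
            if label and "." not in label:
                return True
    return False


def url_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """Whitelist check for a full URL: https only, then the normalized host."""
    if urlsplit(url).scheme != "https":
        return False  # a cleartext copy of an allowed host is still not allowed
    host = host_of(url)
    return host is not None and host_allowed(host, allowlist)


def learn_allowlist(log_text: str) -> dict:
    """Learning mode: tally every host the app was observed talking to.

    The result is a candidate list for a human to review and trim; it includes
    third-party and cleartext hosts precisely so that they get noticed.
    """
    seen = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        _method, url = line.split(" ", 1)
        host = host_of(url)
        if host:
            seen[host] = seen.get(host, 0) + 1
    return seen


if __name__ == "__main__":
    for candidate in (
        "https://api.example-bank.com/login",
        "https://api.example-bank.com.evil.example/login",   # lookalike suffix
        "https://api.example-bank.com@evil.example/login",   # decoy before "@"
        "http://api.example-bank.com/login",                 # cleartext copy
        "https://static.cdn.example-bank.com/logo.png",      # wildcard match
    ):
        print(f"{'ALLOW' if url_allowed(candidate) else 'DENY ':5} {candidate}")
    print("learned:", learn_allowlist(SAMPLE_LOG))
```

Running it shows the learned list containing a third-party analytics host and a plain-http host alongside the bank’s own APIs, which is exactly the kind of surprise the review-and-trim step exists to catch.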
Thanks for reading! This blog is part of a series focused on security tips for mobile application developers. While it’s not intended to be an exhaustive analysis of security issues or of Fusion, my intent is to use this blog series as a platform to help mobile application developers become more security-aware. I hope you found the Whitelisting Mobile App Security information useful. Happy fusing!