Security tips for mobile app developers – Whitelisting to prevent phishing attacks
Spending much of my career in the security industry, I’m a big fan of whitelisting mobile app security features because they works well when there are a finite number of systems to communicate with. I also know how challenging it can be to stop phishing attacks. When mobile apps came onto the scene phishing came along for the ride, but luckily so did whitelisting for mobile apps. Now if you’re developing a web browser or an equally promiscuous app, this isn’t going to be your go-to solution, there are alternatives and I’ll blog about them later. For now, let’s talk about phishing and how whitelisting can help prevent it on your mobile apps. Happy reading!
What is a phishing attack?
The goal of a phishing attack is to direct a user to a fake but authentic-looking website to gather sensitive information such as login credentials and account information. Phishing attacks has been around since the mid 1990s, but around 2005 it really took off in popularity. Phishing is designed to get a user to click a malicious link that came across email, chat, social media and so on. Despite security awareness we all love to click on links as Sean Gallagher outlined in an article for Ars Technica: So much for counter-phishing training: Half of people click anything sent to them. Because most of us are “click-happy” phishing continues to work on all device types.
What is URL whitelisting?
Whitelisting provides a method to identify sites that an app can access. The goal of whitelisting is to provide a safe space for users accessing services via an app. Most simply, whitelisting includes approved sites. Security professionals generally agree that whitelisting is an important control. NIST even created Special Publication 800-167, A Guide to Application Whitelisting to help detail this topic.
The inverse of whitelisting is blacklisting which includes blocked or unsafe sites. I’m personally not a huge fan of blacklisting because it’s almost impossible to keep a current list of bad IP addresses, URLs, domains, etc., even with solutions that support security intelligence feeds via APIs for example. It’s a bit like Whac-A-Mole. On the other hand, it’s generally accepted practice so have at it.
How Does Whitelisting Prevent Phishing Attacks in iOS and Android apps?
There are a number of ways to add whitelisting to your app via the Appdome Platform. In fact, we’ve got some pretty cool ways to implement whitelists you should know about should you decide to choose whitelisting as a feature when you build. Here’s a quick intro:
How to Add a URL Whitelist to Any Mobile App on Appdome
Upload a Mobile App to Your Account
- Go to the Build tab.
- Select Security in the top toolbar.
- Expand Secure Communication.
- Click on the toggle to enable URL Whitelisting.
- Click “+ Add” and add the hostname you want to whitelist
- You can edit the App Compromise Notification (Optional)
- You can use DEV-Events to handle compromises internally in the app.
- Click Build My App.
That’s all there is to it. This prevents phishing attacks because your app will not connect to URLs that are not on the whitelist. And you can customize these options as you see fit using Appdome DEV-Events.