Best Practices For Securing Mobile Applications

The document outlines best practices for securing mobile applications, including downloading apps from trusted sources, keeping apps updated, enforcing multifactor authentication for developers, and conducting regular penetration testing for enterprises.

Uploaded by Melinda Lake
EC-Council

BEST PRACTICES FOR SECURING MOBILE APPLICATIONS

Securing mobile apps requires managing security threats from the user, mobile developer, and back-end server or infrastructure. Below, we outline best practices for securing mobile applications.
FOR MOBILE APP USERS

Download mobile apps from trusted sources only, such as Google Play, the Apple App Store, or another enterprise’s official app store.

Keep mobile apps and the underlying operating system up to date to defend against the latest threats.

Do not root your Android device. While many Android users root their mobile devices to install a custom ROM, this practice is dangerous, as it makes operating system files vulnerable to cyberattackers and malware manipulation. The same applies to jailbreaking Apple devices.
FOR MOBILE DEVELOPERS

Ensure secure mobile app local storage. Store data in an encrypted cache and ensure that all data processed or stored locally on the mobile device is adequately secured or encrypted. Hackers can easily steal data stored in cache if it is unencrypted. If a user device gets infected with malware, the attacker may be able to access unencrypted locally stored data.

Enforce multifactor authentication and require strong and complex passwords to reduce the risk of unauthorized access.

Ensure that all user inputs are filtered to prevent common attacks such as SQL injections.

Do not use insecure third-party libraries when developing the mobile app.

Encrypt sensitive data in transit, especially between client and server.
Make sure to implement cryptographic functions correctly. Incorrect implementation of mobile app cryptographic functions will make apps vulnerable to cyberattacks.

If your mobile app supports mobile API authentication and authorization, ensure that the API functionality is implemented correctly.

Obfuscate all mobile app code to prevent threat actors from reverse-engineering it. Attackers utilize this method to understand how an app works to find a way to break it.

Apply the principle of least privilege with your mobile app. Allow the application to access only the required resources needed to function. For example, if the app does not need to access the device’s photo gallery, then do not require such access when the user installs the app.
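
As an added example (not part of the original document), one way to check the least-privilege item above in a build pipeline is to compare the permissions an Android manifest declares against an allowlist of what the app needs. The sample manifest, the package name com.example.notes and the allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name, etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical notes app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
                     android:maxSdkVersion="32" />
    <uses-permission-sdk-23 android:name="android.permission.CAMERA" />
    <application android:label="Notes" />
</manifest>
""".strip()

# Assumed allowlist: the only permission this hypothetical app needs.
REQUIRED = {"android.permission.INTERNET"}

# Both elements request permissions; the second applies on API level 23+.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in PERMISSION_TAGS:
        for element in root.findall(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                found.add(name)
    return found


def audit(manifest_xml, required):
    """Report permissions beyond the allowlist and allowlisted ones not declared."""
    declared = declared_permissions(manifest_xml)
    return {
        "excess": sorted(declared - required),
        "missing": sorted(required - declared),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, REQUIRED)
    for permission in result["excess"]:
        print("not in allowlist:", permission)
    # Non-zero exit fails the build when the app asks for more than it needs.
    raise SystemExit(1 if result["excess"] else 0)
```

Run against the merged manifest rather than only the app's own source file, since third-party libraries can contribute permissions of their own.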
FOR ENTERPRISES

Conduct regular penetration testing. This helps identify vulnerabilities or loopholes, which in turn can prevent cyberattacks.

Develop a bring-your-own-device (BYOD) security policy to govern employees’ usage of mobile devices at work. For example, some guidelines might include:

Require all employees to use a VPN when using mobile apps to connect to the enterprise network.

Store mobile app passwords in a central password management system to ensure that all employees adhere to password security policies.

Install a robust antivirus solution on all employees’ mobile devices and keep it current.

www.eccouncil.org