Cryptography and data security go hand in hand. Cryptography is one of the oldest and best-understood ways to transmit sensitive information securely. Unfortunately, software data encryption is not fully understood by every mobile application developer out there, and some are using forms of "encryption" that simply don't cut the mustard.
"It amazes me when we find mobile applications that perform no encryption, or use simple encoding methods to attempt to protect sensitive information," Tony DeLaGrange said. Jack Mannino adds that many mobile application developers use methods such as base64 encoding or simple obfuscation, which he stresses are not proper forms of secure data encryption.
Mannino also pointed out that implementing encryption and decryption on the device, especially with a key hardcoded in the source code, leaves the protected data exposed to anyone who reverse-engineers the application. Mannino suggested splitting the key between the client and the server for an added layer of protection. "Locking the door doesn't do any good if the key is under the doormat where anyone can find it," DeLaGrange said.
Mobile application testers should look out for information protection methods that fall outside of industry standard encryption algorithms, DeLaGrange said. It's important to identify how the encryption key is generated, stored and protected. Mannino pointed out that the challenge with mobile cryptography, as opposed to traditional Web cryptography, is proper key storage and rotation.
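The two patterns discussed above, side by side, as an added example that is not from the article or from either speaker: base64 "protection" that anyone can undo with no key at all, beside a split-key scheme in which the device-held half and a server-issued half are combined with HKDF so that the data key never sits whole in the binary and rotates when the server half or key version changes. The HKDF routine, the key-version label and the sample secrets are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) built only from the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()   # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                              # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# --- Weak pattern: encoding mistaken for encryption -------------------------
def encode_only(secret: bytes) -> bytes:
    """Base64 is a reversible encoding; it hides nothing from a reader of the app."""
    return base64.b64encode(secret)


def recover_encoded(blob: bytes) -> bytes:
    """No key is needed to undo it, which is exactly the problem."""
    return base64.b64decode(blob)


# --- Hardened pattern: key split between client and server ------------------
KEY_VERSION = b"data-key-v1"   # assumed label; bump it (and the server half) to rotate
KEY_INFO = b"aes-256-data-key"  # assumed purpose string binding the key to its use


def derive_data_key(client_half: bytes, server_half: bytes, version: bytes = KEY_VERSION) -> bytes:
    """Combine the device-held half (from secure storage) and the half the server
    hands out after login. The full key exists only in memory, never in the binary."""
    return hkdf_sha256(ikm=client_half + server_half, salt=version, info=KEY_INFO)


def key_from_client_half_only(client_half: bytes) -> bytes:
    """What reverse-engineering the app alone yields: the device half plus a
    guessed (all-zero) server half. It does not reproduce the real data key."""
    return hkdf_sha256(ikm=client_half + bytes(32), salt=KEY_VERSION, info=KEY_INFO)


def new_server_half() -> bytes:
    """Server side: issue a fresh 32-byte half, e.g. on rotation or re-enrolment."""
    return os.urandom(32)
```

A tester reviewing an app would look for the weak pattern (encoding only, or a complete key in the code) and expect something like the second, where the key is derived on demand from material that is generated, stored and rotated deliberately.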