如何保护移动应用程序安全–移动应用程序安全检查表

Security has always been a major concern for businesses. And this concern is even greater when it comes to mobile apps.

安全一直是企业关注的主要问题。对于移动应用程序，这种担忧甚至更大。

Today every business has a mobile app to connect more easily with their customers. And if that business does not take proper security protections it can put their brand at risk.

如今，每个企业都有一个移动应用程序，可以更轻松地与客户联系。而且，如果该企业未采取适当的安全保护措施，可能会使其品牌面临风险。

Mobile devices span multiple operating systems and, given the distributed nature of components, mobile app security often experiences problems.

移动设备跨越多个操作系统，并且鉴于组件的分布式性质，移动应用程序安全性经常遇到问题。

I hope your business is properly secured and you are just looking for a mobile app security checklist for the future. If that's the case, good for you – being a business owner means you must take care of mobile app security.

我希望您的业务得到适当的保护，并且您只是在寻找未来的移动应用安全清单。如果是这样，对您有好处–成为企业主意味着您必须注意移动应用程序的安全性。

But according to a survey, more than 75% of mobile applications will fail basic security tests.

但是根据一项调查，超过75％的移动应用程序将无法通过基本安全测试。

Many employees download apps from app stores and use mobile applications that can access enterprise assets or perform business functions. And unfortunately, these applications have little or no security assurances. They are exposed to attacks and violations of enterprise security policies all the time.

许多员工从应用程序商店下载应用程序，并使用可以访问企业资产或执行业务功能的移动应用程序。不幸的是，这些应用程序几乎没有安全保证。他们始终面临攻击和违反企业安全策略的威胁。

I know that nobody wants to be a part of this failure. That is why you need to follow a proper mobile app security checklist.

我知道没有人愿意成为这次失败的一部分。这就是为什么您需要遵循适当的移动应用程序安全检查表的原因。

实施强身份验证 (Enforce Strong Authentication)

To prevent unauthorised access and password guessing attacks, you should implement multi-factor authentication. The three main factors for authentication are

为了防止未经授权的访问和密码猜测攻击，您应该实施多因素身份验证。身份验证的三个主要因素是

something that a user knows, such as a password or PIN用户知道的内容，例如密码或PIN
something the user has, such as a mobile device用户拥有的东西，例如移动设备
or something the user is, such as a fingerprint.或用户所使用的东西(例如指纹)。

Combining password-based authentication with a client certificate, device ID, or one-time password significantly reduces the risk of unauthorised access. You can also implement time-of-day and location-based restrictions to prevent fraud.

将基于密码的身份验证与客户端证书，设备ID或一次性密码结合使用，可以大大降低未经授权访问的风险。您还可以实施时间限制和基于位置的限制，以防止欺诈。

加密移动通信 (Encrypt Mobile Communications)

With threats like snooping and man-in-the-middle attacks over WiFi and cellular networks, IT should make sure that all communications between mobile apps and app servers are encrypted.

面对通过WiFi和蜂窝网络进行的侦听和中间人攻击等威胁，IT应确保对移动应用程序和应用程序服务器之间的所有通信进行加密。

Strong encryption that leverages 4096-bit SSL keys and session-based key exchanges can prevent even the most determined hackers from decrypting communications.

利用4096位SSL密钥和基于会话的密钥交换的强大加密功能甚至可以阻止最坚定的黑客解密通信。

Besides encrypting traffic, IT should confirm that data at rest—the sensitive data stored on users' phones—is also encrypted. For ultra-sensitive data, IT might want to prevent data from ever being downloaded to the end user device at all.

除了加密流量，IT还应确认静止数据(存储在用户电话中的敏感数据)也已加密。对于超敏感数据，IT部门可能完全希望阻止将数据下载到最终用户设备。

修补程序应用程序和操作系统漏洞 (Patch App and Operating System Vulnerabilities)

Recent Android and iOS vulnerabilities such as Stagefright and XcodeGhost have exposed mobile users to attack.

最近的Android和iOS漏洞(例如Stagefright和XcodeGhost)使移动用户容易受到攻击。

In addition to mobile OS flaws, IT must contend with a never-ending succession of app updates and fixes.

除了移动操作系统的缺陷外，IT还必须应对无休止的一系列应用程序更新和修复。

To protect mobile users from attack, IT should check mobile devices and ensure that the latest patches and updates have been applied.

为了保护移动用户免受攻击，IT应检查移动设备并确保已应用最新的补丁程序和更新。

防止设备失窃 (Protect Against Device Theft)

Every year, millions of mobile devices are lost or stolen. To ensure sensitive data does not end up in the wrong hands, IT should provide a way to remotely wipe sensitive data Or—better yet—make sure data is never stored on mobile devices in the first place.

每年，数百万的移动设备丢失或被盗。为确保敏感数据不会落入不正确的人手中，IT部门应提供一种远程擦除敏感数据的方法，或者(最好)确保数据永远不会存储在移动设备上。

For employee-owned devices, IT should lock or wipe corporate information while leaving personal apps and files intact. When the device is found or replaced, IT should be able to quickly restore users’ apps and data.

对于员工拥有的设备，IT应锁定或清除公司信息，同时保持个人应用程序和文件的完整性。找到或更换设备后，IT部门应能够快速恢复用户的应用程序和数据。

扫描移动应用中的恶意软件 (Scan Mobile Apps for Malware)

Eliminate malware and adware by testing apps for malicious behaviour. Malware can be detected using virtual sandboxing or signature-based scanning tools. For mobile workspace or virtual mobile solutions, perform malware scans on the server.

通过测试应用程序的恶意行为来消除恶意软件和广告软件。可以使用虚拟沙箱或基于签名的扫描工具来检测恶意软件。对于移动工作区或虚拟移动解决方案，请在服务器上执行恶意软件扫描。

保护设备上的应用数据 (Protect app data on your device)

Make sure developers are not storing any sensitive data on their devices. If you must store data on device for some reason, first make sure it's encrypted/protected. And then only store it in files, data stores, and databases.

确保开发人员未在其设备上存储任何敏感数据。如果由于某种原因必须将数据存储在设备上，请首先确保其已加密/受保护。然后仅将其存储在文件，数据存储和数据库中。

If you use the latest encryption technologies, you can get a higher level of security.

如果您使用最新的加密技术，则可以获得更高级别的安全性。

保护平台 (Secure the Platform)

Your platform should be properly secured and controlled. This process consists of detecting jailbroken phones and preventing access to other services when needed.

您的平台应得到适当的保护和控制。此过程包括检测越狱的电话并在需要时阻止访问其他服务。

防止数据泄漏 (Prevent Data Leaks)

To avoid data leaks while still allowing users to install personal apps on their mobile devices, IT must separate business apps from personal apps.

为了避免数据泄漏，同时仍允许用户在其移动设备上安装个人应用程序，IT必须将业务应用程序与个人应用程序分开。

Creating secure mobile workspaces helps prevent malware from accessing corporate apps and stops users from copying, saving, or distributing sensitive data.

创建安全的移动工作区有助于防止恶意软件访问公司应用程序，并阻止用户复制，保存或分发敏感数据。

为了防止机密数据泄漏，机密数据： (For ironclad data leak prevention of confidential data:)

Control clipboard access to prevent copy and paste functions控制剪贴板访问以防止复制和粘贴功能
Block screen captures阻止屏幕截图
Prevent users from downloading confidential files to their phone or saving files on file sharing sites or connected devices or drives.防止用户将机密文件下载到手机或将文件保存在文件共享站点或连接的设备或驱动器上。
Watermark sensitive files with users’ usernames and timestamps使用用户名和时间戳为敏感文件加水印

优化数据缓存‌‌ (Optimise Data Caching‌‌)

Did you know that mobile devices usually store cached data in order to enhance an app's performance? This is a major cause of security issues because those apps and devices become more vulnerable and it is relatively easy for attackers to breach and decrypt the cached data. This often results stolen user data.

您是否知道移动设备通常存储高速缓存的数据以提高应用程序的性能？这是造成安全问题的主要原因，因为这些应用程序和设备变得更加脆弱，攻击者相对容易破坏和解密缓存的数据。这通常会导致用户数据被盗。

You can require a password to access the application in case the nature of your data is extremely sensitive. This will help reduce vulnerabilities associated with cached data. ‌‌

如果您的数据性质极为敏感，则可能需要密码才能访问该应用程序。这将有助于减少与缓存的数据相关的漏洞。 ‌‌

After that, set up an automatic process that wipes cached data whenever the device gets restarted. This helps reduce the cache and mitigate security concerns.

之后，设置一个自动过程，以便在设备重新启动时擦除缓存的数据。这有助于减少缓存并减轻安全隐患。

隔离应用程序信息‌‌ (Isolate Application Information‌‌)

You need to separate all information accessed through a mobile device from a user’s data. And this process of isolating information requires a few levels of protection around enterprise-deployed apps. This way corporate data will be separated from the employee’s private data as well as the consumer-facing application. ‌‌

您需要将通过移动设备访问的所有信息与用户数据分开。而且，这种隔离信息的过程需要对企业部署的应用程序进行一些级别的保护。这样，公司数据将与员工的私人数据以及面向消费者的应用程序分离。 ‌‌

This process of isolating data should increase your customers' satisfaction and productivity, all while making sure they're compliant with your security rules.

隔离数据的这一过程应提高客户的满意度和生产率，同时确保它们符合您的安全规则。

Using a container-based model can help you out in this case. Security is often more strict and won't compromise at any level of transmission. This ultimately helps eliminate the risk of corporate data loss. ‌‌‌‌‌‌‌‌

在这种情况下，使用基于容器的模型可以帮助您。安全性通常更加严格，不会在任何传输级别上受到损害。这最终有助于消除企业数据丢失的风险。 ‌‌‌‌‌‌‌‌

最后的话‌‌ (Final words‌‌)

Before setting up your business – or even if you are already running one – try to implement this mobile app security checklists. It'll help you protect your business from any fraud or loss. ‌‌

在设置您的业务之前-甚至即使您已经在运营它-尝试实施此移动应用程序安全清单。它可以帮助您保护企业免受欺诈或损失。 ‌‌

I know that security is a major concern and can't simply be resolved by going through a few steps. If you need some help, contact any mobile app development company which can guide you through the process.

我知道安全是一个主要问题，不能简单地通过几个步骤来解决。如果您需要帮助，请与任何移动应用程序开发公司联系，该公司可以指导您完成整个过程。

翻译自: https://www.freecodecamp.org/news/how-to-secure-mobile-apps/