How To Protect Web/Mobile Data From Hacker Attacks?

  • By Anastasiya Zelenkova
  • 15-06-2019
  • Technology
What Mobile/Web App Data is Vulnerable?
Most often, cyber attacks affect mobile and/or web data security in the following ways:
- Data security and privacy breach through injected malware resulting in password stealing;
- Confidential info theft;
- Customer data hacking for fraud and/or identity theft;
- Illegal appropriation of intellectual property;
- Unauthorized web/mobile secure server login through IP.
 
Having dealt with the main data security threats, let us move on to the types of cyber attacks.
 
Types of Attacks
SQL injection - one of the most accessible ways of hacking. In this method, an attacker adds arbitrary SQL code to the data sent to the application (a SQL injection attack). The data itself is transmitted through GET and POST requests or cookie values. If the database query is vulnerable to SQL injection, the intruder can make the database execute whatever code he/she wants.
 
CSRF attack relates to cross-site hacking activities. With it, a swindler can perform various actions on an unprepared website on behalf of registered users. Those actions may include sending spam through a secure webmail server from mobile or desktop devices, changing passwords, making money transactions, etc.
 
To get a better idea about what a CSRF attack is, follow our blog to read the latest security articles first.
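The standard defence against the CSRF scenario described above is a per-session anti-forgery token that only the site's own pages can put into a request. The following Python sketch is an added example, not code from the article or from ElateSoftware; the SESSIONS dictionary, start_session and handle_transfer are constructed stand-ins for a real framework's session store and request handler.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a server-side session store (not from the article).
SESSIONS: Dict[str, Dict[str, str]] = {}


def start_session() -> str:
    """Create a session and bind a fresh, unguessable anti-forgery token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    # The site embeds this value in its own forms as a hidden field. A page on
    # another origin cannot read it, because the same-origin policy keeps the
    # form's HTML out of reach of foreign scripts.
    return SESSIONS[sid]["csrf_token"]


def verify_csrf(sid: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the one bound to this session."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_transfer(sid: str, form: Dict[str, str]) -> str:
    """State-changing handler (hypothetical): refuse unless the token matches."""
    if not verify_csrf(sid, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: transferred {} to {}".format(form["amount"], form["to"])


if __name__ == "__main__":
    sid = start_session()
    good = {"amount": "10", "to": "bob", "csrf_token": csrf_token_for(sid)}
    forged = {"amount": "10", "to": "bob"}  # what a cross-site form can send
    print(handle_transfer(sid, good))
    print(handle_transfer(sid, forged))
```

A forged request from another site arrives with the victim's cookies but without the token, so it is rejected; marking the session cookie with the SameSite attribute adds a second, independent layer.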
 
XSS attack occurs when an intruder inserts a script (often JavaScript) into a web app’s page and executes it in the end user’s browser. Typically, it is done by inserting a new piece of HTML, CSS or JavaScript markup into the original HTML code.
 
Standard HTML has plenty of places where an executable script can be added, and web browsers, in turn, provide many ways to run one. Any output data (including the mobile app’s data) can carry third-party code.
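The defence for the XSS case just described is to encode user-controlled data for the context it is inserted into. This is an added example, not from the original article: a constructed comment template rendered once without escaping and once with html.escape, which is the correct encoder for HTML text content (attribute values, URLs and inline script each need their own encoder).

```python
import html
from string import Template

# Constructed page template (not from the article): $comment is user-controlled.
PAGE = Template("<p>Latest comment: $comment</p>")


def render_unsafe(comment: str) -> str:
    # Raw user input dropped straight into the HTML document: any tag or
    # event handler in it is parsed and executed by the browser.
    return PAGE.substitute(comment=comment)


def render_safe(comment: str) -> str:
    # Context-aware escaping for HTML text: <, >, &, " and ' become entities,
    # so the browser displays the input as text instead of parsing it as markup.
    return PAGE.substitute(comment=html.escape(comment, quote=True))


def contains_markup(rendered: str) -> bool:
    # Small check used only to show the difference between the two renderings.
    return "<script" in rendered.lower()


if __name__ == "__main__":
    user_input = "<script>evil()</script>"  # constructed test input
    print(render_unsafe(user_input))
    print(render_safe(user_input))
```

Escaping at output time is the minimum; a Content-Security-Policy header that forbids inline scripts limits the damage if an encoder is ever missed.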
 
MITM attack – a hacker (‘man in the middle’, or just ‘MITM’) interferes in the HTTPS connection between two users or between a user and a network. The intruder can ‘monitor’ and ‘control’ the traffic from both sides.
 
The parties think that they communicate directly, with no third party present. In truth, their interaction (whether it is the communication itself, internet surfing via browser, or something else) is totally under the hacker’s control.
 
By means of phishing, the hacker gets user information (passwords, credit card numbers, etc.) or money. More importantly, this technique allows stealing data from multiple users at once.
 
For example, emails allegedly from a support service are sent to all bank clients. Such letters may contain, say, a request to send a password because the account was disabled during site maintenance. Obviously, users tend to believe these emails.
 
Dummy DNS server - in the case of, say, automatic secure mobile/web server email settings, the system will ‘ask’ a user which DNS server the queries should be sent to. Having physical access to the network, a hacker can intercept this DNS request and indicate his/her computer as the DNS server. After this, he/she will be able to direct a tricked victim along any route.
 
For example, the victim wants to transfer money. The hacker redirects the user to his/her computer, which serves a forged password form. This way, the trickster learns the user’s password. However, this method is rather complicated, as it requires the hacker to respond faster than the legitimate DNS server.
 
So, how to protect a mobile or web app from all these threats? Let us sort this out.
 
Ways to Protect Data
We will highlight the most efficient protection methods.
 
Symmetric encryption – a simple and quite popular method that uses a single shared key, or an encrypted password. Due to its simplicity, the method does not guarantee you lower vulnerability.
 
SSH keys – the technology is based on a pair of cryptographic keys used as an alternative to password authentication (the method is also known as asymmetric encryption). The login system uses both private and public access keys created prior to authentication. Only the user knows the private key, while the public one is accessible to any related SSH server.
 
VPN, or virtual private network, is a way to establish a secure connection between remote systems over the current connection.
 
In essence, the method allows creating a private network visible only to local servers. The connection is absolutely secure and private. Moreover, you can set up a VPN for particular applications and services so that their traffic goes through a virtual interface. Thus, you can expose only the client-facing side and hide the internal part of the server’s work behind the VPN.
 
PKI and SSL/TLS encryption – a public key infrastructure (PKI) is the SSL/TLS certificate authority that controls the issuance of security certificates. More specifically, it allows every user on the server to encrypt his/her traffic and authenticate other users.
 
With authentication via SSL, MITM attacks are no longer an issue! You can set up every server in a way that requires users to go through authentication with public and private access keys.
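The MITM and PKI/TLS points above come down to two things: the client must actually verify the server's certificate and hostname, and, where the "public and private access keys" setup is wanted, the server must require a client certificate too. The following is an added example using Python's standard ssl module, not the article's code: a deliberately weak client context beside a hardened one, a small audit function that flags the settings which let a man in the middle succeed, and a server context for mutual authentication. The certificate, key and CA file paths are hypothetical placeholders.

```python
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    # Settings that make a MITM trivial: any certificate is accepted and the
    # hostname is never compared with the certificate's subject.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode below
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    # Standard-library defaults: system CA store, hostname check, certificate
    # required. Additionally refuse anything older than TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mtls_server_context(cert_file: str, key_file: str, client_ca_file: str) -> ssl.SSLContext:
    # Server side of the "public and private access keys" setup: besides presenting
    # its own certificate, the server demands a client certificate issued by the
    # CA in client_ca_file. All three paths are hypothetical placeholders.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject clients without a valid certificate
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings in ctx that would let a man in the middle succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS older than 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the kind of check worth running in a code review or a unit test: a context that reports any finding will happily talk to an interposed proxy, which is exactly the situation the MITM section describes.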
 
SQL injection protection includes a set of preventive measures. To check a variable, use the ‘is_numeric($n)’ function, which returns ‘true’ if the ‘n’ parameter is a number and ‘false’ otherwise. To detect unnecessary special symbols, like quotes, apostrophes, etc., in strings, use the ‘mysql_escape_string($str)’ and ‘mysql_real_escape_string($str)’ functions.
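This added example, not code from the article or from ElateSoftware, puts the SQL injection attack from the Types of Attacks section and the protection from the paragraph above side by side: a login query built by string concatenation and the same query using parameter binding, plus a numeric whitelist check in the spirit of is_numeric($n). The PHP mysql_escape_string and mysql_real_escape_string functions named above were removed in PHP 7; the standard defence today is prepared statements with bound parameters, shown here with Python's built-in sqlite3 driver (the same DB-API pattern applies to MySQL drivers). The users table and its rows are constructed for the demo.

```python
import re
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    # String concatenation: user input becomes part of the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '{}' AND password = '{}'".format(name, password)
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    # Parameter binding: the driver sends the values separately from the query
    # text, so the input can never change the structure of the statement.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def is_valid_id(raw_id: str) -> bool:
    # Whitelist check, the Python counterpart of the article's is_numeric($n):
    # only an unsigned decimal integer may reach the query.
    return re.fullmatch(r"[0-9]+", raw_id) is not None


def get_user_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Look up a user by a numeric id taken from a request parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be an unsigned integer")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that contains a quote
    print("vulnerable:", login_vulnerable(db, "alice", crafted))  # every user
    print("safe:      ", login_safe(db, "alice", crafted))        # nobody
    print("by id:     ", get_user_by_id(db, "2"))
```

Note that escaping functions only help with string literals; a parameter that is interpolated as a number or a column name still needs a whitelist check like is_valid_id, and binding parameters avoids the question entirely.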
 
With the above methods, you can guard your data wisely, so hacker attacks will never catch you off guard (no pun intended)!
 
Our team carefully handles web and mobile database security of every client. Contact us to get a robust and protected solution.

Author

Anastasiya Zelenkova

I am both a digital marketing manager and a content manager at ElateSoftware Ltd., which is located in Belarus and specializes in developing native mobile apps for iOS and Android as well as web apps. Based on an interview with middle back-end developer Violetta G. from our team and after searching a lot of information about data protection, I decided to write this article and share this useful material with you.
