Back to Blogs

App Security Never Sleeps

Mobile App Development
Technology, Information and Media

Data transmitted through the complex ecosystem of apps and smart devices is a profitable target for cyber criminals — and crime as a service is proliferating on the dark web. Increased app personalization and functionality creates a steady flow of sensitive user information. Malicious intentions are varied, but their ever-evolving activities bring about the same result: damage.

Security & Solidarity with Customization & Connectivity

Staying connected with machines, systems, supply chains, and customers is what creates a strong app, but app design and development companies must offer their business partners solutions that are as secure as they are customizable. Taking cyber security into account from the very beginning is the first step in building sustainable products that better protect customer data. But there are multiple security factors and actions to consider before, during, and after releasing apps into the wild.

Build Authentication with Biometrics & Blockchain

For many users, the concept of security starts with creating credentials. Password technology can only go so far. In fact, it never seems to be able to get one step ahead of account hackers. Biometrics, at one time, was only reserved for government/military applications–only the REALLY sensitive information warranted biological identification. But the market demands more everyday adoption of these practices. Now, biometrics enable one-time passwords, two-factor identification, and external security tokens.

Blockchain authentication is also taking flight so encrypted access keys or biometric data can be distributed across an entire blockchain ledger rather than stored in a central location. Many see blockchain as a launchpad for many more third-party identity service providers. In addition, the Open Web Application Security Project (OWASP) Password Cheat Sheet and Authentication Cheat Sheet provide app builders crucial reference checkpoints for up-to-date protocols.

Encryption Tech is on the Move

Bolstering safeguards around sensitive data at the application level reduces vulnerability to cyber attack, since this renders it unreadable by the time it is stored in the cloud. Pretty basic. But, similar to password tech, app developers have continuous homework, keeping up with cryptographic protocols and the latest APIs. It’s important to recognize the speed at which previous ‘solid’ encryption solutions turn into new areas of vulnerability and risk.

Weigh the Third-Party Library Pros and Cons

Mobile app development often involves incorporating code from external libraries–these resources aren’t always secure. Using third-party software, while sometimes controversial in other ways, isn’t likely to waver as a result of increased risk. The benefits around efficiency and prioritization often outweigh the risks.

External library integration:

  • Accelerates development timelines
  • Promotes more attention to be paid to core business functions
  • Allows for devs to focus on creativity and innovation

However, it is possible to take it upon yourself to manage risk by working with well-maintained open-source libraries. These libraries inspire confidence with their active user communities and trusted reputations within development circles.

Follow the Principle of Least Privilege (PoLP)

In wide circulation for decades, this principle gives character to general clean code best practices within operating system architecture. When it comes to application security, its relevance has never been greater.

The Principle of Least Privilege states that no function should request access to any deeper layer of privilege than it absolutely requires in order to operate.

When an app launches, it should open as few privileges as possible, and user accounts should be run with the least possible access. This principle also makes apps easier to deploy and use, since any elevated privilege usually comes along with additional security provisions.

Manage Sessions Actively

When it comes to governing how the server handles user sessions, tokens are safer than device identifiers. Namely because, if the mobile device gets lost or stolen, tokens can be revoked. Integrating the remote ability to remove data from a lost device is a valuable, more fail-safe, security precaution (the same goes for remote log-off). Session IDs need to be long and random enough that brute force attacks won’t discover them.

Cryptographic hash functions such as SHA256, which cannot be decrypted back, are part of today’s best practices. Session length is also a security consideration; rather than keeping sessions open indefinitely, it’s usually safer to set a time threshold (after which a user must provide a password or other verification.) In order to keep user frustration at a minimum, however, there should be a built-in mechanism to preserve their unsaved activities.

Get Ready for CCPA (and more…)

Although the California Consumer Privacy Act (CCPA) is still in the works, it is far and away the most sweeping requirement for consumer privacy ever established. All U.S. companies will likely abide by its regulations (or face the consequences), which largely go into effect in January 2020. Other states are already drafting piggy-back legislation in order to force a more universal hand.

After January 2020, apps will need to be able to produce any collected consumer/ personal data. In addition, the option to remove this personal information has to be on the table at all times. As a result, app development companies will have to vet the data-collection strategies of any third-party partner, to ensure CCPA-compliance.

Never Fully Rely on ‘The Screener’

When a company is hiring for a new role, there is often a general phone screener that attempts to weed out obvious poor fits. But we can’t rely on screeners to choose the best culture fit or the lowest risk candidate. To some degree, the same can be said for app screening.

App-building platforms have their own in-build security screening. Passing this screening is required before an app can be listed. However, even the Apple App Store screening process, reputed to be highly rigorous, has been known to let malware slip through. Android apps are a less regulated territory, relying primarily on user reviews to broadcast their safety after the fact. In short, don’t rely on these processes to complete all of your due diligence when it comes to security measures.

Can’t Stop, Won’t Stop: Security Never Sleeps

When users download a finished app from the Apple App Store or Google Play, part of the security journey is over, but another begins. Protecting users and data compliance remains an ongoing concern after app release. Perpetual monitoring and testing for new vulnerabilities should always be standard practice. Threat modeling, emulation, and penetration testing, even for the most mature apps, is critical.

Proactive updates and patches may seem menial, but ask any company who has suffered a data breach. There’s nothing small about it.

Successful apps empower companies to build and maintain close relationships with their customers. It promises a new era of connection between human and machine, hardware and software. But businesses looking to redefine and innovate have to look beyond delightful features. Evaluating an app experience (and the builder behind it) goes beyond how well the app wins customer loyalty–it’s equally about how well it keeps them safe.

Molly Gardner

Molly Gardner worked at Mutual Mobile as the Director of Marketing.

More by this author