In 2017 the mobile app is still king. The applications we download on our mobile devices are entertaining us, keeping us in touch with our loved ones and making our working lives better. With thousands of new applications still being added to the marketplace every single day it’s an exciting time to be a part of the app economy. However, there’s a major point of concern that many app developers are still choosing to ignore: mobile app security.
Organisations developing apps, whether just for enterprise use or for a wider consumer base, still have still lot of catching up to do to bring the level of security integrated within apps up to the high-calibre features available on the market today. On the app development journey there are several considerations for app security, which need to be applied to varying degrees, dependent upon the purpose of the app.
Here are some of the key issues that developers need to consider:
The development process is often one of the most overlooked factors in app security. To negate the potential risks at this early stage developers can help by introducing code reviews to inspect for illicit code. This will ensure any mistakes or coding problems are not overlooked issues in the initial development phase. Staff vetting is also an important issue to factor in with effective vetting ensuring protection of employees, customer and corporate interest. Also with identity fraud and reputation damage a major factor, rigorous vetting helps prevent against these issues. The implementation of high quality testing processes can help to ensure apps cannot be “tricked” into inappropriate behaviour once it goes live.
Data management is an important issue and it is important to ensure the handling of this is done in an effective manner. Key issues within data management include necessary information, storage, transmission and data loss management. Making sure the app has the necessary data, helps to ensure redundant and useless data is deleted – i.e. is the whole address used where just the postcode would do? Encrypted and inaccessible data needs to be stored safely, away from other apps to ensure there is no cross contamination of data.
Apps rarely operate in isolation and are vulnerable to attack through the communications channel. Ensuring all communication channels are encrypted and using digital signatures will help against vulnerability. Verification of correct servers will also help to ensure the communications are coming from the correct server as well as validating all received data both in terms of structure and content.
There have been instances where apps have been deployed by attackers into virtual environments in which supporting system libraries have been sabotaged or weakened. To combat this, developers must ensure the libraries are encrypted and not susceptible to hacking.
Overall it is always best to assume apps to be vulnerable. System APIs are responsible for providing a secure barrier for data. A best-case scenario would mean sensitive data would always be held for a minimum amount of time within the app and then discarded when no longer required. At Pocket App, we believe operative data management is key. Proactive planning as well as regular maintenance ensures apps are safe and avoids those nasty data breaches.