Am I at Risk of a Data Breach? Six Common Questions for Enterprise App Owners


According to a July IBM Security report, data breaches cost the affected companies an average of $3.86 million. And they’re becoming an increasingly commonplace event.

Dixons Carphone, Ticketmaster and Costa Coffee parent company Whitbread are among the brands that have recently grabbed headlines after falling victim to breaches. Social media app Timehop reported the personal data of 21 million users stolen in a 4 July breach.

As an app owner, you’re likely to have questions about what happens if you become the target of a data breach. We here at Pocket App believe the security of apps is paramount, so here are six of the biggest questions on the topic.

If my app is the target of a breach, what can be accessed?

The answer to this question depends on exactly what was breached. If it was the server, then it’s fairly straightforward – whatever data is held on that server.

If we’re talking about the application side, however, it varies. Assuming the app was compromised by gaining access to the account credentials of one of its permitted users, then the attacker will have access to anything that app can do. That includes any encrypted app data for that app alone, and any special permissions the app has been granted.

Permissions can allow access to the device’s photos, GPS data and – most importantly – contact information from the address book. It’s always best practice to consider which permissions your app really needs, and keep them to a minimum.

If another app on a user’s phone is breached, can it affect mine?

Assuming your application data is encrypted then no, it should only be readable by the app itself. The only exception would be things like custom keyboards or keyloggers, which could potentially collect a user’s log-in details – but this is less likely, as it requires very particular permissions.

I have an app with a smaller userbase, or that isn’t on the App Store – am I safe from breaches?

It’s certainly safer, and minimising the visibility your application has to people who aren’t potential users of your app is just good practice. Don’t put an internal application on the App Store.

However, a small or unlisted app is not immune to attack, just a less obvious target, and precautions should of course always be taken. It’s all about finding the right security level for the app in question – not too light, without going too far into overkill.

How do I know if my app is secure?

Follow standard procedures, ensure all industry standards are met in development and ensure that proper penetration testing and vulnerability testing have been completed on the system before release – and kept up with afterwards.

How will I know if my app has been breached?

The biggest red flag is unusual activity from the user whose account has been breached. Expect to see unexpected loss or duplication of data on the server. It may simply be a user complaining that something changed in their app that they did not do themselves.

What do I do if there is a breach?

Under GDPR, you have 72 hours to gather all related information and report data breaches to the relevant regulator, and must notify without undue delay all users whose privacy or personal data is likely to have been affected.

It is generally good practice to require all users to change their password. It then becomes a case of damage control: isolating – based on the logs – what was accessed, and putting in place new precautions.
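As an added illustration of the two points above (spotting unusual account activity in server logs, then using those same logs to isolate what was accessed), here is a small Python triage script. It is not Pocket App’s code and not a real log format: the audit lines, the user names, the "delete/copy/export" action names and the five-minute window and threshold of three destructive actions are all constructed assumptions for the example.

```python
"""Triage of a constructed server audit log: flag accounts showing unusual
bulk deletion or duplication of data, then list everything those accounts
touched so the damage can be scoped and a password reset can be enforced."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): "timestamp user action resource".
SAMPLE_LOG = """\
2018-07-04T09:00:01Z alice read invoice/1001
2018-07-04T09:00:07Z alice read invoice/1002
2018-07-04T09:01:15Z bob read invoice/2001
2018-07-04T09:02:00Z bob update invoice/2001
2018-07-04T22:14:03Z alice delete invoice/1001
2018-07-04T22:14:04Z alice delete invoice/1002
2018-07-04T22:14:05Z alice delete invoice/1003
2018-07-04T22:14:06Z alice copy invoice/1004
2018-07-04T22:14:07Z alice copy invoice/1005
2018-07-04T22:14:08Z alice export customers/all
"""

# Assumed action names that cause loss or duplication of data.
DESTRUCTIVE = {"delete", "copy", "export"}


def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, user, action, resource)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, resource))
    return events


def find_suspicious_users(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: peak_count} for accounts that performed at least `threshold`
    destructive actions inside any sliding `window` (assumed thresholds)."""
    per_user = defaultdict(list)
    for ts, user, action, _ in events:
        if action in DESTRUCTIVE:
            per_user[user].append(ts)

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def accessed_resources(events, user):
    """Every resource the account touched and the actions taken on it:
    the scope of what must be treated as potentially exposed."""
    touched = defaultdict(set)
    for _, u, action, resource in events:
        if u == user:
            touched[resource].add(action)
    return {resource: sorted(actions) for resource, actions in touched.items()}


def password_reset_list(events, **kwargs):
    """Accounts whose credentials should be reset first (the flagged ones)."""
    return sorted(find_suspicious_users(events, **kwargs))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = find_suspicious_users(evts)
    print("Flagged accounts:", flagged)
    for user in password_reset_list(evts):
        print(f"Reset password for {user}; resources touched:")
        for resource, actions in sorted(accessed_resources(evts, user).items()):
            print(f"  {resource}: {', '.join(actions)}")
```

In this sample only "alice" is flagged (six destructive actions within a few seconds late at night), while "bob" never crosses the threshold. In practice the window and threshold would be tuned to the app’s normal usage, and the output of `accessed_resources` is what feeds the regulator notification and the user notifications described above.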