Eight security issues to prepare for in mobile app development

Thousands of new apps hit the market each week. At the same time, thousands of hackers work hard to tap into these apps to try to phish for user information or implant malware. That means app developers have to be vigilant about security to protect users. As an app developer, you need to know how to avoid the eight security issues most widely affecting users today.

Trusting Built-in Platform Security

Image via Flickr by Alexandre Dulaunoy

You can choose from myriad app development platforms, but none are immune to security issues. For the longest time, Apple’s iOS platform has been considered the most secure because all apps go through a screening process before being approved for users. Unfortunately, this doesn’t guarantee all of Apple’s apps are secure, because the screening process can’t account for every malicious program or person vying to break through.

Android takes a different approach to security by approving all new apps and letting users sort out the good ones from the bad ones with reviews. Both systems have their flaws, and it shows you can’t trust any app platform to protect its users entirely. There are just too many variables for app platforms to consider.

Using Code from Other Developers

It takes a lot of time to develop an app from the ground up, but there’s no need to do so when so much free code exists to build on. Some hackers create code in the hopes that app developers pick it up to use in their apps. This gives hackers access to any information they want after the app’s release.

There’s nothing wrong with building upon the ideas of others, but you have to do your research. Make sure that if you use code from a third-party source, you can trust it’s not going to cause security issues. Read the code line by line to look for phishing scams and only use verified and trusted sources for code.

Not Planning for Data Caching Vulnerabilities

Mobile devices are fundamentally different from standard laptops and desktops in that they store short-term information as long as possible (caching) to increase speed. This makes mobile devices more susceptible to security breaches because hackers can access cached information easily. To avoid the problem, you can require a password to use an app. Of course, app users often find passwords inconvenient, which can hurt the popularity of your app. You can try another solution to data caching vulnerabilities by programming the cache to automatically be wiped every time the mobile device reboots.

Foregoing Thorough Security Testing

As the app developer, you’re the last line of defense. If you don’t ensure your app is secure, you put all of your app’s users at risk. That means you should never rush to release an app before you have properly tested it. Test every inlet for security issues, including the camera, GPS, sensors, and even the platform itself. No app is safe from the attacks of viruses and malware.

During testing, avoid allowing users to see crash and debug logs. These are often the first places hackers look for app vulnerabilities. As an app developer, you can disable the NSLog statements on iOS. This action increases the speed of the app, too, which your users will appreciate. The Android debug log is typically cleared when a device is rebooted, but an app is vulnerable until that happens.

Not Using Encryption or Using Weak Encryption

Technology is constantly improving, and as a result, encryption algorithms become obsolete and easier to crack. Sensitive user information is at risk if you use weak encryption or decide not to use it at all in your app. Many apps require users to input sensitive data, such as credit card numbers or personal identification information. Without good encryption, this information can be hacked. The more popular the app, the more likely it is to be hacked, too. So, invest in good encryption if you want your app to be at the top.

Forgetting to Plan for Physical Security Breaches

There’s not much app developers can do to prevent mobile devices from being stolen or lost, but implementing a local session timeout code does help. Basically, users must periodically enter a password to get into an app. Instead of happening daily, it could be something like entering a password once a week or every five times they use an app. Sometimes, mobile devices have software that remembers passwords, but the local session timeout prevents this.

Not Implementing Secure Communications to Servers

Most apps that handle sensitive user information connect back to a server. Therefore, you must make sure the transit is safe. You don’t want anything intercepted on an insecure WiFi connection. This type of security is mainly achieved through encryption and SSL certificates. If you fail to use the proper SSL libraries, it can compromise user information.

Patching Your App Too Slowly

You’re not done after you launch your app. Hackers work fast. They look for apps that don’t release security updates often, and then exploit those security holes. You need to revisit the app often to perform security updates. However, patches can regularly take time to reach users. For instance, Apple’s approval process can take as long as a week. Plus, all mobile device users have to accept and download the patch. If you don’t stay on top of new security updates, patches will take too long to reach users, putting their information at risk.

There’s no margin for error when apps deal with things like customer credit cards and personal information. The repercussions of a security breach are catastrophic to an app developer. Don’t get caught unaware and unprepared. Make the necessary precautions to protect your app and its users.

Securing Outside the Box

It’s critically important to consider all of the various techniques for securing an app through intelligent development decisions. For enterprises developing and deploying apps internally to their employees, there are additional tools to consider. An enterprise mobility management (EMM) solution provides protections typically not addressed through direct app development. These protections start with the basic and most important, detection and remediation if an iOS device is jailbroken or an Android device is rooted. If all the built-in security of the mobile operating system has been removed, no app specific protections are going to keep the data safe for long, as all the above techniques build upon the inherent mobile OS security features.

Beyond jailbreak and root security, an EMM solution can provide enterprise authentication requirements before launching an app and the ability to apply various security policies to prevent data breach. For example, the app and the device may be secure, but what about the data transmissions? Can those transmissions only happen over a secure channel? Will you allow the app to transmit if connected to an untrusted WiFi network? These and many other vulnerabilities can be addressed by the inclusion of an EMM solution in the enterprise.

The combination of development strategies combined with EMM is the most comprehensive way to insure that devices, apps, and the critical data they contain stay safe in an unsafe digital world.