Over the past decade or so, there’s been a pronounced shift in the way that users all around the world have been adopting technology into their everyday lives. The biggest part of that shift has been the steady migration away from desktop computing environments and onto mobile platforms like smartphones and tablets. In fact, by late 2016, mobile internet usage had surpassed desktop internet usage for the first time, and that trend has continued until today. That change in user behavior has spawned a boom in the number of mobile apps brought to market to cater to the preferences of the Internet-connected public.
That boom hasn’t come without some significant issues, however. Chief among them has been a disturbing lack of app security measures, which has led to some high-profile data breaches. The problem is so widespread that recent research has found that as many as 85% of all apps violate security standards in one way or another. For developers, that means it’s well past time to go back to basics and recommit to learning and applying the appropriate cyber security features in every new app they create. To help, here’s an overview of what to pay attention to.
First, Understand the Subject
One of the underlying problems fueling the insecure app epidemic is the fact that many developers fail to learn the basics of cybersecurity as a core part of their professional development. It’s an oversight that could cost them in the long run in lost business and reputational damage. Fortunately, it’s not a problem that’s difficult to remedy. These days, it’s a trivial matter to find thorough training in cybersecurity best practices from any number of reputable sources both online and through traditional educational institutions. Taking the time to master the topic helps developers to think beyond their own code and understand the complex interplay of the apps they’re developing and the broader internet, which allows them to address security vulnerabilities throughout the app ecosystem. Once they’ve got the right knowledge, it becomes easy to put it to work.
Start With the Code, Work Your Way Outward
To create an app that adheres to security standards, the obvious place to begin is within the app’s code. This is where the most important foundational security measures live, and it is also the single biggest attack vector for anyone looking to compromise the app. To keep things secure, make sure to:
- Always encrypt code at rest to prevent reverse engineering or credential harvesting
- Employ obfuscation techniques at every level possible within the code
- Embed runtime application self-protection (RASP) in the app
- Conduct thorough code reviews to look for vulnerabilities at every stage of development
- Minimize required app permissions whenever possible
Building the above features and procedures into an app’s development helps to minimize the chances of a successful outside attack, and using RASP provides an excellent safety net to stop any successful penetration in its tracks before any harm is done.
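One concrete piece of the code-review step above is checking that no credentials were left in the source for an attacker to harvest from the shipped binary. The following is an added example, not code from the original article: a small reviewer's helper that flags string literals assigned to sensitive-looking names and marks the random-looking ones with a Shannon entropy score. The sample source lines and the placeholder "secrets" in them are constructed for this example, and the name patterns and entropy threshold are assumptions a team would tune for its own code base.

```python
import math
import re

# Constructed sample of source lines a reviewer might encounter. The values
# below are placeholders invented for this example, not real keys.
SAMPLE_SOURCE = """\
API_BASE = "https://api.example.invalid/v1"
# TODO: move to secure storage before release
api_key = "EXAMPLE-PLACEHOLDER-KEY-0123456789abcdef"
db_password = 'correct horse battery staple'
timeout = 30
token = get_token_from_keychain()
DEBUG_TOKEN = "aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5z"
""".splitlines()

# A sensitive-looking identifier assigned a quoted literal (assumed pattern list;
# extend it with the naming conventions used in your own code).
ASSIGN_RE = re.compile(
    r"""(?i)\b(?P<name>[a-z0-9_]*(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*)
        \s*[:=]\s*
        (?P<quote>["'])(?P<value>.+?)(?P=quote)""",
    re.VERBOSE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, ordinary words score lower."""
    if not s:
        return 0.0
    length = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / length * math.log2(n / length) for n in counts.values())


def scan_for_secrets(lines, min_len=8, entropy_threshold=3.5):
    """Return (line_number, name, reason) for literals that look like embedded secrets.

    Short values and plain URLs are skipped to keep the noise down; everything
    else assigned to a sensitive name is reported, with high-entropy values
    called out because they are the ones most likely to be real credentials.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = ASSIGN_RE.search(line)
        if not match:
            continue  # no sensitive name assigned a literal on this line
        value = match.group("value")
        if len(value) < min_len or value.startswith(("http://", "https://")):
            continue
        reason = "sensitive name assigned a literal"
        if shannon_entropy(value) >= entropy_threshold:
            reason += " (high entropy)"
        findings.append((lineno, match.group("name"), reason))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {reason}")
```

The line that reads the token from the platform keychain is deliberately left unflagged: that is the pattern the review should push developers toward, with secrets fetched at runtime from secure storage rather than compiled into the app.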
Secure all Network and Backend Calls
Even though the bulk of the code necessary for a mobile app will reside on the device that’s running it, the app doesn’t exist in a vacuum. For that reason, it’s essential to always make sure that whatever backend systems the app connects to are protected from attack and that all calls to them are sufficiently secured. To do that, consider these options:
- Keep all backend databases encrypted and enforce strict connection encryption via SSL or TLS 1.2 or above at all times
- Employ federation in backend infrastructure to keep sensitive data on separate servers and reduce exposure
- Conduct thorough network penetration testing for all systems that will interact with the mobile app to eliminate any attack vectors that could be used to poison the connection between the app and its backend system
With the supporting infrastructure secure, it becomes far more difficult for any malicious attacker to leverage a compromised app to gain access to any data stored outside of the confines of the affected device.
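The connection-encryption point above is easy to state and easy to undo in practice: a developer hits a certificate error in testing and switches verification off to "make it work". The following is an added example, not code from the original article, showing the hardened client-side TLS configuration beside that misconfiguration, plus a small audit function a code review or CI step can run over any context the app (or its API gateway) builds. It uses only Python's standard `ssl` module; the audit rules are an assumption reflecting the article's TLS 1.2 floor and certificate verification, and the example covers transport security only, not the at-rest database encryption also mentioned above.

```python
import ssl


def make_client_context(cafile=None):
    """Hardened context for calls from the app or its gateway to the backend.

    create_default_context() already requires and verifies the server
    certificate and hostname; setting minimum_version explicitly makes the
    TLS 1.2 floor visible in the code and fails closed if a runtime default
    were ever weaker.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context():
    """The misconfiguration to catch in review: certificate checks switched off.

    Any server on the path can now present any certificate, so the "encrypted"
    connection no longer proves who is on the other end.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", make_client_context()), ("weak", make_weak_context())):
        print(label, audit_tls_context(ctx) or ["ok"])
```

In use, the hardened context is passed wherever the app opens a connection, for example `http.client.HTTPSConnection(host, context=make_client_context())`; pinning the backend's own CA via `cafile` tightens this further by refusing certificates from every other authority the device happens to trust.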
Focus on Strong Authentication and User Authorization
The last thing to consider when seeking to build a secure app is to make sure that anyone who interacts with the app has appropriate access levels and is in fact who they claim to be. In practice, that means addressing login and user permissions for the front-end of the application:
- Minimize third-party API interactions, as they provide outside access that’s beyond the app’s control
- Make use of JSON Web Tokens (JWT) to facilitate secure authentication data transmission
- Implement the OAuth2 framework to control access and include two-factor authentication (2FA) wherever applicable
Preventing unauthorized access at the device level is just as important as securing the app’s code and backend systems, because an improperly authenticated user can wreak havoc with the permissions that are conferred on them so the app can operate. It’s also the one part of app security that the developer can’t control directly, so every effort must be made to limit the ability of users to inadvertently compromise their own security.
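A JWT only "facilitates secure authentication" if the receiving side verifies it properly: the server must check the signature with its own key, refuse to let the token choose the algorithm, and honour the expiry. The following is an added example, not code from the original article, implementing that verification for HS256 tokens with nothing but the Python standard library. The `mint_token` helper exists only so the verifier has something to check; the key, claim names and 300-second lifetime are constructed values for this example, and a production backend would normally use a maintained JWT library and, for OAuth2, asymmetric keys published by the authorization server.

```python
import base64
import hashlib
import hmac
import json
import time

# Only the algorithm this server itself signs with is accepted. Anything else,
# including "none", is rejected before the signature is even looked at.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, ttl_seconds: int = 300, now=None) -> str:
    """Issue an HS256 JWT (helper for the demo; constructed lifetime of 5 minutes)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unsupported or missing alg")
    # Recompute the MAC over exactly the bytes the issuer signed and compare in
    # constant time so the check leaks nothing about where a forgery diverges.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # A token without an expiry would be valid forever; treat that as a failure too.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def token_status(token: str, key: bytes, now=None) -> str:
    """Convenience wrapper: "ok" when the token verifies, otherwise the rejection reason."""
    try:
        verify_token(token, key, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    tok = mint_token({"sub": "user42", "scope": "read"}, key)
    print(token_status(tok, key))
```

Note what the verifier does not do: it never reads `alg` to decide how to verify, which is the mistake behind the classic `"alg": "none"` and algorithm-confusion bugs, and it treats a missing `exp` as a rejection rather than as "never expires".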
From the Ground Up
Any developer who takes care to secure their software by using the concepts outlined here will stand a very good chance of producing a secure and attack-proof app. Of course, this is not an exhaustive list, as every individual app will carry specific requirements and usage risks that could require additional security measures. It is, however, an excellent starting place when building an app from the ground up, and with any luck, will help to reverse the dismal cybersecurity track record of the app development industry as a whole. Now that you know what to do, it’s up to you to get to work!