Most app developers aren’t thinking about security and data privacy during the development process. They’re thinking about how to make an app that users love. Besides, what could go wrong? A lot, actually.
“Just because a mobile site is meant to be viewed on a mobile browser with limited functionality doesn’t mean an attacker can’t load it in a normal browser and have full use of their powerful tools to bypass authentication, find vulnerabilities in non-standard encryption and ultimately crack the site.”
— Pete Soderling, founder of Stratus Security
Developers who skimp on security during the development process risk attacks, damage to their reputation, and loss of profitability. Therefore, when designing your app, make sure you understand and protect it against 3 of the worst security dangers.
Untrusted Inputs and Data Sources
Mobile apps can accept data from a plethora of external sources, some of them malicious in intent. If your app is not encrypted, attackers can easily modify inputs such as cookies and environment variables, bypassing your security.
For instance, a simple link found in the contents of an email gave hackers unwarranted access to Skype, allowing them to dial arbitrary phone numbers. Last year, a bug in the iPhone 1 OS allowed hackers to listen in on private phone conversations. These are only two examples out of dozens that show what happens when your app is not properly protected.
Because mobile apps receive data from a variety of sources, security decisions on authentication and authorization must be checked. If you fail to review all unintended consequences or security flaws during your app development process, you will put both consumer and enterprise data at risk of falling into the wrong hands.
Mobile apps glean the kind of personal information businesses would pay thousands for. While personalizing your marketing to directly reach out to consumers provides tremendous opportunities for consumers and businesses alike, gathering this data also leaves it vulnerable to being compromised.
Last year, the media reported that the NSA had tapped popular smartphone apps like Angry Birds in order to gather massive amounts of personal data including age, location, gender and more. Leaky apps like these pose significant risks for developers if they fail to properly secure consumer data and keep it private.
However, consumer apps are not the only apps at risk. Many healthcare apps designed for patients suffering from chronic diseases use analytics to track a patient’s condition. If someone were ever to steal this data and learn the medical condition of the user, it would place the provider in direct violation of HIPAA.
App developers must use the utmost caution when tracking and storing data. Knowing what, how, when, and where the data moves gives a hacker a ripe opportunity to steal a gold mine of information.
Insecure Data Storage
The Starbucks mobile app is by far the most popular and actively used mobile payment app currently in the U.S. All consumers have to do is enter their password once to make a payment, and they can make as many purchases as they want without having to enter their password or username again. However convenient it may be, Starbucks confirmed that their app stored usernames, email addresses, and passwords in clear, unencrypted text.
All it takes is for someone to get access to your phone and connect it to a PC, and they can easily find your password and username. But it doesn’t end there. Most people use the same username and password across systems, so unauthorized individuals would have all that’s needed to log in to the Starbucks website as well. If one particular password is compromised, there’s also the potential that additional user accounts are compromised.
Developers must design apps so that sensitive information, including passwords and credit card numbers, is not stored directly on a device. But if developers allow this information to reside on a device, it must be stored securely.
If designing an app for iOS, for example, always store passwords within the encrypted data section of the iOS keychain. For Android, passwords should be stored and encrypted in the internal app data directory, while also ensuring ‘disallow backup’ is checked.
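The Android half of this advice can be checked mechanically before release. The following is an added example, not code from the original article: it audits a manifest and a shared-preferences file for the two conditions above. The sample XML, the key-name pattern and the function names are constructed for illustration, and it assumes ‘disallow backup’ corresponds to the manifest attribute android:allowBackup.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Assumed heuristic: preference keys that suggest a credential or card number.
SENSITIVE_KEY = re.compile(r"pass|secret|token|card|cvv", re.I)

# Constructed sample inputs, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coffee">
  <application android:label="Coffee" android:allowBackup="true"/>
</manifest>"""

SAMPLE_PREFS = """<map>
  <string name="username">alice@example.com</string>
  <string name="password">constructed-sample-value</string>
  <boolean name="onboarded" value="true"/>
</map>"""


def backup_allowed(manifest_xml):
    """True if backups may include app data (allowBackup defaults to true)."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    value = app.get(f"{{{ANDROID_NS}}}allowBackup", "true")
    return value.strip().lower() != "false"


def sensitive_string_prefs(prefs_xml):
    """Names of non-empty <string> prefs stored under a sensitive-looking key."""
    root = ET.fromstring(prefs_xml)
    return [el.get("name") for el in root.iter("string")
            if SENSITIVE_KEY.search(el.get("name", ""))
            and (el.text or "").strip()]


def audit(manifest_xml, prefs_xml):
    """Collect findings for the two storage rules described above."""
    findings = []
    if backup_allowed(manifest_xml):
        findings.append("manifest: android:allowBackup is not set to false")
    for key in sensitive_string_prefs(prefs_xml):
        findings.append(f"shared_prefs: '{key}' is stored as a string value")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MANIFEST, SAMPLE_PREFS)))
```

A flagged preference still needs manual review, since the check looks only at key names and cannot tell ciphertext from a plaintext password.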
For both experienced and inexperienced app developers, security should be as important as design and functionality in the app development process. In fact, before even beginning the development process, developers should always think through the security and the flaws of their app design.
Otherwise, developers face serious risks and legal repercussions that could literally stop them from making apps altogether.