Do you know what the most important feature developers need to add to their app to make a positive customer experience? According to consumers – app security.
The data shows that 69 percent of consumers believe security is the most critical feature in apps. Furthermore, 20 percent of consumers said any security mishap would result in them leaving a brand temporarily, whereas 10 percent said forever.
“Consumers no longer view applications as nice-to-have novelties. They now have a huge impact on customer loyalty,” said Andi Mann, vice president of strategic solutions at CA Technologies.
He adds that “in order to tap into the growth potential of the application economy, businesses and governments must make software more than just a part of their business – it must become their business”.
So how can developers achieve this? For one thing, app developers need to listen to their customers, understand their needs and, ideally, let them lead. After several recent, high-profile hacking incidents and security flaws, securing the confidential customer data held by the apps people use has become urgent.
With this in mind, here are some key considerations and strategies for safe and secure enterprise app development and deployment.
Pick The Right Kind of App Security
Defining what application security you need is the first step. For instance, if you’re building an app that handles sensitive data such as credit card information, you’ll naturally spend more time and effort on security than you would on a basic web app such as a game that requires no user information.
Consider these questions before you lay the foundations.
- What data will the app store?
- What kind of data will pass through it?
- What is the worst-case scenario for a security breach?
- How could such a breach occur?
For example, if an attacker were to gain elevated privileges, how much access would they have? Or, if an employee leaves his or her mobile device at a restaurant or in a taxi, does your app require a VPN password for network access, and is that password cached on the device?
Planning ahead is key. Before you begin to develop your app, ask who will use it, from which devices they’ll use it, and what security measures should be in place.
Start From The Ground Up
Consider app security the same way you would when building a house. Facilities such as electricity and plumbing are much easier to incorporate during the construction phase as opposed to after you build the house.
The same principle applies to app development. Yet, in the era of agile development, developers often prioritize speed to market at the expense of app security.
According to the 2014 Data Breach Investigations Report, a global study by Verizon, web app attacks doubled in frequency from 2012 to 2013, jumping from less than 20 percent to 40 percent of recorded security incidents.
Therefore, app security must be built into your app from the ground up, rather than added as an afterthought. It is much more difficult, time-consuming and costly to fix something that was flawed from the beginning than to do it right the first time.
The 3 C’s of App Security
When laying the foundation of your app, apply the three Cs of app security. That is, ‘client, context and content’.
The client is a critical component in securing web apps today. When a client connects to the app, verify what it claims to be: for instance, the device type, the IP address and the app version itself. Network, device type, user and other operating parameters should be checked on connect.
This allows you to check client data and IP addresses against known malware sources, phishing infrastructure and other suspicious indicators to determine whether or not the connection should be allowed.
For example, anti-fraud services are able to determine, in real-time, whether or not a client is compromised, enabling security services to determine the appropriate course of action. When combined with a WAF or strategic point of control in the critical conversation path, this information provides tactical guidance on whether or not a connection should be allowed to continue.
Context and Content
From here you want to check the context. When a verified client makes a request, inspect that request for signs of bad behavior. App security practitioners should check URIs, HTTP headers and, especially, cookies.
For instance, the exploitation of HTTP headers has been on the rise. An attack delivered through an HTTP header that the platform parses unsafely can wreak havoc on your app because it affects the application platform and its server, not just your code. As a result, you’ll have to patch up your app and delay deployment while you wait for the vendor or owner to address the issue.
Content is the final point to check. Compare the expected length and data types against what is really coming back from the app. Identify any sensitive data in response payloads; its presence indicates a failure on the inbound flow.
The response should match the request. For instance, if the request is for a single customer record, the response should not contain a list of records. Understanding response context also lets you know whether requests are coming in too fast, or whether responses are taking too long.
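The following is an added example, not code from the original article, of a small request/response gate that applies the three Cs in order: the client check (app version allowlist and a blocked-IP feed), the context check (URI shape, header size, cookie format and request rate) and the content check (a single-record request must not return a list, and the response must not carry card-number-like values). The allowlists, thresholds, URI pattern and sample requests are all constructed assumptions for the demo.

```python
# Added example: a request/response gate implementing the "three Cs"
# (client, context, content) checks described above. Illustrative code,
# not from the original article; the allowlists, thresholds and sample
# requests below are constructed assumptions.
import re
import time
from collections import deque
from dataclasses import dataclass

# --- Client: which clients may talk to the app at all ---
SUPPORTED_APP_VERSIONS = {"2.3.0", "2.3.1", "2.4.0"}  # assumed current builds
BLOCKED_IPS = {"203.0.113.7"}  # assumed bad-IP feed entry (TEST-NET-3 address)

# --- Context: what a well-formed request looks like ---
URI_PATTERN = re.compile(r"^/api/v1/customers/(\d{1,9})$")  # assumed route
MAX_HEADER_LEN = 4096
COOKIE_PATTERN = re.compile(r"^[A-Za-z0-9_-]{32,128}$")  # assumed session-id format
MAX_REQUESTS_PER_WINDOW = 20
WINDOW_SECONDS = 10.0

# --- Content: data that must never leave in a response ---
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")  # looks like a payment card number


@dataclass
class Request:
    client_ip: str
    app_version: str
    uri: str
    headers: dict
    cookies: dict


class Gate:
    def __init__(self):
        self._history = {}  # client_ip -> deque of request timestamps

    def check_client(self, req):
        """Client: reject IPs on the block list and unknown app builds."""
        if req.client_ip in BLOCKED_IPS:
            return "client: blocked ip"
        if req.app_version not in SUPPORTED_APP_VERSIONS:
            return "client: unsupported app version"
        return None

    def check_context(self, req, now=None):
        """Context: URI shape, header size, cookie format and request rate."""
        if not URI_PATTERN.match(req.uri):
            return "context: unexpected uri"
        for name, value in req.headers.items():
            if len(value) > MAX_HEADER_LEN:
                return f"context: oversized header {name}"
        sid = req.cookies.get("session")
        if sid is None or not COOKIE_PATTERN.match(sid):
            return "context: malformed session cookie"
        # Sliding-window rate check per client IP ("requests coming in too fast").
        now = time.monotonic() if now is None else now
        q = self._history.setdefault(req.client_ip, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            return "context: request rate too high"
        return None

    def check_content(self, req, response_body):
        """Content: the response must match the request and leak nothing sensitive."""
        # A single-record request must not come back as a list of records.
        if URI_PATTERN.match(req.uri) and isinstance(response_body, list):
            return "content: list returned for single-record request"
        if isinstance(response_body, dict):
            for key, value in response_body.items():
                if isinstance(value, str) and PAN_PATTERN.search(value):
                    return f"content: card-number-like value in field {key}"
        return None

    def inspect(self, req, response_body, now=None):
        """Run the three checks in order; return the first failure, or None if clean."""
        return (self.check_client(req)
                or self.check_context(req, now)
                or self.check_content(req, response_body))


if __name__ == "__main__":
    gate = Gate()
    good = Request("198.51.100.4", "2.4.0", "/api/v1/customers/42",
                   {"User-Agent": "ExampleApp/2.4.0"}, {"session": "a" * 40})
    print(gate.inspect(good, {"id": 42, "name": "Ada"}))      # clean request
    print(gate.inspect(good, [{"id": 1}, {"id": 2}]))          # list for one record
    print(gate.inspect(good, {"id": 42, "card": "4111111111111111"}))  # leaked PAN
```

In a real deployment the client check would consult a live reputation feed rather than a static set, and the content check would run at the same WAF or point of control that sees the inbound request, so that the two halves of the conversation can be matched up.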
The Guides
At this point, you should know exactly the kind of security you want and the foundations you’ll build it on, and you should have applied the three Cs of security.
The next step in ensuring your app is secure is to apply the seven practices below.
- Query parameterisation
- Secure password storage
- Contextual output encoding (XSS defence)
- Content security policy
- Cross-site request forgery (CSRF) protection
- Multi-factor authentication
- Forgotten-password security design
Combine these seven practices with other guides for maximum protection. Microsoft offers design guidelines for developing secure apps, as do the SANS Institute and Northwestern University.
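As an added example (not code from the original article or any of the guides it names), the block below shows three of the seven practices in the Python standard library: query parameterisation, with the vulnerable string-concatenation form beside the parameterised one; secure password storage with salted PBKDF2-HMAC-SHA256 and constant-time comparison; and CSRF tokens bound to a session with an HMAC. The schema, sample credentials, iteration count and server-side key are constructed assumptions for the demo.

```python
# Added example: query parameterisation, secure password storage and CSRF
# tokens using only the Python standard library. Illustrative code, not from
# the original article; schema, credentials and work factor are assumptions.
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware improves


def make_db():
    """Constructed in-memory database with two sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


# --- 1. Query parameterisation -------------------------------------------
def find_user_vulnerable(con, name):
    """Deliberately unsafe: concatenation lets the input rewrite the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con, name):
    """Parameterised: the driver binds `name` as data, never as SQL text."""
    return [row[0] for row in con.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# --- 2. Secure password storage ------------------------------------------
def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; algorithm, iterations and salt travel with the hash."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- 3. Cross-site request forgery tokens ---------------------------------
CSRF_KEY = secrets.token_bytes(32)  # assumed server-side secret, never sent to clients


def csrf_token(session_id):
    """Bind a fresh nonce to the session with an HMAC so another site cannot forge it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf(session_id, token):
    """Accept only a token whose MAC matches this session, compared in constant time."""
    try:
        nonce, mac = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    con = make_db()
    injected = "x' OR '1'='1"
    print(find_user_vulnerable(con, injected))  # every user: the filter is bypassed
    print(find_user_safe(con, injected))        # nobody: the input is just a name
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    tok = csrf_token("sess-123")
    print(verify_csrf("sess-123", tok), verify_csrf("sess-999", tok))
```

The password format stores its own parameters so the iteration count can be raised later without invalidating existing hashes, and the CSRF token is tied to the session rather than being a bare random value, so a token stolen from one session is useless in another.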
A Final Thought
After an assessment of 7 million iOS and Android apps, U.S. firm FireEye found that more than five billion downloaded Android apps are vulnerable to cyber attacks and malware on account of security vulnerabilities in the Android OS.
“We reviewed popular apps (those with more than 50,000 downloads) to assess their exposure to the JBOH attack. Nearly a third, 31 percent, were vulnerable… Of these JBOH-vulnerable apps, 18 percent fell into categories with potentially sensitive data: finance, medical, communication, shopping, health, and productivity,” states the FireEye Mobile Threat Report.
As more security firms are finding out just how vulnerable apps are, customers are growing more determined to ensure their data is secure.
For app developers to continue offering a positive customer experience, they’ll need to start taking app security seriously, or else face the risk of losing many customers and, inevitably, profits.