Mobile Application Security Taboos You Should Break

Rules are made to be broken, right? Maybe. Some mobile application security taboos are relics of a bygone era — or the product of mistaken security wisdom. Sound mobile application security is constantly changing in response to cultural shifts, emerging threats, and new technologies. So the rules you thought you knew might be the very rules you now need to break. Here are some mobile application security rules that no longer apply, at least in some cases.

Applications Are Either Secure or Not

Everyone in app development knows that applications must be secure. That’s true, of course, but there’s a corollary that’s not true: that applications are either secure or insecure. Security exists on a continuum, and there’s no such thing as an app that’s always, everywhere, permanently secure. Just ask companies that have invested millions in security and still been hacked.

That doesn’t mean you must resign yourself to insecure apps, of course. You must adopt every measure possible to secure your apps, because the price of failing to do so is exceedingly high. The problem lies with believing that security is a binary state. An app is either secure or not. The security of various apps ebbs and flows with cultural, political, economic, and user factors. The best mobile security protocols take these factors into account, adjusting as needed.

The Money You Save on Security Updates is Worth It

Every business has an obligation to maximize profits to its shareholders. But sometimes the taboo against spending money in the present ends up costing companies dearly in the future. Mobile security should not be a race to the bottom. Companies that spend the least on security stand to lose the most in the end.

Failing to secure your apps can yield massive costs, including:

• Attorney’s fees to defend yourself against lawsuits.
• Legal settlements.
• Lost reputation and a lost customer base.
• Public relations costs to regain your reputation after a breach.
• Regulatory fines and penalties, particularly if you work with governments.

The Best Security Protocols Are Highly Technical

There’s a myth that mobile app security has to be complicated. If you run a small business that contracts out app development, it’s easy to be taken in by jargon. The truth is that the best solutions are not necessarily the most complicated. What’s more, if a security solution requires a lot of user knowledge, it may backfire.

Here’s a case in point: two-factor authentication is quickly becoming the gold standard for apps that host highly sensitive data. Yet many users have neither the time nor the technical expertise to use or understand two-factor authentication. So they may choose a less secure app, or find ways to circumvent two-factor authentication.

What does all this mean? The best security solutions are those that cater to your least knowledgeable consumer. Otherwise you lose customers, or endanger customers who can’t adequately implement the security patches you advise.

There’s a secondary consideration here, too: some developers who contract with small businesses offer a lot of technical expertise, and even more jargon. Not all small business owners are highly knowledgeable about app development or the security it demands. This makes it hard to cut through the fat and determine whether you’re being offered a quality security solution. If you can’t understand what you’re being promised, odds are good it’s not what it appears to be.

Passwords Should Never Be Simple

Password rules are growing more and more complicated, and some have complicated themselves into ridiculousness. This makes it hard for users to remember their own passwords, and in some cases, to even come up with passwords that comply with increasingly complex rules.

So what do users do? They turn to password managers and written password logs. These pose their own security issues. They also create confusion and annoyance when users lose them.

It turns out all this annoyance is for naught. Complex passwords aren’t much safer, and long passwords may actually be the better option. If hackers are going to use a brute force attack to guess users’ passwords, then the more digits they have to guess, the better. And if they’re going to try to guess passwords built around familiar words, then strings of familiar words are safer. This all points to a simple, yet effective, violation of common wisdom: Don’t make users construct long passwords that follow fanciful rules. Ask them to use long passwords.

A few other simple rules offer further protection:

• Make password questions easy to answer, but hard to guess. A mother’s maiden name or a child’s birthday are easy to find out. Asking a user their age at their first kiss or what animal they’re afraid of makes guessing a lot harder. Construct some novel password retrieval questions, then let users select among them.
• Require users to periodically change their passwords. This is the best way to ensure that an attack on another site doesn’t end up affecting user accounts on your site.
• Discourage users from saving their passwords on their devices. They’ll be less tempted to do so if they’re not forced to remember complicated nonsense passwords every time they log in.

More Authentication is Always Better

Apps often require users logging in on a new device to verify the device. Or if users are logged in on their laptop and then try to login on their mobile device, they might have to prove their identities. These ideas are great in theory, but they violate a simple rule of device security: the least sophisticated user must be able to easily follow the security protocols you require.

Sending a verification text to ensure a device hasn’t been stolen seems like a great idea — until you consider that, if the device is stolen, the thief will get the verification text anyway. But an older user or one who is unfamiliar with texting might be confused by the process. Arbitrary events that trigger the need for additional authentication don’t offer much in the way of additional security.

They do, however, frustrate users. Thieves and criminals can easily circumvent these protocols, but legitimate users who are not technologically savvy may struggle with them. That’s a bad outcome for everyone. Rather than constructing layers of authentication, focus on using established security protocols — good encryption, server-side security, minimal storage of sensitive data, regular security patches, etc.

You Must Trust Your Employees

In the popular imagination, hackers are computer geeks spending their lives behind a computer, desperately looking for their next chance to wreak havoc with users and the apps they love. That’s why it’s so important for an organization to hire a team of employees and contractors who know security inside out. After all, trusting your team is the only way to consistently expand security and implement new ways of protecting against emerging threats. Right?

Think again. Most security threats actually come from within a company. Some of the biggest security breaches began with a disgruntled employee or a contractor with nefarious intentions. And while we don’t want to encourage a culture of paranoia, it’s important to be realistic: trusting your employees too much is a recipe for security disaster.

Every organization is different, but a few simple rules can reduce the threat that employees pose:

• To the greatest extent possible, foster a collegial environment in which employees feel valued. Address complaints properly. Don’t allow bullying or abuse. Disgruntled employees do things they might otherwise never consider. So keep your organization safe by fostering a culture of loyalty in which employees feel like they matter.
• Don’t give employees more information or access than they need. At many organizations, information becomes a currency of power. Employees gain access to more information based not on their need to know it, but on their position in the company hierarchy. Yet what happens when these employees leave? What if they’re angry? Information begins to leak. Make permissions clear, and change them as your organization’s needs change. No one should have access to everything. Segmentation of information is your ally in the fight against employee-based hacks.
• Be careful with contractors. People with no loyalty to your organization have little reason not to share information. Know who your contractors are, and make them sign agreements that clarify their roles and duties.
• Disseminate clear rules for secure app development. One simple way that employees can get into trouble is by using open source code they find online. Enterprising hackers can implant malicious code in lines of quality code. Clear protocols for what code can be used and under what circumstances lowers the risk. If you’re not sufficiently knowledgeable to institute such protocols, hire a security team who can.

Secure Storage is Important

We’re not going to tell you secure storage is unimportant. The problem lies with thinking that any storage solution can be completely secure.

Today’s small businesses and app developers face a clear tension: information reigns supreme in an information era, but the more data you store, the more you put your users at risk. Most businesses try to resolve this tension by making their storage as secure as possible. That’s a bad tactic. The better strategy is to store only the information you absolutely need.

Consider also educating users about how you use their data. Urge them to routinely backup and delete data if doing so is appropriate for your app. For instance, a photo editing app could store thousands of photos. Consumers might think no one wants to see their photos, but hackers will take anything they can get their hands on. Urge users to backup their photos and regularly clear data from the app. Otherwise they’re effectively waving a flag to hackers.

There’s an All-in-One Solution

The National Security Agency (NSA) is the keeper of the United States’ most closely held secrets. The agency is so secretive that agents used to deny that it even existed. So when word came that the agency had been hacked, it sent shock waves through the security industry. After all, if the NSA could be hacked, who couldn’t?

An investigation quickly revealed that a popular Russian anti-virus program was the culprit. Using a simple man in the middle attack, Russian spies were able to access some of the most sensitive data the NSA wanted to protect.

There’s a lesson here: no single solution can offer full protection to your mobile applications. You should not trust anyone who tells you otherwise. Anti-virus programs are routinely hacked. Even the best cloud storage can be compromised with enough effort. And no password is absolutely bulletproof, particularly not without two-factor authentication.

While we’re at it, let’s dispense with some other myths:

• The next big thing that promises absolute security can’t deliver on that promise.
• No program is completely secure.
• There’s no such thing as 100% security. Security is an evolving science.

The problem with all-in-one solutions isn’t the solutions themselves. It’s that they inspire too much trust, too much complacency. If you’re pinning your hopes on a single anti-virus platform or firewall, you’ll probably make costly security errors that put users at risk.

At AppSolid, we do things differently. We don’t promise that a single protocol will protect users. Instead, we monitor for emerging threats and take proactive steps to protect against them. That’s the only way to do things. There’s no such thing as set-it-and-forget-it mobile security. Don’t believe anyone who tells you otherwise.

Users Hate Being Forced to Do Things

This one’s actually true. App users consistently report that they hate password rules, hate apps that lock them out when they don’t install updates, and despise being forced to back up and clear their data. Here’s the thing: they hate being hacked even more. Sometimes you have to do something consumers don’t like to get them to protect themselves. That means requiring them to follow simple password rules and making it easy to install security patches.

Of course, you can make the process less painful by incentivizing the behavior you want. A little psychological knowledge goes a long way. Have a security patch you need users to install. Pair it with a new feature everyone wants. Users get the patch and the feature, and everyone is happy. The more you can make security measures seem like something good for the consumer, the more inclined users are to go along with it. But when doing so is impossible, you have to take a gamble and force users to follow some simple security rules.

Those rules vary with the market, and from industry to industry. You still must identify them and urge users to follow them. Otherwise you could be stuck paying the price.

Overwhelmed by the challenges of implementing sound app security? Let AppSolid educate you about today’s emerging threats, and offer you simple, elegant solutions that lower your exposure and protect your users. We’re industry leaders who innovate, stay ahead of the curve, and consistently deliver more than we promise.