Rules are made to be broken, right? Maybe. Some mobile application security taboos are relics of a bygone era — or the product of mistaken security wisdom. Sound mobile application security is constantly changing in response to cultural shifts, emerging threats, and new technologies. So the rules you thought you knew might be the very rules you now need to break. Here are some mobile application security rules that no longer apply, at least in some cases.
Everyone in app development knows that applications must be secure. That’s true, of course, but there’s a corollary that’s not true: that applications are either secure or insecure. Security exists on a continuum, and there’s no such thing as an app that’s always, everywhere, permanently secure. Just ask companies that have invested millions in security and still been hacked.
That doesn’t mean you must resign yourself to insecure apps, of course. You must adopt every measure possible to secure your apps, because the price of failing to do so is exceedingly high. The problem lies with believing that security is a binary state, that an app is either secure or not. The security of any given app ebbs and flows with cultural, political, economic, and user factors. The best mobile security protocols take these factors into account, adjusting as needed.
Every business has an obligation to maximize profits to its shareholders. But sometimes the taboo against spending money in the present ends up costing companies dearly in the future. Mobile security should not be a race to the bottom. Companies that spend the least on security stand to lose the most in the end.
Failing to secure your apps can yield massive costs, including:
There’s a myth that mobile app security has to be complicated. If you run a small business that contracts out app development, it’s easy to be taken in by jargon. The truth is that the best solutions are not necessarily the most complicated. What’s more, if a security solution requires a lot of user knowledge, it may backfire.
Here’s a case in point: two-factor authentication is quickly becoming the gold standard for apps that host highly sensitive data. Yet many users have neither the time nor the technical expertise to use or understand two-factor authentication. So they may choose a less secure app, or find ways to circumvent two-factor authentication.
What does all this mean? The best security solutions are those that cater to your least knowledgeable consumer. Otherwise you lose customers, or endanger customers who can’t adequately implement the security patches you advise.
There’s a secondary consideration here, too: some developers who contract with small businesses offer a lot of technical expertise, and even more jargon. Not all small business owners are highly knowledgeable about app development or the security it demands. This makes it hard to cut through the fat and determine whether you’re being offered a quality security solution. If you can’t understand what you’re being promised, odds are good it’s not what it appears to be.
Password rules are growing more and more complicated, and some have complicated themselves into ridiculousness. This makes it hard for users to remember their own passwords, and in some cases, to even come up with passwords that comply with increasingly complex rules.
So what do users do? They turn to password managers and written password logs. These pose their own security issues. They also create confusion and annoyance when users lose them.
It turns out all this annoyance is for naught. Complex passwords aren’t much safer, and long passwords may actually be the better option. If hackers are going to use a brute force attack to guess users’ passwords, then the more characters they have to guess, the better. And if they’re going to try to guess passwords built around familiar words, then strings of familiar words are safer. This all points to a simple, yet effective, violation of common wisdom: Don’t make users construct passwords that follow fanciful rules. Ask them to use long passwords.
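To make the length-versus-complexity argument concrete, here is an added example (not code from the original post) that puts a typical composition-rule policy beside a length-first policy and estimates the guess space each sample password leaves a brute-force attacker. It assumes a 95-character printable ASCII alphabet and a 7,776-word passphrase list; the sample passwords are constructed for illustration.

```python
import math

# Constructed sample passwords (not from the original post).
COMPLEX_SHORT = "Tr0ub4d&"                      # 8 chars, satisfies every composition rule
LONG_PLAIN = "correct horse battery staple"     # 28 chars, lowercase words and spaces

# Assumed alphabet sizes: 26 lower, 26 upper, 10 digits, 33 other printable ASCII (incl. space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def char_classes(pw: str) -> set:
    """Return the set of character classes actually present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def complexity_policy(pw: str) -> bool:
    """The 'fanciful' rule set: at least 8 chars and one of every class."""
    return len(pw) >= 8 and char_classes(pw) == set(CLASS_SIZES)


def length_policy(pw: str, minimum: int = 16) -> bool:
    """Length-first rule: only a minimum length is required."""
    return len(pw) >= minimum


def brute_force_bits(pw: str) -> float:
    """Log2 of the guesses an attacker needs if they know which classes the password uses.

    Guess space = alphabet_size ** length, so bits grow linearly with length."""
    alphabet = sum(CLASS_SIZES[k] for k in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def wordlist_bits(words: int, dictionary_size: int = 7776) -> float:
    """Log2 of the guesses needed against a passphrase of `words` words drawn from a known list."""
    return words * math.log2(dictionary_size)
```

A five-word passphrase drawn from a known word list already exceeds the guess space of the eight-character password that satisfies every composition rule, and the plain 28-character phrase is far beyond either.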
A few other simple rules offer further protection:
Sending a verification text to ensure a device hasn’t been stolen seems like a great idea, until you consider that, if the device is stolen, the thief will get the verification text anyway. Meanwhile, an older user or one who is unfamiliar with texting might be confused by the process. Arbitrary events that trigger the need for additional authentication don’t offer much in the way of additional security.
They do, however, frustrate users. Thieves and criminals can easily circumvent these protocols, but legitimate users who are not technologically savvy may struggle with them. That’s a bad outcome for everyone. Rather than constructing layers of authentication, focus on using established security protocols — good encryption, server-side security, minimal storage of sensitive data, regular security patches, etc.
In the popular imagination, hackers are computer geeks spending their lives behind a computer, desperately looking for their next chance to wreak havoc with users and the apps they love. That’s why it’s so important for an organization to hire a team of employees and contractors who know security inside out. After all, trusting your team is the only way to consistently expand security and implement new ways of protecting against emerging threats. Right?
Think again. Most security threats actually come from within a company. Some of the biggest security breaches began with a disgruntled employee or a contractor with nefarious intentions. And while we don’t want to encourage a culture of paranoia, it’s important to be realistic: trusting your employees too much is a recipe for security disaster.
Every organization is different, but a few simple rules can reduce the threat that employees pose:
We’re not going to tell you secure storage is unimportant. The problem lies with thinking that any storage solution can be completely secure.
Today’s small businesses and app developers face a clear tension: information reigns supreme in an information era, but the more data you store, the more you put your users at risk. Most businesses try to resolve this tension by making their storage as secure as possible. That’s a bad tactic. The better strategy is to store only the information you absolutely need.
Consider also educating users about how you use their data. Urge them to routinely back up and delete data if doing so is appropriate for your app. For instance, a photo editing app could store thousands of photos. Consumers might think no one wants to see their photos, but hackers will take anything they can get their hands on. Urge users to back up their photos and regularly clear data from the app. Otherwise they’re effectively waving a flag to hackers.
The National Security Agency (NSA) is the keeper of the United States’ most closely held secrets. The agency is so secretive that agents used to deny that it even existed. So when word came that the agency had been hacked, it sent shock waves through the security industry. After all, if the NSA could be hacked, who couldn’t?
An investigation quickly revealed that a popular Russian anti-virus program was the culprit. Using a simple man-in-the-middle attack, Russian spies were able to access some of the most sensitive data the NSA wanted to protect.
There’s a lesson here: no single solution can offer full protection to your mobile applications. You should not trust anyone who tells you otherwise. Anti-virus programs are routinely hacked. Even the best cloud storage can be compromised with enough effort. And no password is absolutely bulletproof, particularly not without two-factor authentication.
While we’re at it, let’s dispense with some other myths:
The problem with all-in-one solutions isn’t the solutions themselves. It’s that they inspire too much trust, too much complacency. If you’re pinning your hopes on a single anti-virus platform or firewall, you’ll probably make costly security errors that put users at risk.
At AppSolid, we do things differently. We don’t promise that a single protocol will protect users. Instead, we monitor for emerging threats and take proactive steps to protect against them. That’s the only way to do things. There’s no such thing as set-it-and-forget-it mobile security. Don’t believe anyone who tells you otherwise.
This one’s actually true. App users consistently report that they hate password rules, hate apps that lock them out when they don’t install updates, and despise being forced to back up and clear their data. Here’s the thing: they hate being hacked even more. Sometimes you have to do something consumers don’t like to get them to protect themselves. That means requiring them to follow simple password rules and making it easy to install security patches.
Of course, you can make the process less painful by incentivizing the behavior you want. A little psychological knowledge goes a long way. Have a security patch you need users to install? Pair it with a new feature everyone wants. Users get the patch and the feature, and everyone is happy. The more you can make security measures seem like something good for the consumer, the more inclined users are to go along with them. But when doing so is impossible, you have to take a gamble and force users to follow some simple security rules.
Those rules vary with the market, and from industry to industry. You still must identify them and urge users to follow them. Otherwise you could be stuck paying the price.
Overwhelmed by the challenges of implementing sound app security? Let AppSolid educate you about today’s emerging threats, and offer you simple, elegant solutions that lower your exposure and protect your users. We’re industry leaders who innovate, stay ahead of the curve, and consistently deliver more than we promise.