98% of mobile apps aren’t secured against hacking threats. 75% fail even the most basic security tests, and 96% can easily be reverse engineered. Let that sink in for a moment. That means that almost all of the apps on the market today directly threaten the financial, emotional, and even physical well-being of their users. For app developers, this presents a dire warning: secure your apps now, or place your customers in danger, thereby losing their business and your reputation.
AppSolid offers an antidote to this increasingly threatening mobile app landscape. We provide binary protection — the most secure offering in the industry. Don’t leave security to chance. Here are the hidden risks of hacking you need to know.
Insecure Data Storage
Virtually all apps house a variety of sensitive consumer data — from credit cards and health data to passwords and bank account details. This data should be guarded like it’s cash or a high-value piece of art. But all too often, app developers require consumers to disclose and save a veritable cornucopia of data, then fail to hold up their end of the data protection bargain. Consumers should be required to use a password to access sensitive data, and must re-enter that password each time they re-access the data. Anything less leaves data unsecured.
Weak or No Encryption
Mobile apps’ ability to accept data from a range of sources makes them uniquely vulnerable. Apps that do not encrypt data, or that only do so very weakly, make their customers, the platforms on which the apps reside, and their businesses vulnerable to hacking attempts. Starbucks unfortunately was one victim, acknowledging that in 2015, criminals broke into individual customer rewards accounts. Encryption might have prevented this disaster.
Hosting Security Holes
Mobile apps on consumer devices are just one portion of the hacking equation. The servers that host your app data are also a target. The servers upon which you created your app need sufficient controls to protect your app’s data. Hosting level data should only be accessible to authorized personnel such as employees. Otherwise your app is vulnerable even before it lands on a consumer device.
The advent of easy outsourcing sites means that many mobile app developers are outsourcing portions of development to the lowest bidder. Others repurpose code they find online. There’s nothing inherently wrong with either practice, but both warrant a healthy dose of caution. Outsourcing development can put your app in the hands of inexperienced developers, as well as malicious actors who insert malicious code. Inexperienced developers may inadvertently create insecure apps, and some may even share code with third parties.
Using code you find online is equally risky, since hackers routinely insert malicious code into instructions online. Even if the code is not deliberately compromised, you have no guarantee of its quality. Proceed with caution when any portion of your app is developed by someone other than you or your staff.
No matter how secure your app is, there’s one security hole you might not be able to protect against: behavioral engineering. This strategy involves hackers tricking consumers into providing sensitive data by claiming to be a relative, a foreign dignitary wanting to send money, or even a customer service representative. Providing information about known behavioral engineering schemes can provide some protection. Ensure also that you do not have public lists of customers, since this makes it easier for hackers to select targets. And, of course, by only requiring consumers to provide information that is absolutely vital, you reduce the damage that a behavioral engineering-based hack can cause.
Android-based applications run on the client side, which means that the app code is accessible on the user’s device. This makes Android apps inherently less secure, particularly when they employ inadequate security protections. Injection attacks pose a powerful threat, particularly if more than a single user account is located on the same device.
Session Handling Issues
Perpetual sessions are inherently risky. If a consumer’s device is stolen, the thief can easily see data entered into the app or on your website. The dangers of improper session handling don’t even require a device theft. A consumer who leaves her phone at a restaurant may leak data to a nosy restaurant owner. A child may even log onto his parent’s device and access sensitive information, initiate bank account transfers, or gain access to credit card numbers.
Your device should automatically end sessions after a specific period of inactivity — usually 10 minutes. This is particularly important if you handle sensitive financial data.
The Inability to Wipe Data
When a device is stolen, it’s wide open to hackers and other criminals — unless a consumer can wipe the data from an app or device. Consider allowing your users the option to virtually remove data from your app in the event of a theft.
Broken or Outdated Cryptography
Cryptography, like any other science, is constantly evolving. The strategy that worked last week, last month, or last year may not be effective today. Ensure that you are using stable cryptography that hasn’t been broken.