Think your mobile application is secure because users must use a password, or because you use some encryption? Think again. Mobile application security is constantly evolving. This makes it a complex undertaking demanding ongoing attention. It’s not something you can just set and forget.
A partnership with the right security firm, however, can save you time and money. Whether you do it yourself, hire a service like AppSolid, or do some combination of the two, here’s what you need to know to secure your mobile app.
Understand Why Mobile App Security is So Important
Small businesses have a million and one things on their plate. The last thing many of them want to do is manage complex security issues. We understand that security issues can be time-consuming and expensive. It’s easy to implement some basic security measures, and then assume it’s all taken care of.
Don’t do this. You might think that security issues won’t affect your business, and that savvy consumers will take proactive measures to protect themselves no matter what you do. But leaving it up to the customer is a dangerous game -- one that can endanger your business, your reputation, and your livelihood.
Understanding how mobile application threats can directly affect your business may motivate you to make sound security decisions. Consider the following:
- Even the hint of a mobile breach can give rise to litigation. Customers may sue your business or developers to recover what they’ve lost. Even if the breach is not your fault, you could shell out hundreds of thousands of dollars in attorney’s fees before it’s all over.
- If a mobile breach is your fault, a court could find you legally responsible. This could subject you to even more attorney’s fees, court costs, and of course large lawsuit awards.
- The marketplace is increasingly competitive. Consumers know that mobile application security is important. So they choose businesses that offer the best security—or, at least, that appear to. This means that a single breach can undermine your reputation and give your competitors an edge, even if the breach is not your fault.
- Consider how much you spend on marketing. Consider how much more you’ll have to spend if your business faces a crisis due to a mobile breach. All that money you’ve spent building a sound reputation will be wasted.
- It’s not just customers at risk from mobile application threats. Competitors may target your intellectual property to edge you out of the market. Criminals may target your business accounts and other valuable data. If you don’t secure your application, you could become a target.
- Depending on where you do business and the nature of a mobile application breach, you could be subject to government or other regulatory actions if your failure to secure your mobile application puts customers at risk.
Concerned yet? You should be.
Recognize the Extensive Nature of the Threat
To properly secure your mobile application, you must first understand what the threat is -- and where it is. After all, if you don’t think you’re vulnerable, you have little reason to get serious about security.
- Someone steals a laptop every 53 seconds.
- Nearly three-quarters of security incidents come from former employees, yet a third of businesses have no written security policy.
- Just 34% of companies are prepared to respond to a mobile security crisis.
- Twenty-five percent of mobile devices are attacked each month.
- 75% of mobile apps fail even a basic security test. Would yours pass?
- What about binary protection? Have you even considered it, let alone implemented it? It’s the gold standard for securing mobile apps, but just 3% of apps use it.
Are you ready to get serious about mobile security? Here’s how to get started.
Collect the Right Information, the Right Way
Many apps collect and store far more information than is reasonably necessary to function. Do you really need a user’s address, phone number, and credit card number? And are you prepared to secure this vital information? If not, then you shouldn’t collect it. Your cardinal rule for structuring your app should be that you only collect the data you need for the app to run smoothly. And the more sensitive that data is, the more steps you need to take to secure it.
In almost all cases, data is less secure when it’s stored on the device. This creates a challenge for developers, since the nature of mobile apps requires more data to be stored on the device. Thus the less data your app uses and requires from customers, the more secure it is.
The most sensitive data should not be stored on the app. This includes things like stored passwords, private health information, and credit card information.
Encrypt Your Data
Everyone knows that encryption often means the difference between strong security and almost no security at all.
The following encryption strategies can put your app out of the reach of criminals:
- Pick current, well-supported encryption algorithms that are regularly tweaked.
- Encrypt your database.
- Practice file-level encryption for data stored on mobile devices.
- Prioritize encryption key management.
One relatively easy encryption method is containerization, which creates secure “containers” for code and data.
Do your homework before outsourcing encryption. Use only well-known and widely respected security experts or encryption programs. Otherwise something that appears to be encrypted could actually become the source of a mobile breach. Remember that criminals can pass themselves off as security experts, then use your trust to worm their way into your products.
Protect Against User Error
Criminals don’t actually have to be “hackers” to gain access to sensitive customer data. They just have to be clever. Most people are more trusting than they realize. That’s a good thing for social relationships, but a horrible thing for mobile app security. Behavioral engineering -- manipulating consumers into behaviors that undermine their own security -- is one of the easiest ways to access a device.
Some simple behavioral engineering techniques include:
- Manipulating a consumer to give up her password by claiming to be a customer service representative, pretending to be a friend helping secure the device, or pretending to be a law enforcement officer.
- Gaining physical access to a customer’s device. Many people will willingly hand over their phones to a stranger to show off photos of grandkids or pets. Some will even give away their passwords to help a random person access a program.
- Tricking a consumer into giving up information that might make it easier to guess their password. For example, a friend might use a trivia game as a clever ruse to learn a consumer’s mother’s maiden name, the street the consumer grew up on, and the name of her first pet. Suddenly it’s possible to reset her password by easily answering security questions.
It’s not possible to completely protect against behavioral engineering, since much of it depends on consumer behavior. But a few strategies can reduce the impact of behavioral engineering.
- Educating consumers about the importance of mobile security by explaining to them what can be done with the information they give you. Consider putting a disclaimer on the login page, for example.
- Encrypting data, and storing as little data as possible on the device.
- Only contacting consumers with requests that require their password when absolutely necessary. Provide clear information about when a consumer might be asked to disclose this data.
- Encouraging consumers to frequently change their passwords.
Protect Against Known and Emerging Threats
Hackers are smart. Many of them were once security experts. So don’t think you can address every security threat once, and then forget about it. Criminals will continually try to break through the barriers you create. If you don’t stay one step ahead, you’re bound to find yourself in a security disaster sooner or later.
Some of the new threats developers need to be mindful of include:
- More sophisticated spyware. It’s no longer just criminals trying to gain access to corporate secrets. Some governments want to do it, too. One of the easiest ways to compromise an organization is to install spyware on a mobile device going into that business. These programs run silently, without affecting the device’s behavior, allowing them to leak information for months -- and sometimes years.
- Mobile botnets. Hackers now turn groups of devices into so-called botnets. They can remotely control these devices without undermining their function. In one case, these botnets generated fraudulent advertising revenue, without customers realizing they were participants.
- Dangerous ads. Everyone wants to buy something. More sophisticated algorithms allow advertisers to better guess which products a consumer might be interested in. But criminals want in on the act, too. They can create fake ads for apparently real products, then use those clicks to infect devices or apps.
- Internet of Things malware. This is still in its infancy, but is growing in leaps and bounds. Mobile apps that work with IoT devices may become the testing ground for this emerging threat.
- Zombie apps. If you’re no longer using an app, remove it from the app store, and let users know the app is no longer compatible. Otherwise hackers can turn these dead apps into living zombies that access sensitive user data. Remember to routinely ask employees to remove dead apps from their own phones, too, since these apps can access information about your enterprise.
Security updates save businesses, data, and devices. You must be prompt with devising patches for security holes. And when you don’t have a solution, you absolutely must disable the app or the problematic portion of the app until you can fix the problem. Sure, this means less money and more wasted time. But would you rather spend a few weeks patching a hole, or a few years in litigation over a security issue?
Remember that frequent updates are worthless if consumers don’t install them. So make updates only when necessary, and ensure they don’t fundamentally alter the program without warning. Then require consumers to install the updates to continue using the app.
Be Careful With Contractors
Contractors can be a boon to your business. You don't have to manage employees or worry about hours. Just give a project assignment, wait for it to come back, and then watch the money roll in. Right? Maybe. But as with most things in life, it’s a bit more complicated than that.
We already know that most security leaks come from disgruntled employees. Contractors have even less loyalty to your business. This doesn’t mean you should avoid using them, but you must take precautions when you do.
Some simple strategies include:
- Working with a lawyer to create enforceable NDAs and other protective agreements.
- Forming long-term relationships with contractors, rather than hiring a different contractor for each project.
- Working with established companies instead of individuals. Make sure to check the company’s reputation.
- Carefully vetting each contractor by asking for references.
- Having in-house security check your contractors’ code for hidden bugs and malware.
- Paying contractors fairly and treating them well. Low-paid contractors have little incentive not to seek other money-making opportunities. If a contractor accepts less than the going rate, consider that their motivation might be something other than helping you build an app.
Check Your Code
It’s easy to lift code off of message boards and websites, or to recycle code from old projects. This time-saving strategy can help you rush an app to completion. It can also damage your app before it even gets to the consumer. Criminals often release free code infected with subtle issues such as malware or spyware.
So when you lift code from another source, you need to check each line. Otherwise you could be implanting issues into the code that very few security measures will prevent.
Protect Your Servers
Information you store on your server is generally more secure and harder for hackers to reach. So consider storing as much server-side as you can. But don’t think your servers are immune. Server-side hacks can make your entire company vulnerable, releasing corporate secrets and fundamentally undermining consumer security. Lock your servers up like a fortress. You should also limit who can access them. Change keys and passwords when employees leave, and ensure you’re aware of common server attacks and how to prevent them.
Consider Two-Factor Authentication
Two-factor authentication is the gold standard in security. It’s an absolute must for financial and other sensitive apps. Consider also implementing it on any devices employees use that contain sensitive company information -- particularly those that contain details about apps in development. Remember that hackers can steal data in many ways, including by accessing it on company devices.
Work With a Trusted Security Partner
The reality is that most small businesses simply don’t have the bandwidth to manage mobile security all on their own. They need to outsource encryption and coding, and their problems begin here. The more you outsource, the more you open yourself up to problems at the development level. If you must outsource, then working with a security firm you can trust -- rather than trying to manage it all yourself -- becomes even more important.
AppSolid can help you secure your mobile apps without a lot of work or expense. We’ll help you find and fix security holes, and leave you to do what you do best -- run a business offering apps that make consumers’ lives better and easier, without leaking data.