Top 3 New Year Security Resolutions for Mobile App Development
by Mary Min
We’re already a week into the New Year, but if you’re like me, there’s still time to start putting your 2016 resolutions into regular practice. Along with hitting the gym and staying in touch with your loved ones a bit more, here are three practices we strongly recommend mobile app developers start doing this year:
Regularly Conduct a Thorough Code Audit/Review
In the rush to ship an app, we write a lot of spaghetti code and temporary band-aids just to get the darned thing to work. In doing so, we increase the chance that the product ships with code that just shouldn’t be there: temporary code, test code, hard-coded values, and so on. Finding and removing all of it can be a daunting task, and you definitely don’t want to let thousands of lines of bad code accumulate. That pretty much ensures an audit/review will stay on your “to do” list for the rest of the year. Instead, resolve to block off some time every day or week to review and clean up your code base; that way, it’ll be far easier to manage.
While you’re at it, another important, related task is to make sure your code is up to the latest requirements from Google Play and Apple’s app store. Apple’s IPv6 support requirement has gone into full effect, and the iOS developer community is already reporting that apps have been rejected for not having IPv6 support, or for having IP addresses hard coded into the source code. Android policies and requirements also change from time to time, so avoid having your app removed from the Play store by making sure your app is fully compliant.
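A small audit helper of the kind the two paragraphs above call for, added here as an example for this post (it is not SEWORKS or AppSolid code). It scans source text for three things that should not ship: hard-coded IPv4 literals (the kind that now gets an iOS app rejected), leftover TODO/FIXME/HACK markers, and string literals assigned to names that look like credentials. The sample “source file” is constructed, and which patterns count as “code that shouldn’t be there” is an assumption; treat the output as a triage list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample standing in for a real Swift source file (not real code).
SAMPLE_SOURCE = """\
// NetworkClient.swift
let apiHost = "10.0.0.12"
let build = "2.0.1"
let apiKey = "sk_live_ABC123"
// TODO: remove before release
let fallback = "https://198.51.100.7/api"
let notAnAddress = "999.1.1.1"
"""

# One dotted-decimal octet, 0-255 only, so "999.1.1.1" is not an address.
IPV4_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# Four octets that are not part of a longer dotted or alphanumeric token.
# Dotted four-part version strings would still be reported; triage those by hand.
IPV4_RE = re.compile(r"(?<![\w.])" + IPV4_OCTET + r"(?:\." + IPV4_OCTET + r"){3}(?![\w.])")
MARKER_RE = re.compile(r"\b(TODO|FIXME|HACK|XXX)\b")
# Assumed naming convention for credential-like assignments: name = "literal".
SECRET_RE = re.compile(
    r'\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*["\'][^"\']+["\']', re.I
)


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the scanned text
    kind: str   # "ipv4-literal", "temp-code-marker" or "hardcoded-secret"
    text: str   # the matched address, the marker line, or the variable name


def scan_source(source: str) -> List[Finding]:
    """Return every suspicious item found in `source`, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in IPV4_RE.finditer(line):
            findings.append(Finding(lineno, "ipv4-literal", m.group(0)))
        if MARKER_RE.search(line):
            findings.append(Finding(lineno, "temp-code-marker", line.strip()))
        m = SECRET_RE.search(line)
        if m:
            findings.append(Finding(lineno, "hardcoded-secret", m.group(1)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for a weekly clean-up report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.kind:<18} {f.text}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Run it over a real tree with `scan_source(open(path).read())` per file; anything it reports is a candidate for the weekly clean-up slot, and the IPv4 hits are exactly what to replace with hostnames before the next App Store submission.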
Check for Unauthorized Versions of Your App
Get in the habit of regularly Googling “[name of your app] + crack, [name of your app] + hack” and other variations of that query. If you have a paid app, search “[name of your app] + free”; if it’s free and ad-supported, Google “[name of your app] + ad free”. The results will sometimes surprise you, displaying unauthorized versions of your app in other marketplaces. Just last month, a Unity developer reported trouble with an infringing copy of his game on the Amazon app store. Ironically, Amazon reviews app submissions before allowing them into the store, yet failed to catch that someone other than the original creator posted a copycat app — but that happens often.
If you do find unauthorized versions of your app, take the time to communicate to the app stores and request a takedown. Sometimes invoking the Digital Millennium Copyright Act gets their attention and produces results; other times, you may find yourself in a long and frustrating struggle. (I covered such a case in a Gamasutra post last year, along with advice on dealing with stubborn infringers.)
Which takes me to my next and final resolution:
Review security measures around your app — not just the app itself
Many developers only worry about the security of their app client, but that’s only the start. Let’s make 2016 the year of full spectrum security. Start by answering these questions:
- Are you using secure communication methods? Attackers can sniff packets or mount man-in-the-middle attacks on unencrypted channels. If you’re not using TLS (what most of us still call SSL), implement it as soon as possible, and make sure the client actually validates the server certificate and hostname: a TLS connection that accepts any certificate gives you no protection against a man in the middle.
- How secure is your server? The server is your Fort Knox, where your most valuable data is stored. But what measures have you placed around it? Recent server-side breaches at Anthem, LastPass, and Time Warner Cable all originated from data stored on servers. Do a thorough evaluation and beef up server security where needed.
- How are you writing and storing data? Last November, Touchnote suffered a data breach in which sensitive user information was leaked. It’s critical to make sure you are storing data in encrypted form, and that all sensitive data is sent to the server over a secure channel.
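To make the first question above concrete, here is an added example (not code from this post, SEWORKS, or AppSolid) using Python’s standard `ssl` module. `make_client_context(insecure=True)` reproduces the shortcut many mobile clients take during development, accepting any certificate, and `audit_context` is a small check that flags that shortcut so it never ships. The function names and the three checks are my own choices; the same settings exist, under other names, in the iOS and Android networking stacks.

```python
import socket
import ssl
from typing import List, Optional


def make_client_context(insecure: bool = False) -> ssl.SSLContext:
    """Build a client-side TLS context.

    insecure=True mimics the "trust everything" configuration that is often
    left in place after testing against a self-signed dev server.
    """
    # create_default_context() loads the system trust store and enables
    # CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if insecure:
        # check_hostname must be disabled before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of reasons the context would not stop a MITM; empty means OK."""
    problems: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy protocol versions allowed (minimum_version below TLS 1.2)")
    return problems


def peer_subject(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Connect with a hardened context and return the server certificate's subject.

    Network helper for manual use; refuses to run with a context that fails the audit.
    """
    ctx = make_client_context()
    if audit_context(ctx):
        raise RuntimeError("refusing to connect with a weak TLS context")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return dict(x[0] for x in cert.get("subject", ())) if cert else None


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no problems")
    print("insecure:", audit_context(make_client_context(insecure=True)))
```

The audit is cheap enough to run in a unit test, which is where it belongs: a test that asserts `audit_context(your_context) == []` turns the “we disabled certificate checks to talk to staging” shortcut into a build failure instead of a shipped vulnerability.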
To be sure, security starts with your client app, and we regularly hear about mobile apps from major companies being compromised. (Avast found a vulnerability in a major retailer’s app just last month.) We of course recommend taking a look at AppSolid, our own app security solution.
In any case, have a happy and secure new year. And don’t forget to call your mother more.
Mary Min is head of global business development at SEWORKS.