Mobile app development: security matters, not just customer experience
2018 will mark the 10-year anniversary for both the Apple App Store and Android Market. It’s only 10 years and yet the impact that mobile applications have had on our lives has been so strong that it made us forget “how we lived before”.
There are millions of apps in circulation across the stores, from consumer to business, and their success is almost always due to the mix of ease of use, effective functionality and a great customer experience. In the consumer world, the broader the audience an app can reach, the more consistent its success, measured not so much in popularity as in profit. In the professional/business world, the more reliable and effective an app is for the specific needs of the people who use it at work, the more widely it will succeed against the competition.
But there is an important aspect that deeply affects both consumer and business apps, and that is security. So-called “mobile security” (meaning security by design of applications developed for mobile devices) is a critical element in the success of an app, to the point of shaping the customer experience, which must not only be increasingly immersive but must also guarantee security on several fronts.
A market that shows no sign of slowing down (but which is the target of attacks)
According to App Annie, at the end of 2017 the App Store and Google Play had respectively over 2 million and over 3.5 million apps available, with between 50,000 and 100,000 new apps launched each month. Such high numbers are explained by the fact that, according to the reports, in all mature markets users spend an average of two hours a day, one month per year, using smartphone apps.
In 2015 the global turnover of the app market amounted to $69.7 billion. Statista predicts that by 2020 it will rise to $188.9 billion, counting store revenues and in-app advertising. A market, then, that promises to keep growing, and decisively.
Alongside these very encouraging numbers for those who develop apps, there is a point of view that should not be underestimated: the growth of cyber threats targeting mobile applications.
According to the latest McAfee Mobile Threat Report, breaches are growing steadily in proportion to the high volume of app downloads and use, which makes apps a convenient “catchment area” for spreading new cyber threats.
In the last quarter of 2017 alone, McAfee Labs identified and analysed over 16 million mobile malware samples, almost double the previous year. At the beginning of 2018 the company had classified over 4 thousand families of threats specific to mobile apps (with thousands of possible variants), ranging from Trojans detected in mobile banking applications to clicker malware (fraudulent advertising, manipulated so that the app’s own developers earn more).
Apps for digital payments and health monitoring, but also instant messaging and voice assistants, to cite just a few examples, are the main vehicles for these threats, being “containers” of data of enormous value.
What would users say if a very useful and well-designed app, also from the point of view of user experience, were vulnerable to unauthorized access to and use of their data? Would the customer experience still be considered satisfactory? And what about the reputation of the brand and the trust customers place in it?
Security by design: why it becomes a pillar of app development
The security of an app should be a priority from the very earliest stages of development, from the moment you start studying the requirements and writing the first lines of code. That is why we talk more and more often about security by design.
Most so-called “security flaws” (the vulnerabilities through which malware can get a foothold inside apps) can be prevented by thinking, during development and before testing even starts, about the risks and the effects they can have on code, data and users.
The operating system, the application structure, the individual features, the libraries and the APIs (programming interfaces) are all factors to take into account. The challenge for developers is to find the right balance between security and user experience: if it is true that a secure app conveys trust to users, it is equally undeniable that strict security procedures, or ones that limit an application’s features and services, quickly become synonymous with a “bad experience”.
Tips: how to guarantee the security of apps
App security is not a feature or an advantage of one application over another. If we only consider the familiarity with which we use smartphones and digital services today, pouring a huge amount of personal (sometimes even vital) or business information into apps and through them, it is clear that security is an absolute necessity for any type of app. And it is the developers who face the first big challenge: designing applications and services that are intrinsically secure. But which aspects do they have to pay the most attention to?
Here are 5 points to keep in mind to ensure security in an app:
- write secure source code: bugs and vulnerabilities in the code are the starting point most attackers use to get into an application, trying to alter and tamper with it. It is therefore fundamental to start here, writing code that is difficult to interpret and defeat (for example by “obfuscating” it so that it cannot easily be decoded);
- encrypt all data: every single unit of data an app exchanges must be encrypted so that, even if it is stolen, there is no way to read and understand the information it contains;
- be cautious with libraries: the need to release apps ever faster has led developers to use development libraries produced by various companies and other developers; a very common practice that requires developers to take greater care in verifying and testing these libraries before building them into their app, to avoid importing vulnerabilities or even malware with them. As an example, the GNU C library had a security flaw that could allow attackers to remotely execute malicious code and bring down a system, a vulnerability that remained unknown for over seven years;
- use only trusted APIs: the same caution reserved for libraries must be extended to the use of programming interfaces. Think of APIs for building geolocation services: they help developers build the service much faster, but if they are not secure they become the tool through which sensitive user information can be accessed;
- add high-level authentication to the app: some of the biggest security breaches occur because of weak authentication, perhaps based on a simple ID and password (easily compromised by cyber-criminals); to make an app more secure, developers should introduce “strong” authentication, for example two-factor authentication (in addition to ID and password, a temporary code is required, sent in real time to the user’s mobile number).
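The last tip, as an added example that is not part of the original article: a minimal server-side login check that combines a salted PBKDF2 password hash with a short-lived one-time code of the kind delivered to the user. The code generation follows the RFC 6238 TOTP algorithm (which the article does not name); the in-memory user store, the lockout threshold, the work factor and the test secret are assumptions made for this example. It is written in Python with only the standard library so it runs anywhere, independent of the mobile platform.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# --- Factor 1: password, stored only as a salted PBKDF2 digest ---

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). The plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# --- Factor 2: time-based one-time code (RFC 6238, HMAC-SHA1, 30-second step) ---

TOTP_STEP = 30
TOTP_DIGITS = 6


def totp_code(secret: bytes, unix_time: int) -> str:
    """Derive the 6-digit code valid for the 30-second step containing unix_time."""
    counter = unix_time // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` adjacent steps to tolerate clock drift."""
    if len(submitted) != TOTP_DIGITS:
        return False
    for drift in range(-window, window + 1):
        candidate = totp_code(secret, unix_time + drift * TOTP_STEP)
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            return True
    return False


# --- Both factors together ---

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0


def enroll(password: str, totp_secret: bytes) -> UserRecord:
    salt, digest = hash_password(password)
    return UserRecord(salt, digest, totp_secret)


def login(users: dict, username: str, password: str, code: str, unix_time: int) -> bool:
    """Return True only when the password, the one-time code and the account state all check out."""
    record = users.get(username)
    if record is None:
        # Spend the same hashing effort for unknown users so timing does not reveal valid IDs.
        hash_password(password, b"\x00" * 16)
        return False
    locked = record.failed_attempts >= MAX_FAILED_ATTEMPTS
    # Evaluate both factors every time (no short-circuit) so the failure response is uniform.
    ok_password = verify_password(password, record.salt, record.password_hash)
    ok_code = verify_totp(record.totp_secret, code, unix_time)
    if ok_password and ok_code and not locked:
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, and unix time 59 yields code 287082 (RFC test vector).
    store = {"alice": enroll("correct horse battery staple", b"12345678901234567890")}
    print("login ok:", login(store, "alice", "correct horse battery staple", "287082", 59))
    print("wrong code:", login(store, "alice", "correct horse battery staple", "000000", 59))
```

The point the code makes beyond the tip itself: the second factor is only useful if the first is also handled properly (salted, slow hash; constant-time compare), both factors are always evaluated so an attacker learns nothing from which one failed, and a bounded number of failures locks the account so the code cannot simply be guessed within its validity window.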
These are some general suggestions drawn both from our experience and from the global developer community. They nevertheless leave out what the general attitude should be when it comes to security by design, namely a process of continuous improvement, dictated not only by the fact that threats evolve but also by the fact that users’ expectations change, and with them their needs in terms of experience.