Mobile App Security

Jack Sheehan
Published in TappableAgency
4 min read, Feb 4, 2020

So you wish to tie a mobile app into your current commercial offering, or you have a great new concept; now comes the tricky part: ensuring everything is secure from day one.

In a world where hacking, data leaks, data theft and cybercrime are more prolific than ever, security needs to be at the top of everyone's list when reviewing any mobile app product.

Not only for the obvious reasons: the last thing any entrepreneur wants is negative press, or millions written off their mobile app's valuation because of a security flaw. So here are our ten top tips to ensure your mobile app hits the ground securely and smoothly.

1) Proper planning and strategy from day one.

Security should be part of the mobile app development process from the very first planning session, regardless of the product or your development method. It should be front and centre so that every initial feature, and every later functionality revision, is reviewed with security in mind.

2) Don't depend on third parties.

Most developers spend a lot of time on Stack Overflow, and there are numerous third-party SDKs and APIs to integrate with. But you should never rely on third-party code blindly. A survey by NodeSource found that only 16% of developers trust the third-party dependencies they use.

Developers should rely on their own skills, and where third-party modules are used, they should be properly picked apart and reviewed, not only to ensure they are fit for use, but to ensure they are secure and compliant. That review should cover what the module does on the device, which permissions and network endpoints it needs, and how updates to it reach your build: a dependency that floats to "whatever is latest" is reviewed once and then silently replaced.

3) Don't depend on third parties!!

I say it again to drive the message home. APIs provided by third parties are an essential part of programming, but you should never assume they are safe. Make sure the APIs you use come from a vetted and maintained source, are actually secured (authenticated, and served over TLS) and are verified for the platform you're developing on.
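A concrete shape for that review, as an added example in Go that is not code from the article or from tappable: a small supply-chain check that audits a constructed dependency manifest for version ranges and missing checksums, and verifies a downloaded SDK archive against the vendor-published SHA-256 before it goes anywhere near the build. The manifest format, the dependency names and the checksum values are assumptions made up for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
)

// Dep is one third-party dependency as declared in the (constructed) manifest below.
type Dep struct {
	Name    string `json:"name"`
	Version string `json:"version"` // policy: an exact release such as "3.1.0", not a range
	SHA256  string `json:"sha256"`  // checksum published by the vendor for that release
}

// SampleManifest is constructed sample input, not a real project's dependency list,
// and the checksum values are placeholders. Only the first entry satisfies the policy.
var SampleManifest = []byte(`[
  {"name": "analytics-sdk",  "version": "3.1.0",  "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
  {"name": "image-loader",   "version": "^2.0.0", "sha256": ""},
  {"name": "crash-reporter", "version": "latest", "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
]`)

var exactVersion = regexp.MustCompile(`^\d+\.\d+\.\d+$`)

// AuditManifest returns one finding per policy violation. A version range means the code
// that ends up in the build can change without anyone reviewing it; a missing checksum
// means a swapped or tampered download would go unnoticed.
func AuditManifest(manifest []byte) ([]string, error) {
	var deps []Dep
	if err := json.Unmarshal(manifest, &deps); err != nil {
		return nil, fmt.Errorf("manifest: %w", err)
	}
	var findings []string
	for _, d := range deps {
		if !exactVersion.MatchString(d.Version) {
			findings = append(findings, fmt.Sprintf("%s: version %q is not pinned to an exact release", d.Name, d.Version))
		}
		if d.SHA256 == "" {
			findings = append(findings, fmt.Sprintf("%s: no checksum recorded, downloaded artifact cannot be verified", d.Name))
		}
	}
	return findings, nil
}

// Checksum is the hex SHA-256 of an artifact, the form in which vendors usually publish it.
func Checksum(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// VerifyArtifact compares a downloaded SDK or archive against the recorded checksum.
// A malformed checksum is an error, not a pass: "" must never verify anything.
func VerifyArtifact(artifact []byte, expectedHex string) (bool, error) {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != sha256.Size {
		return false, fmt.Errorf("malformed checksum %q", expectedHex)
	}
	sum := sha256.Sum256(artifact)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1, nil
}

func main() {
	findings, err := AuditManifest(SampleManifest)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
	// Constructed stand-in for a downloaded SDK archive and the checksum pinned for it.
	download := []byte("analytics-sdk-3.1.0.aar contents")
	pinned := Checksum(download)
	ok, _ := VerifyArtifact(download, pinned)
	fmt.Println("pristine download verifies:", ok)
	tampered := append([]byte(nil), download...)
	tampered[0] ^= 0x01
	ok, _ = VerifyArtifact(tampered, pinned)
	fmt.Println("tampered download verifies:", ok)
}
```

Run against the sample manifest this reports three findings (two for image-loader, one for crash-reporter) and shows a single flipped bit failing verification. The same two checks belong in CI, so that a build cannot proceed on a dependency nobody pinned or verified.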

4) Minimise permissions

Limit the permissions granted. Never build a system where users share one 'master' login credential. We have seen this so many times, and it opens you up to so many attacks: one leaked secret gives access to everything, you cannot tell users apart in your logs, and you cannot revoke one of them without locking out all of them. Users and machines should have only the bare minimum access needed to pull in or push the information required for that particular task.

That way, should the worst happen, the exposed information is kept to a minimum.

5) Implement sliding access tokens

Here at tappable, we're all about the user. Sliding access tokens, whose expiry is pushed forward each time they are used, are not only a user-friendly way to manage logins, because an active user is never forced to sign in again, but they can also be revoked easily on the server side to enhance your security. Pair the sliding window with an absolute lifetime, otherwise a stolen token that keeps being used never expires.
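Points 4 and 5 together, as an added example that is not the article's or tappable's code: a server-side token store in Go that issues an opaque, per-user token carrying only the scopes that user needs, slides the expiry forward on every successful use, enforces an absolute lifetime so a stolen token that keeps being used still dies, and can revoke one token without touching anyone else's session. The names TokenStore, Issue, Authorize and Revoke, the `orders:read` scope and the 15-minute idle / 8-hour maximum windows are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrInvalidToken = errors.New("token unknown, expired or revoked")
	ErrScope        = errors.New("token does not carry the required scope")
)

// session is the server-side record behind one opaque token. Nothing about the user is
// encoded in the token itself, which is why revocation is immediate: delete the record.
type session struct {
	subject   string
	scopes    map[string]bool
	expires   time.Time // slides forward on every successful use...
	hardLimit time.Time // ...but never beyond this absolute lifetime
}

// TokenStore issues per-user, per-scope tokens with a sliding idle window and a hard cap.
type TokenStore struct {
	mu       sync.Mutex
	sessions map[string]*session
	idle     time.Duration
	maxLife  time.Duration
}

func NewTokenStore(idle, maxLife time.Duration) *TokenStore {
	return &TokenStore{sessions: map[string]*session{}, idle: idle, maxLife: maxLife}
}

// Issue creates a token for one subject carrying only the scopes that subject needs.
func (s *TokenStore) Issue(subject string, scopes []string, now time.Time) (string, error) {
	raw := make([]byte, 32) // 256 bits from the OS CSPRNG: unguessable, not derived from the user
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	sc := make(map[string]bool, len(scopes))
	for _, name := range scopes {
		sc[name] = true
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tok] = &session{subject: subject, scopes: sc, expires: now.Add(s.idle), hardLimit: now.Add(s.maxLife)}
	return tok, nil
}

// Authorize checks that the token is live and carries scope, then slides the idle expiry.
// It returns the subject so the caller can restrict data access to that one user.
func (s *TokenStore) Authorize(tok, scope string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok {
		return "", ErrInvalidToken
	}
	if now.After(sess.expires) || now.After(sess.hardLimit) {
		delete(s.sessions, tok) // dead tokens are dropped so the store does not grow forever
		return "", ErrInvalidToken
	}
	if !sess.scopes[scope] {
		return "", ErrScope // a denied request does not extend the session
	}
	next := now.Add(s.idle)
	if next.After(sess.hardLimit) {
		next = sess.hardLimit
	}
	sess.expires = next
	return sess.subject, nil
}

// Revoke invalidates a single token immediately, e.g. on logout or a reported stolen
// device, without touching any other user's session.
func (s *TokenStore) Revoke(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, tok)
}

func main() {
	store := NewTokenStore(15*time.Minute, 8*time.Hour)
	t0 := time.Date(2020, 2, 4, 9, 0, 0, 0, time.UTC) // constructed clock for the demo
	tok, _ := store.Issue("alice", []string{"orders:read"}, t0)
	steps := []struct {
		at    time.Duration
		scope string
	}{{10 * time.Minute, "orders:read"}, {20 * time.Minute, "orders:read"}, {25 * time.Minute, "orders:write"}, {30 * time.Minute, "orders:read"}, {55 * time.Minute, "orders:read"}}
	for _, st := range steps {
		subj, err := store.Authorize(tok, st.scope, t0.Add(st.at))
		fmt.Printf("+%v %-12s subject=%q err=%v\n", st.at, st.scope, subj, err)
	}
}
```

The demo clock shows the behaviour that matters: a token used at +10, +20 and +30 minutes stays valid well past the 15-minute idle window because each use slides it, a request for a scope the token never had is refused without extending anything, and 25 idle minutes later the token is gone. Taking `now` as a parameter rather than calling time.Now() inside is what makes the expiry logic testable.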

6) Test, test, test

The obvious points are always the ones most overlooked. Any good tester's methodology should be concerned not only with testing from a user's perspective, but mainly from a security perspective.

Whilst good planning and strategy look to reduce the number of doors in, integrating any third party opens extra, unwanted doors. Review every potential security hole you can find, then implement additional security to close it.

You need to think like an attacker here. Whilst all code reviews should include time spent looking at ways to break an app, you should not stop at the obvious flaws. Even when the product works, testing is not even 50% done.

When testing, especially on mobile devices, which are subject to a wide variety of variables, you need to account for everything: every conceivable action or edge case.

7) Implement Tracking & Analytics

Not only do analytics provide good insight into product performance and user behaviour, they also let you spot malicious activity and keep an eye on bad intent, for example bursts of failed logins against one account or from one device. Keep personal data out of the analytics stream itself, or it becomes one more place you have to protect.

8) Don’t be lazy and store everything on device

It's scary how many of the products we review leave us having to say, 'Sorry, it's quicker to start from scratch again.'

This isn't us being arrogant. It isn't always because the code base is horrendous when we look under the hood (although this accounts for 90% of the cases we look at).

But it's the simple things, like not encrypting, or storing far more data on the device than the app needs, so that it's just there for the plucking.

Writing code is easy. Creating a successful product that is secure, takes advantage of opportunities in the marketplace, benefits users and provides an ROI is what sets agencies such as tappable apart.

9) If you store sensitive or personally identifiable information on a user's device, encrypt it.

With the latest data protection laws, GDPR is a hot topic. But a lot of this is simply common sense. Data that must live on the device should be encrypted with a key held in the platform's key store (the Android Keystore or the iOS Keychain), never alongside the data it protects. Data in transit should go over TLS (SSL is its obsolete predecessor and should be disabled); a VPN can wrap a connection, but it does not replace TLS between the app and your API. Encryption does not stop traffic or files being intercepted; it stops whoever intercepts them from reading or tampering with them.
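Point 9 in code, as an added example that is not the article's or tappable's: AES-256-GCM encryption of a record before it is written to device storage, written in Go so it runs anywhere (on a real device the same scheme is driven through the platform's crypto API, with the key living in the Keystore or Keychain). The function names Seal, Open and DeviceKey and the sample record are assumptions for the example; DeviceKey stands in for a key handle obtained from the platform key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceKey stands in for a key handle obtained from the platform key store (an assumption
// for this example). A real app never generates or stores this key next to its data.
func DeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts one record for storage on the device with AES-256-GCM. label is
// authenticated but not encrypted: binding the record name to the ciphertext stops an
// attacker moving the ciphertext stored under one field into another field.
// Output layout: nonce || ciphertext || GCM tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reused with one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open decrypts a record written by Seal. Any change to the nonce, ciphertext, tag or label
// makes the authentication check fail, so a tampered file yields an error, never garbage.
func Open(key, stored, label []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored record too short to be valid")
	}
	nonce, ciphertext := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, label)
}

func main() {
	key, err := DeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record of the kind an app might cache locally.
	record := []byte(`{"email":"alice@example.com","refresh_token":"rt-0123"}`)
	stored, err := Seal(key, record, []byte("profile"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (%d plaintext + %d nonce/tag overhead)\n", len(stored), len(record), len(stored)-len(record))
	back, err := Open(key, stored, []byte("profile"))
	fmt.Printf("round trip: %s err=%v\n", back, err)
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, tampered, []byte("profile"))
	fmt.Println("tampered record opens:", err == nil)
	_, err = Open(key, stored, []byte("settings"))
	fmt.Println("same bytes under a different label open:", err == nil)
}
```

The two failure cases in the demo are the ones worth remembering: a single flipped bit anywhere in the stored bytes, or the ciphertext of one field presented as another, is rejected outright rather than decrypting to something plausible. Encrypting only what the app must keep locally (point 8) keeps this surface small in the first place.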

10) Smoothly

Whilst the nine points above are all about security, it is only fair for one point to focus specifically on 'smoothly'.

Security has to be at the forefront of minds and management at all stages of app product creation. However, the security systems implemented cannot come at the cost of performance and user experience.

Be mindful of file size, runtime memory, app performance, and data and battery usage when adding security measures to an app. If your intended method is a detriment to any of these, chances are the method is wrong and it's back to the drawing board. There is a wealth of ever-changing options out there, and it is imperative that they are implemented correctly, so that they coexist with and add to, rather than detract from, the performance of the mobile app product.
