Tuesday 4 July 2017

7 Tips to Improve Your Mobile App’s Security


As smartphones continue to engrain and integrate themselves into our lives, we’ve come to depend on them more and more as information strongholds.
When we want to make an appointment, we schedule it on our phone.
When we meet someone new, we store their contact information on our phone.
When we want to get in touch with someone, we message them with our phone.
When we want to make eCommerce easier, we store our banking information (credit/debit card information) on our phone.
When we are always on the go, we store our business data on our phone.

Security for Mobile Apps: Why You Need It

Our point is that smartphones have become a one-stop shop for all of our information. The problem is that we tend to download apps indiscriminately, both from official app stores such as the Apple App Store, Google Play and the Amazon Appstore, and from unofficial stores that impose no security requirements at all.

Rogue apps from unofficial stores may contain malware that steals your information. The problem is compounded by the fact that apps from official stores are not immune either: they too can be compromised, or can leak the data they hold, to those seeking it.

Before going forward, it’s important to understand that there are millions of apps available for download, and the developers behind them vary widely in expertise and in how much they care about security. Some place great value on privacy and security; others simply want to ship an app and don’t think twice about it, treating security as something to trade away against features and time to market.
Even worse, some developers integrate third-party components such as map or camera SDKs without fully understanding how those components use their users’ data or whether they introduce security issues of their own. To avoid these problems, consider the following tips for improving your mobile app’s security.

1: Use Threat Modeling Analysis

Threat modeling is “the process of identifying potential threats and enacting countermeasures to prevent or mitigate them.” Understandably this is very important, as it gives you the opportunity to analyze your app and see where it is most vulnerable: what data it holds, where that data enters and leaves, who could get at it, and what stops them. For a payments app, for instance, the model would list stored card data as an asset, a lost phone or a malicious app on the same device as threats, and encrypted on-device storage plus re-authentication before a payment as countermeasures. The problem lies in the practice itself: many developers are not familiar with threat modeling, others do it incorrectly, and some don’t bother at all because of the effort involved.

The thing is, if your app has a security issue and users stop using or downloading it because of that issue, you’re still going to have to go ‘under the hood’ and fix the problem. The difference is that in one scenario you put in the effort at the beginning of the development process and prevented the problem; in the other you still have to put in the effort, but now you also carry the cost of an emergency fix, downtime while you patch it, and the window of exposure in between.

2: Implement a Password or Another Authentication Process

Authentication is vital for anything that stores sensitive information. Thankfully for you and me, there are many ways to authenticate users. There’s the basic option, a password (stored as a salted hash, never in plain text) that serves as the first level of security, and stronger measures such as a second factor tied to the user’s phone at login, for example a one-time code from an authenticator app. As a side note, phone-based verification is also a good measure for password resets, rather than the standard ‘mother’s maiden name’ or ‘name of your first pet’ questions, whose answers can easily be guessed or looked up.

3: Ask for Permission

As we covered earlier, mobile apps frequently integrate third-party apps and device capabilities to carry out tasks they can’t do on their own. For example, a photo editing app needs access to your photo library or camera, and an eCommerce app may link to your virtual wallet. In these situations, where your app needs another app or a device capability to perform a function, the user should always be asked for permission, ideally at the moment the feature is used and with an explanation of why it is needed. Just remember not to ask for more than they’ll be willing to give: request only the permissions the feature actually requires, and nothing up front ‘just in case’.
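One way to enforce the “don’t ask for more than you need” rule before release is to audit the permissions an Android app declares against the set its features justify. The following is an added example, not code from the original article: it parses a constructed AndroidManifest.xml for a hypothetical photo editor, separates the permissions that trigger a runtime prompt (Android’s “dangerous” group, of which only a subset is listed here) from the rest, and reports anything declared that the feature list does not justify.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's runtime-prompted ("dangerous") permissions; the full list is in the platform docs.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical photo-editing app (not a real project).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <application android:label="PhotoEditor" />
</manifest>
"""

# What the app's features actually need (assumed for the example).
JUSTIFIED = {"android.permission.CAMERA", "android.permission.INTERNET"}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> declared at the top level of the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.findall("uses-permission"))
    return {name for name in names if name}


def audit_permissions(manifest_xml: str, justified: set) -> dict:
    """Compare declared permissions with the justified set and flag over-requesting."""
    declared = declared_permissions(manifest_xml)
    return {
        # These will show the user a prompt; each one must map to a visible feature.
        "runtime_prompt_required": sorted(declared & DANGEROUS),
        # Declared, prompts the user, and no feature needs it: remove before shipping.
        "unjustified_dangerous": sorted((declared & DANGEROUS) - justified),
        # Declared without a prompt but still unnecessary attack surface.
        "unjustified_other": sorted((declared - DANGEROUS) - justified),
        # Needed by a feature but not declared: the feature will fail at runtime.
        "missing": sorted(justified - declared),
    }


if __name__ == "__main__":
    for key, value in audit_permissions(SAMPLE_MANIFEST, JUSTIFIED).items():
        print("%-24s %s" % (key, value))
```

Running this in CI against the merged manifest (the one Gradle produces after library manifests are merged in) also catches permissions that a third-party SDK adds silently, which is exactly the situation the paragraph above warns about.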

4: Keep Your App Updated with the Latest Operating Systems

It’s vital that your app always targets, and is tested against, the latest operating system versions available for its platform (Android, iOS, etc.). These releases regularly include fixes for vulnerabilities found since the previous version, so an app that lags behind, or that still depends on outdated SDKs and libraries, inherits their risk.

5: Use Static Analyzers

There’s no doubting that coding is tedious, and even a small error can crash the whole program. Because of this, many security issues in mobile apps are caused by careless errors that slipped through the cracks. To counter this, run a static code analysis to catch anything you may have missed. If you’re unfamiliar with them, static analyzers examine your source code (or compiled bytecode) without executing it, flagging known-bad patterns such as hardcoded credentials, disabled certificate validation, weak ciphers or sensitive data written to logs, as well as structural problems in how the pieces of the code fit together.
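To make the idea concrete, here is an added example (not from the original article, and not a replacement for a real tool such as Android Lint, MobSF or Semgrep) of the simplest kind of static analyzer: a pattern-based scanner that reads Android Java/Kotlin source as text and reports lines matching insecure constructs, without compiling or running anything. The rule set and the sample source are constructed for the example; the sample is deliberately riddled with the mistakes the rules look for.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: "re.Pattern"
    message: str


# Constructed rule set: each pattern is a known-bad construct in Android code.
RULES = [
    Rule("WEBVIEW_JS", re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
         "JavaScript enabled in WebView; only do this for trusted, HTTPS-only content"),
    Rule("HOSTNAME_VERIFY_OFF", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
         "TLS hostname verification disabled"),
    Rule("WORLD_READABLE", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
         "File created world-readable/writable; any app on the device can access it"),
    Rule("WEAK_CIPHER", re.compile(r"Cipher\.getInstance\(\s*\"(AES/ECB|DES|RC4)"),
         "Weak cipher or mode; use AES/GCM"),
    Rule("INSECURE_RANDOM", re.compile(r"\bnew\s+Random\(|\bjava\.util\.Random\b"),
         "java.util.Random is predictable; use SecureRandom for anything secret"),
    Rule("SENSITIVE_LOG", re.compile(r"Log\.[vdiwe]\(.*(password|token|secret)", re.IGNORECASE),
         "Sensitive value written to logcat"),
    Rule("HARDCODED_SECRET", re.compile(r"(?i)(api[_-]?key|secret|password)\s*=\s*\"[^\"]{8,}\""),
         "Hardcoded credential in source"),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    text: str
    message: str


def scan_source(source: str) -> List[Finding]:
    """Line-oriented scan: inspects the program text, never executes it."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # skip single-line comments to reduce noise
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, lineno, stripped, rule.message))
    return findings


# Constructed sample, not a real app; every secret here is fake.
SAMPLE_SOURCE = """\
package com.example.wallet;  // constructed sample, not a real app
class Net {
    String apiKey = "constructed-example-key-0001";
    void setup(WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        HttpsURLConnection.setDefaultHostnameVerifier(
            SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        Log.d("Net", "token=" + token);
        Random r = new Random();
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        // Cipher c = Cipher.getInstance("DES");   // commented out, not flagged
    }
}
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print("line %2d  %-20s %s" % (f.line, f.rule_id, f.message))
```

Real analyzers go well beyond this: they parse the code into an AST, follow data flow (is the value logged on line 8 actually tainted with a credential?), and understand the framework, which is how they avoid both the false positives and the misses a regex produces. The value of even this toy version is that it runs on every commit and never gets tired.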

6: After Static Analyzers, Perform a Code Audit

Static code analysis is excellent, but sometimes you have to go deeper. This is where a code audit comes in: a manual review of the code by someone who understands how it can be attacked, which catches logic flaws and design mistakes that pattern-based tools cannot. Code audits should be performed regularly, not only before a release, and they require more security knowledge than the average developer has, so hiring outside help can be useful if you’re not up to the task.

7: Test Your App in the Real World

Finally, when you’re done with everything related to development and security, the remaining step is to test your app in the real world. Lab tests can do a lot, but they also have their limitations. Field tests, on real devices, real networks and with real users, are ideal for finding the issues your actual users will hit, because the app is being used the way they would use it.

Final Thoughts

If there’s a single thing that you should take from this, it’s that security should be implemented early in the mobile application development process, not as an afterthought. A lot can go wrong from start to finish, and if you’re not vigilant every step of the way, your app can be targeted by those with nefarious intentions. For your benefit, here’s what we covered today and what you should be doing:

1. Use threat modeling analysis
2. Implement a password or another authentication process
3. Ask for permission
4. Keep your app updated with the latest operating systems
5. Use static analyzers
6. After static analyzers, perform a code audit
7. Test your app in the real world

Best of luck and remember to stay secure!