Information Security in Mobile App Development


When we think mobile, we think apps: 86 percent of the time mobile users spend with their phones is spent in mobile apps. The number of apps grows exponentially, while their quality, on average, moves in the opposite direction. Therefore, fraudsters, hackers, and victims are here to stay. Another factor contributing to the vulnerability of our mobile devices is the emerging concept of Bring-Your-Own-Device (BYOD). According to a recent study, over 55 percent of companies allow their employees to install enterprise or work-related apps on their personal mobile devices; even more, 67 percent, allow installing unverified apps on work devices. This state of affairs greatly increases the risk of data leaks, malicious transactions, and corrupted information. In the following paragraphs we will look into the main endangered areas of the mobile app environment and give suggestions on how to apply information security practices in order to prevent losses and grief.

Data Storage

There is hardly any mobile app which does not ask a user to feed it some data: be it registration credentials, a credit card number, or demographic information. Oftentimes, we naïvely believe that this data is taken care of responsibly and securely by the app provider. But this is far from reality. For example, the very popular Starbucks app, which is widely used by US coffee lovers to pre-order and pay for their purchases, admitted to storing usernames, email addresses, and passwords(!) in clear text on the user’s device. Can’t a Fortune 100 company hire developers who understand the importance of information systems security, especially when not only customers’ finances but also the company’s image is at stake? As obvious as it seems, data storage security is neglected much too often to be accidental. What’s more, users tend to reuse the same password across multiple apps (it’s easy to remember), so once villains get hold of one, they may automatically have access to several others.

The solution is pretty straightforward: if sensitive data is stored on the user’s side, it should be thoroughly encrypted and kept in a secure section of the mobile operating system. Ideally, you do not want to store passwords and credit card numbers on the user’s device at all; a dedicated server or protected cloud storage will work best.

Data leakage

Companies striving for perfection in customer service and satisfaction are in a constant search for data telling them more about people’s habits, behaviors, lifestyles, etc. And that’s what makes digital marketing better and better. However, there is a fine line between collecting customer information for internal marketing efforts and violating personal data confidentiality. Many popular mobile apps (e.g. Angry Birds) were found to collect such player information as gender, location, age and more, without letting people know; this is a vivid example of a leaky app.

You can avoid unwanted leakage from your app by double-checking the third-party analytics servers that may act as intermediaries, since you have no control over their security settings.

Poor cryptography

Using no encryption is plainly risky, while using obsolete cryptographic algorithms is risky and misleading. The latter gives you false confidence and peace of mind, which can, however, turn into a splitting headache when you least expect it. Some cryptographic algorithms (such as the MD5 and SHA-1 hash functions) are no longer considered sufficient for mobile app security. Reinventing the wheel by creating your own encryption algorithm in-house is also not the best idea: this cannot be done as a side project (it is too critical for that), nor can it become your top priority project (you already have one).

A third of mobile app development companies never check their products for security. You don’t want to be one of their clients! Be sure to find contractors dedicated to the highest security standards, who apply tried-and-true best practices and penetration-test their apps by modelling different kinds of potential threats.
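As an added example (not code from the article), the two failure modes above side by side in Python: a constructed on-device credential record of the kind the Starbucks incident involved, the unsalted MD5 digest the "Poor cryptography" section calls obsolete, and a salted PBKDF2 verifier that lets the app check a password without ever storing it. The usernames and password value are constructed sample data; on a real device the verifier or its encryption key would be placed in the platform keystore rather than a plain file.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of local file the "Data Storage" section
# warns about: credentials persisted on the device in clear text.
CLEARTEXT_RECORD = {"username": "alice", "email": "alice@example.com",
                    "password": "latte2014"}


def weak_digest(password: str) -> str:
    """Unsalted MD5 of the password, the obsolete construction the
    'Poor cryptography' section warns about: every user with the same
    password gets the same digest, so one precomputed table covers all."""
    return hashlib.md5(password.encode()).hexdigest()


def make_verifier(password: str, iterations: int = 600_000) -> dict:
    """What the app should keep instead of the password: a random per-user
    salt plus a slow PBKDF2-HMAC-SHA256 derivation. The password itself is
    never written to storage."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"kdf": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": dk.hex()}


def check_password(verifier: dict, candidate: str) -> bool:
    """Recompute the derivation from the stored salt and compare in
    constant time, so timing does not reveal how many bytes matched."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(verifier["salt"]),
                             verifier["iterations"])
    return hmac.compare_digest(dk.hex(), verifier["hash"])


def audit_record(record: dict) -> list:
    """Findings a reviewer would raise about an on-device credential record."""
    findings = []
    if "password" in record:
        findings.append("cleartext password stored on device")
    if "hash" in record and record.get("kdf") != "pbkdf2_sha256":
        findings.append("obsolete or unsalted digest")
    return findings


if __name__ == "__main__":
    print(audit_record(CLEARTEXT_RECORD))
    v = make_verifier(CLEARTEXT_RECORD["password"])
    print(audit_record(v), check_password(v, "latte2014"))
    # Same password, two users: MD5 digests collide, salted verifiers differ.
    print(weak_digest("latte2014") == weak_digest("latte2014"),
          make_verifier("latte2014")["hash"] == make_verifier("latte2014")["hash"])
```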

Authentication and authorization

Information security articles keep emphasizing the utmost importance of these two; however, information security news keeps reporting how failure to ensure a decent level of authentication and authorization resulted in countless troubles. If the app asks for a password only once (upon first login), it adds to ease of access, convenience, and usability. But what if your phone is stolen? Will you still be happy about the seconds you saved by not re-typing the password? Unlikely.

Making it as hard as possible for malicious users to impersonate the device’s user or bypass the authentication procedure is critical, and, when implemented professionally, it ensures sound sleep for you and your clients alike.

What is information security mostly concerned with? All of the above and much more. In a word, it’s all about making sure information is provided to and received by the intended recipient only. No matter which definition of information security we choose, the essence and the stakeholders are the same: transmission of data from point A to point B without loss or interference, ensuring customer satisfaction and boosting your brand reputation and bottom line.
