There’s no stopping the popularity of mobile apps these days, but developers need to start thinking about upping their game when it comes to protecting their apps from malicious attacks. Mobile apps are just as vulnerable as web-based apps when it comes to hackers and harmful attacks, so security should be a top priority for developers, along with making something that’s innovative and fun to use.
With that in mind, we’ve put together some important security tips for mobile app development.
Many developers tend to treat security as one isolated step rather than taking a systematic approach; this way of thinking is the reason holes can be found in a supposedly secure app. Instead of making security an afterthought, integrate it into your entire development process. Top tip: carefully look over your entire code base and check that there are no gaps you’ve forgotten to cover.
Know your enemy
If you know the type of threats you need to protect against, you’ll be well on your way to developing apps that pass the test in terms of security. A great place to check for the latest threats is the Mobile Top 10 report from the Open Web Application Security Project (AKA OWASP), at www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks, which details the 10 biggest security threats to mobile apps. It’s updated annually and should be checked whenever you’re developing anything new, as it’ll give you a good idea of the type of security measures you should be implementing.
Use a reliable security framework
All of the biggest operating systems already have tried and tested NIST-certified frameworks, and where possible you should stick to these, rather than trying to come up with your own. This is the most surefire way to ensure your mobile app will not be vulnerable to any security breaches.
Include certificate pinning
There are valuable lessons to be learned from the issues Apple experienced with their ‘goto fail’ bug, which caused SSL/TLS connections to be accepted even though the server’s signature was never actually verified. You must verify the certificate presented on every request against the one you expect (pinning), rather than trusting the platform’s chain validation alone, in order to prevent interception of your app’s requests.
Secure data at rest
Particularly if you’re handling sensitive data, you need to ensure it is protected at all times. You can do this by erasing data as soon as it is no longer needed, and by disabling any storage or features you don’t require while you’re building your app. You could also try asymmetric encryption, which secures your data at rest by encrypting it with a public key whose matching private key is never stored on the devices themselves.