15 Dec 2016, Katarzyna Lorenc 15 Dec 2016, Katarzyna Lorenc Project Management App security: top 10 risks and how to deal with them 36 views According to the 2016 State of Application Security report, 90% of 126 tested apps had at least two critical security vulnerabilities. So if you thought mobile security isn’t a particularly pressing concern these days, now you see why you could be making a huge mistake. Check why app security is currently an extremely important issue, what dangers developers should take into account while creating a mobile app and how to prevent such crises. WHY SHOULD YOU CARE ABOUT APP SECURITY? App security is today a top concern in mobile. And with good reason – recent study from the Ponemon Institute on expenses involved in data breach issues revealed that the average organizational cost of a data breach incident in 2015 was a smashing $3.8 million. What’s more, money is not the only price you pay for security issues in your mobile product. You’ll also lose the trust users placed in your app, compromising the strength and credibility of your brand. So what to do to prevent such situations? Here are 10 top app security risks together with bulletproof tips to help you mitigate them and develop a reliable mobile product that offers a great user experience and keeps user data safe. 1. DATA STORAGE VULNERABILITIES Mobile devices store short-term information for as long as possible. Caching this data is their passport to increasing speed. And we all know that users hate lagging apps, so caching is inevitable. However, this type of data storage makes mobile devices more susceptible to security breaches as cached information is relatively easy to access. What type of data we’re talking about? Here are some of the most common pieces of data stored on mobile devices: Usernames Passwords Authentication tokens Location data Personal data (address, credit card data) Application data (application logs, cached app messages, transaction histories) One way to ensure greater security of data stored in your app is to require a password. However, you have to bear in mind that users don’t like passwords, so think twice whether implementing this solution will actually be better for your enterprise or discourage users. Another strategy to mitigate data caching risks is to program the cache to be wiped automatically every time the mobile device reboots. 2. LACK OF SUFFICIENT TRANSPORT LAYER PROTECTION Mobile apps usually exchange data in a client-server fashion. You can only imagine that in case of insecure apps, third parties will be able to see that data which is traveling across the carrier network and the Internet. These malevolent third parties are commonly called threat agents. They can be users who are local to your network due to a compromised or monitored WiFi. A potential threat agent can also be the carrier or network device – anything from proxys to cell towers and routers. A different type of threat agent is malware that has been installed on the user’s phone prior to the app in question, too. The best way to protect the users of your app against this threat is to take extra care about the coding quality. Remember to add a transport layer protection to make the data journey as secure as possible. 3. NO SECURITY TESTING When you’re rushing to release your app, security might not be your top concern. But it’s not smart to release a product without having it properly tested for data breach threats first. When testing your app, make sure to check every inlet for security. This include sensors, camera, GPS, or the platform itself. Your app can’t be completely safe from malware or viruses, but testing allows to spot the potential weak points in your app. A word of warning – never let your users see your crash and debug logs. They’re full of information that helps hackers to pinpoint potential vulnerabilities of your app. Remember that the Android debug log is cleared when a device is rebooted, but your app is vulnerable until that moment. If you’re developing an app for iOS, make sure your developers disable the NSLog statements – this step will boost the speed of your app as well. 4. WEAK ENCRYPTION If you think an encryption algorithm is bulletproof, you’re making a huge mistake. Technology is constantly evolving, and older encryption algorithms become easy to crack. By not paying enough attention to the encryption technologies used in your app or deciding not to use them at all, you’re asking for trouble. If your app requires users to input sensitive data such as personal identification or credit card information, you simply need excellent encryption. 5. INSECURE COMMUNICATION WITH SERVERS If your app handles sensitive information, it will be accessing particular servers. You need to ensure that these have strong security measure in place to prevent unauthorized users from accessing data stored on them. Whether you’re storing app data on your own servers, or servers of a third-party system, you need to make them secure with SSL certificates and encryption. 6. POOR AUTHENTICATION/AUTHORISATION MEASURES Both the app and the systems to which it connects should be protected with proper authorization and authentication measures. That’s how you make sure that all users, devices and systems are authorized to transmit data to the app. Unauthorized users, devices, and scripts will be identified and blocked. 7. HANDLING OF UNTRUSTED INPUTS If you believe that inputs such as environment variables, cookies, or hidden form fields can’t be modified, you’re putting your app at risk. A hacker can change these inputs with customized clients. If you make any authentication or authorization decisions on the basis of this input, the app’s security will be compromised. You can deal with this risk using good encryption, integrity checking, and other mechanisms that will pinpoint inputs coming from the outside. 8. SIDE CHANNEL DATA LEAKS You need to prepare your app for a side channel attack as well. It’s an attack based on the data from the physical implementation of an encryption system. It’s directed at weaknesses in your encrypting algorithms. That’s why you should ensure that it’s not easy to monitor the movement of data in your app. Hackers watching how your data moves, or when and where it’s transmitted will be able to identify and exploit security holes in your encryption. 9. RISK OF CLIENT SIDE INJECTION If you’re developing an Android app, you should remember that your app will be downloaded and run client side, which means that its code will reside on the device of its user. And since any source of data can be a point of injection, you risk that a hacker performs an SQL Injection on the client device. Ensure that developers follow platform-specific practices to mitigate this risk. 10. BAD MANAGEMENT OF SENSITIVE INFORMATION If your app gets hacked, your own data might be at risk as well. It can be easily used by hackers to mine other systems for access to accounts, credit card data, usernames, passwords, and others. Scan your data for vulnerability caused by breaches to keep a close eye on this risk. EXTRA TIP: HOW TO PROTECT YOUR APP AGAINST PHYSICAL SECURITY BREACHES? You can’t prevent a mobile device from being stolen or lost. What you can do is implement a local session timeout code which will require users to periodically enter a password to access the app. It doesn’t have to be daily – it can be weekly, or every five times they use your app. KEY TAKEAWAY The above list of top app security risks should be enough to convince you that app security is a serious issue. And the more popular your app gets, the more susceptible it will become to hackers. To prevent those risks, when developing your app, make sure to cover all these vulnerability points and build a product which guarantees high security of user data. Following these tips, you’ll be on your way to delivering an app which offers a fantastic and secure experience. How to develop an app in a smooth and easy way? Check our guide. Katarzyna Lorenc Marketing Specialist you might also like 11 May 2017, Katarzyna Lorenc Project Management Hiring a dedicated app developer: pros and cons Project Management 11 May 2017, Katarzyna Lorenc Hiring a dedicated app developer: pros and cons Check what is the most effective way to hire a reliable IT specialists for your short-term in-house project. 22 Jun 2017, Katarzyna Lorenc Project Management [Whitepaper] Why to choose a mobile app developer from Poland? Project Management 22 Jun 2017, Katarzyna Lorenc [Whitepaper] Why to choose a mobile app developer from Poland? Check why Google, IBM and Microsoft decided to outsource IT development to this Eastern European country. 30 Jun 2016, Michał Kowalski Tips & Tricks 6 creative user acquisition strategies for mobile apps Tips & Tricks 30 Jun 2016, Michał Kowalski 6 creative user acquisition strategies for mobile apps No app has ever achieved success without a solid user acquisition strategy. After all, it's users who are your target market and generate revenue from your app. They also serve as social proof to other users who are considering to buy your app. Here are 6 creative user acquisition strategies to help you develop a successful tactic for your app.