Apps have become a way of life. After all, we live in a world where there’s no truer saying than “there’s an app for that!” As stated by experts at RapidAPI, “Apps are designed specifically to operate with a mobile device’s specifications in mind, completely eliminating the need for a laptop or desktop connection to the internet. Why do on a desktop what you can do on your smartphone?” After all, the mobility and convenience that apps provide make them one of the easiest ways to access information, get tasks done, and meet our various needs.
Mobile Apps are Increasingly Unsafe
However, alongside this ease of access comes a heightened threat to data security. In fact, most apps available on the App Store or Play Store today do not undergo vetting. Douglas Maughan, who heads up the Department of Homeland Security’s Science and Technology division, told Fox Business News in an interview that “Mobile applications are put out on the app store [but] they’re not really checked. When people download applications, most people don’t know what they are downloading. They don’t know what’s in that software.”
Without even taking malicious apps into consideration, legitimate apps also have many security flaws that hackers can easily exploit. For instance, an article on The Hill cites the example of Telegram. Telegram’s “secret chat” feature allows users to send encrypted messages. However, the security of this feature is sub-par. The article states, “By simulating an attack that gains permissions by running a kernel exploit, our research team was able to uncover and read Secret Chats written in plain-text in the process memory. Not so safe after all.”
Telegram isn’t an isolated example, though: a majority of mobile apps have security vulnerabilities. One likely reason is that apps are so easy to make, and today can be developed by almost anyone with some technical know-how. The result is a slew of apps made by people who have no background in security and who overlook the importance of cybersecurity in app development.
In fact, an HPE Cyber Risk Report found that almost 75% of the mobile apps it scanned contained a “critical or high-severity” vulnerability. Of all the app flaws in the report, two of the most worrisome are “insecure transport” and “privacy violation”. Insecure transport essentially means that the app’s information wasn’t adequately encrypted, making it easy for hackers to exploit. A privacy violation means the app reads more information than it needs, information that anyone who obtained it could misuse.
These findings echo a study by assistant professor Samuel Thompson, from the Collat School of Business at the University of Alabama at Birmingham. The study investigated four dimensions of access to personal information (personal identity, location, device content, and system and network settings) afforded by mobile app usage. Results showed that participants’ app usage was most affected by concerns about surveillance. Additionally, intrusion and secondary use of personal information were big concerns.
Combating the Problem
With this information in mind, mobile developers need to do as much as they can to ensure that app data stays secure. Therefore, here are some things developers can do (and are already doing) to safeguard mobile apps:
Hire a Security Team
Incorporating a security team is a great way to ensure that apps are safe from the very start of the development process. A security team should be given adequate resources to do its job thoroughly, as well as complete access to the app and the associated development procedures. Any changes or revisions should be discussed with the security team so that appropriate measures can be put in place in good time.
Test and Review the Code
Obviously, a crucial step in properly developing an app is to write secure code. That being said, it’s easy to overlook vulnerabilities and bugs at first glance. Thus, it’s important to test and retest the code at every stage of development.
An article on TechRepublic states that “60% of developers lack confidence in the security of their code, yet don’t take steps to fix it.” The problem, as mentioned in a report, is that many developers simply aren’t testing their code. App security shouldn’t be a task that developers tackle at the end of the development process. Rather, it should be integrated into every step of the process through constant reviews and testing. This way, if a bug shows up, it can be fixed immediately.
Use the Principle of Least Privilege
Experts at Tripwire write that the principle of least privilege dictates that “a code should run with only the permissions it absolutely needs and no more.” So, an app should not ask for any more privileges than the absolute minimum required for it to function properly. For instance, if the app does not need access to a user’s contacts to run, then this information should not be asked for. Using this principle ensures that unnecessary network connections are not made, and reduces the risk of data loss or theft.
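As an added illustration of the contacts example above (this is not code from the original article), the following Python script audits an Android manifest against the set of permissions the app’s feature list actually requires and flags everything declared beyond it. The sample manifest and the note-taking app it describes are constructed for this example; the permission names and the android XML namespace are real.

```python
"""Least-privilege audit: flag manifest permissions the app has no stated need for."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose personal data; each must be justified by a feature.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifest for a hypothetical note-taking app that only
# needs network access to sync notes, yet also asks for contacts and location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_permissions(manifest_xml, needed):
    """Return (unjustified, sensitive_unjustified).

    `needed` is the set of permissions the app's features actually require.
    Anything declared beyond it violates least privilege; the sensitive subset
    is what a reviewer should block until it is justified or removed.
    """
    declared = declared_permissions(manifest_xml)
    extra = declared - set(needed)
    return extra, extra & SENSITIVE


if __name__ == "__main__":
    needed = {"android.permission.INTERNET"}  # the only permission sync needs
    extra, risky = audit_permissions(SAMPLE_MANIFEST, needed)
    for perm in sorted(extra):
        print(("SENSITIVE " if perm in risky else "unneeded  ") + perm)
```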
Carefully Consider What’s Being Stored on a Device
Personal data stored by an app makes for an extremely easy target. Either delete this data, or move it to a secure location. The TechRepublic article states that best practice involves encrypting any sensitive information that is stored on a user’s device.
It’s important to note that even data on app servers is not free of risk. If an app requires sensitive data to function, developers must take the time to fully assess and determine the best place to store this data, both for the user’s sake and to protect their own company’s reputation.
Use High-Level Authentication
Weak authentication is the cause behind some of the biggest security breaches that have occurred to date. Thus, it is more important than ever to employ strong authentication. As noted by Tripwire, authentication refers to “passwords and other personal identifiers that act as barriers to entry.” A big part of authentication depends on users themselves, but app developers can actively encourage users to be more mindful about authentication as well.
For instance, developers can design apps to only accept strong passwords that require frequent renewal. Multi-factor authentication, which involves a combination of a static password and dynamic OTP, is another way to promote better app security. Finally, if an app requires a lot of sensitive information, biometric authentication (like retina scanning or fingerprints) can be considered.
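To show what the “dynamic OTP” half of multi-factor authentication involves on the server side, here is an added Python example (not code from the original article) that generates and verifies time-based one-time codes per RFC 6238 using only the standard library. It tolerates one step of clock drift, compares codes in constant time, and rejects a code whose time step has already been used; the secret is the RFC 4226 test key, and the last-used-counter bookkeeping is assumed to live in the server’s session store.

```python
"""TOTP (RFC 6238) generation and verification for a second login factor."""
import hashlib
import hmac
import struct
import time

# RFC 4226 test secret, used here only so the codes are reproducible.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP: HOTP with the counter derived from the Unix time `at`."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at, last_used=-1, step=30, digits=6, window=1):
    """Check a submitted code; return the matched counter, or None on failure.

    Codes from `window` steps either side of now are accepted to absorb clock
    drift. Comparison is constant-time, and any counter not greater than
    `last_used` (the step of the last accepted code, kept per user by the
    server) is refused so a captured code cannot be replayed within its window.
    """
    now = int(at) // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Demo: the authenticator app computes a code, the server verifies it once.
    t = time.time()
    code = totp(SECRET, t)
    used = verify_totp(SECRET, code, t)
    print("first use accepted at step", used)
    print("replay accepted:", verify_totp(SECRET, code, t, last_used=used) is not None)
```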
Considering both the widespread use of mobile apps and a rise in cyber-threats worldwide, security is a crucial step in the development process. Developers must understand the dire consequences of data breaches and take steps to minimize the risks posed by unsecured mobile apps. The negative impacts of stolen and lost data from insecure apps are numerous. The real victims are the users who struggle to regain their lost data and are vulnerable to identity theft. These are just some of the steps developers can take to ensure that their data is safe. Moving forward, app developers must take a more comprehensive approach towards development, and prioritize data security above all else.