At personal and corporate level mobile security has becomes a major issue today, for both developers and users. Any mobile app can be a success if it provides a good user experience, more importantly, a safe user experience.
In 2011, The NewYorkTimes reported that hackers attempted to log in to Sony’s PlayStation networks and tried to access the login data from other third-party web sites and sources. Most users use the same username and password for multiple accounts and the hackers tried to take advantage of this user behavior pattern. The company has to request users to reset their passwords to make the whole process more secure. That was a major blow for Sony and they lost user trust.
Hence, the main concern for any mobile app developer is to provide security of mobile application, through all the stages of app development and deployment. In order to ensure that your application remains safe and secure; you should follow these 7 steps in all the phases of your application development.
1. Starting From the Beginning – Integrating Security
Security is the main concern for any application to be successful in the market; developers should include the task of securing the app as an important part in app development from the beginning of development.
Including security in each stage of application development and planning out your initial app design strategy reduces the chances of security risks during the later stages of app development. It also results in saving time, effort and money, which you may have to invest later.
At this stage, you can also prepare some security protocols as security which you have learned from your past developments. List down all the major security issue that may be raised in future and take extra care to find solutions for them.
2. Designing the App – Secure User Interfaces
The weakest link in any security system is the end user. Most of the security holes have been caused by weak passwords; unencrypted files left on unprotected devices and successful social engineering attacks. So, as a developer, it’s your responsibility that your application’s user interface enhances security by making it easy for the user to make secure choices and avoid costly mistakes. For this,
- Always try to keep your application’s default settings as secure as possible. For example, try to provide minimum privileges to the application that is launched by your app. By default your application should use SSL, if it requires a connection with the Internet.
- Instead of expressing technical details to the user, details is expressed in terms of consequences or trade-offs.
- If you are providing any security features, then make it clear to the users, For example, if your application requires users to click on some button, to view the license agreement terms or certificate, chances are that most users will never realize that this feature is available in your application.
- Most people believe that security and convenience are incompatible, but that is not always true. In fact, the user shouldn’t be provided with the choices between convenience and security as in that case most users would choose convenience. So, usually a simpler interface is the most secure one.
3. Secure Storage of Local Data
Mobile devices store the information in different kind of files, databases and many more. It may happen that the user forgot to wipe the data before transferring the device to any other user or if the device is lost, a user’s information will be compromised. So, developers must be very careful while storing sensitive information in the device.
As explained above, don’t prefer to store any sensitive information on a device because there is always a risk of data being stolen. In case if there is a specific need to store data on a device, then it can be properly encrypted to prevent from the leak.
For iOS, one can use Open Source SQLCipher extension to the SQLite database to encrypt SQLite database files with AES 256 and to securely store local data such as passwords and encryption keys. Keychain Services are provided while Android provides access to encryption APIs via the javax.crypto libraries.
4. Protect Network Communications
- You may see that many famous and successful apps can’t run completely on the mobile device. Mobile platforms offer a variety of networking options for mobile applications to access network-attached resources.
- As the local storage of application information increases the risk of security with some memory-management issues (devices contain low memory), it is very important to store your information on some server and pull or push data from/to the server when you needed (Just In Time).
- The risk is not only in storing data locally. Communicating with servers without the use of proper encryption techniques is also equally risky.
- Basic encrypted communication mechanisms such as SSL sockets and HTTPS web requests are accessed by most of the mobile platforms. For more advanced networking options, iOS documented the details under the title “Networking and Internet in iOS” while Android has android.net package. Use these options in your app development phase to provide users with secure communication of data on the network.
5. Use of External Libraries – Don’t Trust Blindly
- As external libraries contain the code developed by some third developer, the risk of security to be compromised is always there. A small amount of insecure code can pose a risk to the overall security of users’ systems.
- As a developer, you should properly analyze and study the code before integrating the third-party libraries into your own project. You should test code for invalid and unexpected data (unit testing) with static code analysis.
- Always pay special attention to the code that communicates over the network, deals with potentially untrusted data (documents or URLs), and handles passwords or other similar sensitive information.
- You should notify users about what information is sent or received over third party servers and the reason for sending and receiving it.
- Always prefer APIs that take security into consideration in their design and try to use the security features provided by the appropriate OS.
6. App Sandboxing
The recommended way to do privilege separation (providing different levels of privilege to different components) is to use App Sandbox. A non-sandboxed app is accessed by any resources. The Security of your app is compromised when your app or any frameworks against which is linked, contains security holes. In this case, an attacker can take control of that app and can do anything that the user can do. In this case, app sandboxing can provide defense against corruption, theft, or deletion of user data even if an attacker has exploited security holes in your app.
By enabling App Sandboxing, your app gets a basic level of system access and you can add other privileges by adding entitlements. Apple has already provided a detail explanation on how to design app sandbox. It describes how your app interacts with the system and also allows users to transparently grant additional access to your app, which in turn provides more security to your application.
7. Securely Test and Deploy the App
As mentioned earlier, security should be considered in each phase of application development, this phase is not the exception from this. Actually the final phase requires more attention as it’s the last chance for the team to pick those security holes that may break your application in the future. In order to pick those holes and to ensure that your app is completely free of security and other issues, you need to test your app fundamentally. Prepare documentation for all these processes and build proper test cases, before testing the app so, a professional team can use them to create a systematic analysis of your app.
You have successfully followed the all the security terms in all the phases of app development, but if you made any security mistakes at the time of installation or deployment of the app then the security of your app will be compromised. Deployment of application includes installation and configuration of the app to make it available for users. Ensure complete app security, the production team should work in tandem with the security team.
Further by performing these steps, an organization should schedule mandatory security training on a regular basis and ensure that each developer takes part in the training session, so that they can understand the best practices for developing quality apps. App developers should follow these appropriate strategies to effectively tackle issues about app security.
Although performing all the above steps doesn’t provide 100% security to your app, they reduce the security chances of your app to be compromised. At the end, it is your responsibility to perform security analysis on a timely basis, eliminate newly found security holes and update the application to make your application secure and popular (with good ratings, of course) among the other thousands of the applications on app stores.
This is a guest post by Bhavin Chitroda is a Software Engineer working with Azilen Technologies. He is a geek and developing Mobility Solutions by inventing Mobile Applications for different sectors. He is techy and to play with technologies is his hobby. You can find his development solutions at stackoverflow and can also connect at Facebook and Google+.