The everyday smartphone user doesn’t think about data security when selecting or using an app. But app vulnerabilities are becoming increasingly common.
Just last month, there was a vulnerability affecting more than 1,500 iPhone apps that could allow a hacker, using a MITM (man-in-the-middle) attack, to see users’ sensitive data. iOS apps aren’t the only ones that have had problems. Last year researchers discovered a vulnerability in the Android OS and used it to hack the Gmail Android app with a 92% success rate. The fun doesn’t stop with the Gmail app: the researchers used this same vulnerability to hack several other apps with an 80 to 90 percent success rate.
Developers must start making security an integral part of the development process, and must stay atop best practices in order to keep their users’ information safe.
When developers don’t take app security seriously, a company can face a PR nightmare if a vulnerability is discovered. The nightmare gets scarier if the vulnerability is exploited. According to InformationWeek, common problems include insecure data storage, weak server-side controls, unintended data leakage, broken cryptography, and security decisions based on untrusted inputs. When collecting user information, as many apps do, data must be encrypted during transmission and data should be encrypted at rest (in data storage).
McAfee zeroed in on this issue: “Researchers found that the vast majority of [Android] apps they studied used insecure communication protocols, meaning they failed to properly encrypt user data. Additionally, of the apps looked into by researchers, 60% were found to be talking to domains that were blacklisted by reputation services—meaning that your personal data is being sent to and shared with unreputable sources.”
Not only can a company expect a public relations nightmare if a vulnerability is exploited, but there are also many liabilities that come with weak security. There is the literal cost of fixing the app, which can run a company anywhere from $400 to $4,000 (and those costs are from 2009). There are also costs associated with fraud, brand damage, and intellectual property theft.
The Federal Trade Commission recommends that app developers start with security when developing a new product. As with any smart device, security should be built in from the start, not added as an afterthought. When security is a priority, you can save a lot of stress, money, and time.
Someone should be in charge of security. Security should be at the forefront of app development. Designate a security expert to ensure security is checked throughout development.
Use strong encryption for data. Encryption should be used for data in transmission and data at rest. Many smartphone users connect to apps in public places (think: Starbucks, the airport, etc.) and you can’t always depend on those connections to be encrypted. Developers should use HTTPS as a standard protocol, and your app should properly use and check digital certificates.
Stay on top of security. App security is an ongoing issue, and it isn’t finished when development ends or the app is released. Keep users informed about security updates and release frequent updates for bug fixes.