App Security – More Important than You Think

Did you know that the majority of top apps in both the Google Play and Apple App Store have been hacked?  In other words, if your App goes viral it may not be a question of whether you'll be hacked, but when.  One breach could cost millions along with your App's reputation.  App security is not an option; it's a necessity.  With so much at risk, let's explore what developers do to build security into their apps.

Secure the Code

Code vulnerabilities are the starting point for most hackers.  They find them by reverse engineering your code with free decompilers.  The scary part?  All they need is a public copy of your app to do it.  Harden your code through obfuscation and minification so it cannot be reverse engineered at the click of a button.

Encrypt, Encrypt, Encrypt

Encrypt all data exchanged through your app, so that all a hacker gets, if they do find a vulnerability, is meaningless encrypted alphabet soup.

Careful With Libraries

Code libraries can save developers hours of coding, but at what cost?  Some libraries are extremely insecure, with security flaws that could allow attackers to remotely execute malicious code.  Where possible, use controlled internal repositories and apply policy controls when acquiring third-party code.

Strong Authentication is your Friend

Only accept strong alphanumeric passwords that must be renewed regularly.  Multi-factor authentication, such as a second verification step through SMS, is also a powerful protection mechanism.  Today's devices even allow biometric authentication for high-security scenarios.

Least Privilege is Best

Code should only run with the permissions it needs.  If you don't need access to the user's geolocation or contacts, don't ask.  Never make unnecessary connections or access unnecessary information.  If you don't have access, you can't let anyone else in the door.

Tokens Expire for a Reason

Use tokens instead of device identifiers to identify a session; a token can be revoked at any time, which also enables remote data wipes and remote log-offs.
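One way to implement the revocable, expiring sessions described above, as an added example that is not the post's own code. It assumes an in-memory store and a 15-minute token lifetime; a real service would persist the store, but the checks are the same.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short on purpose


@dataclass
class Session:
    user_id: str
    expires_at: float
    revoked: bool = False


class SessionStore:
    """Server-side registry keyed by the SHA-256 of each opaque token,
    so a leaked copy of the table cannot be replayed as live sessions."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock, handy for testing expiry
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _live(self, s: Session) -> bool:
        return not s.revoked and self._now() < s.expires_at

    def issue(self, user_id: str) -> str:
        # 256 bits from the CSPRNG: unguessable, unlike a static device ID
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token: str) -> Optional[str]:
        """User id for a live token; None if unknown, expired or revoked."""
        s = self._sessions.get(self._key(token))
        return s.user_id if s is not None and self._live(s) else None

    def revoke(self, token: str) -> None:
        """Log off a single session (user taps 'sign out')."""
        s = self._sessions.get(self._key(token))
        if s is not None:
            s.revoked = True

    def revoke_all(self, user_id: str) -> int:
        """Remote log-off after a lost device: kill every live session for the user."""
        victims = [s for s in self._sessions.values() if s.user_id == user_id and self._live(s)]
        for s in victims:
            s.revoked = True
        return len(victims)
```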

Don’t Leave the Key in the Door

Never hard code your keys; store them in secure containers and never on the device.  Use the latest encryption APIs, such as 256-bit AES encryption.

Remember Yahoo

Make sure your developers are already following these guidelines or you could be the next Yahoo: 3 billion user accounts and $350 million later.
