Last month, researchers published an insightful report that highlighted serious security flaws in popular Android VPN apps. In the report, researchers from Australia’s CSIRO, UC Berkeley, and the University of New South Wales found malware in about 38% of the VPN apps they examined on the Play Store. Of the 234 VPN apps covered in the study, about 18% tunnelled traffic without encrypting it at all, and roughly 8 out of 10 requested access to sensitive personal data.
This study is just one of many that have exposed the soft underbelly of mobile apps. Apps have become hugely popular over the past few years, and that popularity has created the perfect environment for hackers and data thieves to thrive.
While the end-user bears some degree of responsibility when it comes to protecting themselves from malware and viruses, app developers should also ensure their coding practices do not leave room for hackers to insert and deploy malicious code within their apps.
The following tips will help developers build secure apps for different mobile platforms.
- Include security as part of the development strategy from the get go
Unlike websites and other web-based applications, whose data lives on servers the operator controls, native applications keep much of their data on the user’s device where the app is installed. Web developers can take servers offline, roll out updates, and monitor for suspicious activity centrally and quickly. For native apps, shipping a patch means publishing a new version and waiting for users to install it, and because many users ignore or delay security updates, a vulnerability can persist on devices long after it has been fixed in the codebase.
For this reason, think about security from day one when developing native apps. Consider every detail that may affect the security of the app once it has been installed, and aim for a balance between security and app performance: measure what your encryption, authentication, and integrity checks cost in battery usage and runtime memory on real devices, so that security features are tuned rather than quietly dropped for being too expensive.
- Use strong authentication and authorization techniques
Another good way to improve the security of your app is to add strong authentication and authorization. Each layer requires users to prove their identity before using the app, which reduces the chance of an attacker impersonating them or reaching data they should not see. Open standards such as OAuth2 and OpenID Connect are the usual tools: OAuth2 lets the app obtain short-lived, scoped access tokens from an authorization server instead of handling the user’s password itself, and OpenID Connect adds an identity token on top of OAuth2 so the app can verify who signed in. For native apps, use the authorization code flow through the system browser with PKCE (RFC 8252), and do not embed a client secret in the app, since anything shipped in the binary can be extracted.
Additionally, limit third-party APIs and SDKs to non-critical parts of your app. Third-party code runs with the same permissions as your own, so every library you include widens your attack surface, and you are relying on the third party to keep it secure.
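To make the PKCE recommendation concrete, here is an added example (written for this page, not code from the original article or from any OAuth provider) in Go, chosen because everything needed is in its standard library. It generates the code verifier and S256 challenge the app sends, builds the authorization URL, and shows the check the authorization server performs at the token endpoint. The endpoint, client ID, redirect URI and state value are hypothetical placeholders; in a real app the state must be random per request and checked on return.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// PKCE (RFC 7636) for the OAuth 2.0 authorization code flow in native apps
// (RFC 8252). The app keeps a secret "code verifier", sends only its SHA-256
// hash (the "code challenge") when opening the browser, and reveals the
// verifier when it redeems the authorization code. Another app on the device
// that hijacks the redirect URI receives a code it cannot redeem, and no
// client secret ever has to ship inside the app binary.

// NewCodeVerifier returns a fresh 256-bit verifier encoded as 43 base64url
// characters, inside the 43..128 length range the RFC requires.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the challenge sent to the authorize endpoint:
// BASE64URL(SHA256(verifier)) without padding.
func CodeChallengeS256(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// AuthorizeURL builds the URL the app opens in the system browser.
func AuthorizeURL(endpoint, clientID, redirectURI, scope, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return endpoint + "?" + q.Encode()
}

// VerifyPKCE is the authorization server's side of the check at the token
// endpoint: the verifier presented alongside the code must hash to the
// challenge that was stored when the code was issued.
func VerifyPKCE(storedChallenge, presentedVerifier string) bool {
	want := CodeChallengeS256(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(want), []byte(storedChallenge)) == 1
}

func main() {
	// Hypothetical endpoint, client ID and redirect URI; not a real service.
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println(AuthorizeURL("https://auth.example.test/authorize",
		"example-mobile-client", "com.example.app:/oauth2redirect",
		"openid profile", "random-state-value", challenge))

	// Token exchange: the legitimate app presents its verifier and passes;
	// an interceptor that only saw the redirect has no verifier and fails.
	fmt.Println("legitimate app:", VerifyPKCE(challenge, verifier))
	fmt.Println("interceptor:   ", VerifyPKCE(challenge, "guess"))
}
```

The verifier never leaves the app until the token request, which is sent directly to the token endpoint over TLS, so an attacker who captures the redirect (a malicious app registered for the same custom scheme, for example) is left with an authorization code that the server refuses to exchange.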
- Use a good encryption strategy
Encryption is especially important for native apps because, as mentioned earlier, mobile apps store a lot of important data on the end user’s device, where it is exposed if the device is lost, stolen, or rooted. Apps with poor encryption practices often leak data, accidentally or otherwise, and end up exposing sensitive personal information.
Encrypt sensitive files and databases from the start: no code is impenetrable, but encryption at rest means a copied database is useless without the key. Appcelerator, the app development platform, is a good place to start for those looking to encrypt mobile databases. Implement sound key management: keep keys in the platform keystore (Android Keystore or the iOS Keychain) rather than in source code or preferences, use a fresh nonce for every encryption, and keep highly sensitive data such as credit card numbers off the device altogether by sending it straight to your server, or a payment processor, over an encrypted connection.
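As an added illustration of the at-rest encryption and key-handling advice above (example code written for this page, not part of the original article or of Appcelerator), the following Go block encrypts a database record with AES-256-GCM. It assumes the key is fetched from the platform keystore at runtime; a random key generated by NewDataKey stands in for that here, and the table/column name used as context is a hypothetical label. Each record gets its own random nonce, and the context is bound as associated data so a ciphertext cannot be moved to another field without detection.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDataKey generates a random 256-bit key. In a real app this is the
// stand-in for a key held by the Android Keystore / iOS Keychain, which the
// app uses but never writes to its own files or preferences.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext and returns nonce || ciphertext || tag, the
// blob that would be written to the database column. "context" names the
// field the record belongs to and is authenticated but not encrypted.
func SealRecord(key, plaintext []byte, context string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per record
		return nil, err
	}
	// Seal appends to nonce, so the nonce travels with the record.
	return aead.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// OpenRecord decrypts a blob produced by SealRecord. Any change to the
// nonce, ciphertext, tag or context makes the authentication check fail.
func OpenRecord(key, record []byte, context string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record too short to be valid")
	}
	nonce, ciphertext := record[:aead.NonceSize()], record[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, []byte(context))
	if err != nil {
		return nil, errors.New("record rejected: corrupted, tampered with, or wrong key/context")
	}
	return plaintext, nil
}

// Tampered returns a copy of record with its last byte flipped, simulating
// an attacker editing the database file directly.
func Tampered(record []byte) []byte {
	out := append([]byte(nil), record...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value; the column name is a hypothetical label.
	blob, _ := SealRecord(key, []byte("session-token-constructed-sample"), "users.session_token")
	pt, err := OpenRecord(key, blob, "users.session_token")
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	_, err = OpenRecord(key, Tampered(blob), "users.session_token")
	fmt.Println("tampered record:", err)
	_, err = OpenRecord(key, blob, "users.notes")
	fmt.Println("moved to another column:", err)
}
```

Because GCM authenticates as well as encrypts, a tampered or relocated record is refused outright rather than decrypted into garbage, which is the behaviour you want from anything that reads attacker-reachable storage.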
- Secure network connections within the code
If your app will access data from external or cloud servers, make sure you have secured the network connection that carries the data exchange. Every connection between the app, including calls made by third-party SDKs inside it, and the servers should be protected so the data cannot be intercepted or altered in transit.
Containerization, isolating the app’s data in a managed, encrypted container separate from other apps on the device, is a popular technique for protecting stored data. For data in transit, use TLS for every connection (SSL is obsolete and should be disabled; require TLS 1.2 or later and consider pinning the server’s public key so a rogue certificate authority cannot be used to intercept traffic), and a VPN can add another encrypted tunnel around it. However, given everything that has been happening with VPNs, do your research and work only with the safest ones. Safe options here include Windscribe and PureVPN.
- Test and retest before publishing
Testing is a critical final step of app development that many developers overlook. A 2015 study conducted by Ponemon/IBM found that less than half of a company’s apps are tested after development, with 33% of companies saying they never test their apps for potential security problems.
Conduct authentication, authorization, and penetration tests to find weaknesses in the app before attackers do. Use emulators to simulate the real-world operation of your app, but also test release builds on real devices, since emulators do not reproduce every device-specific behaviour, and fix problems before they reach users.
At the end of the day, your efforts as a developer will go a long way in thwarting the efforts of hackers who are always looking to penetrate weak apps. These tips will not only let you create a safer, more secure app but will enable your users to have a fun and creative time on your app.