App developers beware. Hackers now know that apps lacking robust security controls can be the back door to PCs and enterprise systems. According to the CYREN 2015 Cyber Report, 1,076,390 new Android malware samples were identified in Q1 of 2015, compared to 790,000 in Q4 of 2014, a 36% increase. So, if your business model involves an app and you don’t want to be the cause of tomorrow’s front-page data breach story, it’s time to start taking security seriously. Here are some of the things we advise our clients to consider when developing and maintaining their app:
Think About Verification
Chances are, someone using your app will lose their phone or have it stolen. Odds are that some of those phones will not be password protected, a potential goldmine for the would-be hacker. Your app may be the last line of defense. What kind of authentication procedures will you have to prevent unauthorized access? Are strong passwords required? Is two-factor authentication in place? How will failed logins and lost passwords be handled? Will you be able to weave in even newer techniques, such as code in the app that blocks access from jailbroken phones? These are just some of the questions to think about and discuss with your developer before coding begins.
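The questions above are easier to answer with a concrete artefact in front of you. The following Go code, added here as an illustration and not taken from the original article, shows two of them: a password-strength policy and a failed-login guard that locks an account after five failures inside a fifteen-minute window. The limits, the account names and the injectable clock are assumptions made for the example; password hashing and credential storage are deliberately outside its scope.

```go
package main

import (
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Constructed policy values for the illustration; real limits come from your threat model.
const (
	minPasswordLen  = 12
	maxFailedLogins = 5
	lockoutWindow   = 15 * time.Minute
)

// CheckPasswordStrength enforces a minimal policy: a length floor plus at least
// three of the four character classes. The error text is meant for the UI.
func CheckPasswordStrength(pw string) error {
	if len(pw) < minPasswordLen {
		return fmt.Errorf("password must be at least %d characters", minPasswordLen)
	}
	var upper, lower, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, other} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return errors.New("password must mix at least three of: upper, lower, digits, symbols")
	}
	return nil
}

// LoginGuard tracks failed attempts per account (hypothetical account IDs) and
// locks the account once maxFailedLogins failures fall inside lockoutWindow.
type LoginGuard struct {
	failures map[string][]time.Time
	now      func() time.Time // injectable clock so tests can move time forward
}

func NewLoginGuard() *LoginGuard {
	return &LoginGuard{failures: map[string][]time.Time{}, now: time.Now}
}

// prune drops failures that have aged out of the window and returns what is left.
func (g *LoginGuard) prune(account string) []time.Time {
	cutoff := g.now().Add(-lockoutWindow)
	kept := g.failures[account][:0]
	for _, t := range g.failures[account] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	g.failures[account] = kept
	return kept
}

// IsLocked reports whether the account has used up its failure budget.
func (g *LoginGuard) IsLocked(account string) bool {
	return len(g.prune(account)) >= maxFailedLogins
}

// RecordFailure logs one failed login and returns how many attempts remain.
func (g *LoginGuard) RecordFailure(account string) int {
	g.prune(account)
	g.failures[account] = append(g.failures[account], g.now())
	if remaining := maxFailedLogins - len(g.failures[account]); remaining > 0 {
		return remaining
	}
	return 0
}

// RecordSuccess clears the history once the correct credential is presented.
func (g *LoginGuard) RecordSuccess(account string) {
	delete(g.failures, account)
}

func main() {
	fmt.Println("policy:", CheckPasswordStrength("Correct-Horse-Battery-9"))
	g := NewLoginGuard()
	for i := 1; i <= maxFailedLogins; i++ {
		fmt.Printf("failure %d, attempts remaining: %d\n", i, g.RecordFailure("demo-user"))
	}
	fmt.Println("locked:", g.IsLocked("demo-user"))
}
```

The lockout is time-windowed rather than permanent so that a mistyped password a few times in a row does not turn into a self-inflicted denial of service, while a sustained guessing run still hits the wall; the remaining-attempts count gives the UI something honest to tell the user.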
Remember to Plan Storage and Encryption
The storage of unencrypted data on a mobile device should be avoided whenever possible. If local storage is absolutely necessary, make sure the data is properly encrypted. Data in transit should be encrypted as well. Apps that transmit unencrypted or weakly encrypted data open additional avenues for attack.
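As an added example (not code from the article), the Go snippet below encrypts a record with AES-256-GCM before it touches local storage, rejects any tampered or mislabelled blob on the way back, and builds an HTTP client that insists on TLS 1.2 or newer with certificate verification left on. The 32-byte key is generated inline for the demonstration only; in a real app it would come from the platform keystore. The record contents and field names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// SealRecord encrypts plaintext with AES-256-GCM under a 32-byte key. The random
// nonce is prepended to the ciphertext so one blob can be written to local
// storage; aad binds the blob to a context (for example the field name) so a
// blob copied into another field fails authentication instead of decrypting.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any bit flip in the blob, or a mismatched
// aad, returns an error rather than garbage plaintext.
func OpenRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// NewTransitClient returns an HTTP client whose TLS settings refuse legacy
// protocol versions and keep certificate verification on.
func NewTransitClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				InsecureSkipVerify: false, // never true in a shipping build
			},
		},
	}
}

// TransitConfigIsSafe is a unit-testable guard against configuration drift,
// such as a debug build that switched verification off and was never reverted.
func TransitConfigIsSafe(c *tls.Config) bool {
	return c != nil && !c.InsecureSkipVerify && c.MinVersion >= tls.VersionTLS12
}

func main() {
	key := make([]byte, 32) // demonstration only: a real key lives in the platform keystore
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := SealRecord(key, []byte("session-token-123"), []byte("auth_token"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", blob)
	blob[len(blob)-1] ^= 1 // simulate on-disk corruption or tampering
	_, err = OpenRecord(key, blob, []byte("auth_token"))
	fmt.Println("tampered blob rejected:", err != nil)
	cfg := NewTransitClient().Transport.(*http.Transport).TLSClientConfig
	fmt.Println("transit client safe:", TransitConfigIsSafe(cfg))
}
```

The point of the authenticated mode is that "properly encrypted" covers integrity as well as confidentiality: an attacker with the device cannot silently edit a stored record and have the app accept it. The guard function exists because the most common transit weakness is not a broken cipher but a verification flag flipped for testing and shipped.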
Secure Coding Should be Top of Mind
Make sure your developers are security-minded. They should be thinking consciously about their code and testing it as they go, so that your app doesn’t ship with vulnerabilities that can be exploited once you are up and running.
Threat Modeling: Think Like a Hacker
Threat modeling is a process of assessing and documenting a system’s security risks. The goal is to examine your app’s security protocols through the eyes of your potential foe. Ideally, if this process is done carefully, your app’s weaknesses will be identified and appropriate security safeguards can be built in before anyone has time to capitalize on design weaknesses.
Penetration Testing as an Additional Safeguard
Penetration testing is a process of testing your applications for vulnerabilities in order to understand what a hacker could do to harm an application. An effective penetration test will usually involve a skilled hacker, or team of hackers. Is this something worth considering for your enterprise?
Bug Bounties: A More Cost Effective Alternative?
While penetration testing is a good practice, it can be expensive. An alternative may be to set up a bug bounty program, offering a monetary reward for finding software bugs and reporting them to you. Bug bounties have become very popular in recent years and have been adopted by the likes of PayPal, AT&T, Google, and Tesla. Most companies offer bounties on a sliding scale based on the size of the organization and how much user impact a bug might have. On the upper end, Facebook recently reported that it had received 17,011 bug bounty submissions and has paid out more than $3 million since its program was started in 2011. Downside of a bug bounty? If not adequately staffed, your company could be overwhelmed with bug bounty submissions, especially if there is an excessive number of bugs in the app. Filtering through duplicate and invalid submissions can be a time-consuming activity as well.
Patch Management/Open Source Awareness
Once your app is up and running and the initial bugs have been screened out, your work has just begun. Software needs to be regularly monitored and updated to ensure vulnerabilities are addressed. Don’t forget, even if your software is proprietary, chances are there is open source embedded within your product. Make sure someone is aware of what’s there and that you have a means of keeping up with updates and patches.
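One way to make "someone is aware of what’s there" concrete, added here as an example and not part of the original article: a small Go inventory checker that parses a constructed manifest of bundled components and flags any whose version is older than the fix version in a constructed advisory list. The manifest format, component names, versions and advisory identifiers are all made up for the illustration; a real pipeline would feed it a lock file and a vulnerability feed, and would use a full semantic-version library rather than the numeric comparator here.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a constructed stand-in for one entry in a vulnerability feed:
// every version of Component below FixedIn is affected.
type Advisory struct {
	ID        string
	Component string
	FixedIn   string
}

// ParseManifest reads "name version" lines (a constructed format modelled on a
// lock file) into a component inventory; blank lines and # comments are skipped.
func ParseManifest(manifest string) (map[string]string, error) {
	inv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		inv[fields[0]] = fields[1]
	}
	return inv, sc.Err()
}

// CompareVersions orders dotted numeric versions (1.2.10 > 1.2.9). A missing
// component counts as 0, so 1.2 == 1.2.0. Returns -1, 0 or 1.
func CompareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// FindVulnerable returns the IDs of advisories whose component is bundled at a
// version older than the fix. Components not in the inventory are ignored.
func FindVulnerable(inv map[string]string, advisories []Advisory) []string {
	var hits []string
	for _, adv := range advisories {
		if v, ok := inv[adv.Component]; ok && CompareVersions(v, adv.FixedIn) < 0 {
			hits = append(hits, adv.ID)
		}
	}
	return hits
}

// Constructed sample inputs: a manifest of bundled components and three advisories.
const sampleManifest = `
# component version
example-json-parser 1.4.2
example-image-lib 2.0.1
example-net-client 3.1.0
`

var sampleAdvisories = []Advisory{
	{ID: "ADV-EXAMPLE-1", Component: "example-json-parser", FixedIn: "1.4.3"},
	{ID: "ADV-EXAMPLE-2", Component: "example-net-client", FixedIn: "3.0.4"},
	{ID: "ADV-EXAMPLE-3", Component: "example-not-bundled", FixedIn: "9.9.9"},
}

func main() {
	inv, err := ParseManifest(sampleManifest)
	if err != nil {
		panic(err)
	}
	for _, id := range FindVulnerable(inv, sampleAdvisories) {
		fmt.Println("needs patching:", id)
	}
}
```

Run against the sample data, only the JSON parser is reported: the network client is already past its fix version, and the third advisory concerns a component the app does not bundle. Wiring a check like this into the build is what turns "keeping up with patches" from a good intention into something that fails loudly when it lapses.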
Final Thoughts
Unfortunately, in today’s security breach era, mobile apps are no longer immune. Your mobile app should be seen as an extension of desktop software. It should be afforded the same level of attention when it comes to security testing.