Users expect mobile apps to be a secure platform with a user-friendly interface and reliable performance. Delivering such an app requires adherence to a set of guidelines.
In our previous blog, Guidelines for Mobile App Development-I, we covered Data Storage, Server Side Control and Transport Layer Protection as the areas to secure during the development stage of a mobile application.
In this blog, we describe more such elements to consider during mobile app development. These include:
- Authorization and authentication
- Data Leakage
Authorization and authentication
A mobile application is a true reflection of a web portal in a browser, with all its features, functionality and content. Hence its authorization and authentication should be no less rigorous than the portal's.
Here are some quick tips:
Development must be guided by the primary principle of ensuring sufficient server side control. Credentials must be authenticated on the server side, and application data must be loaded onto the mobile device only after authentication succeeds.
Where client side storage of data is required, the data must be encrypted with an encryption key derived from the user's login credentials.
Mobile applications should not store the user's password on the device, even where a "remember me" or persistent authentication feature is implemented. Instead, a device-specific authentication token that can be revoked must be used, so that the app reduces the likelihood of unauthorized access, especially if the device is stolen.
Persistent authentication must be implemented as an optional feature rather than the default. Further, authentication based on device identifiers, geolocation or 4-digit PINs must be avoided.
Mobile apps vary in functionality: some operate only online, while others can be used offline as well. Where offline usage exists, authentication must be performed locally. Hence a local integrity check, with code to identify unauthorized access, must be built in.
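The "remember me" pattern described above, as an added example that is not part of the original post: the password is checked only on the server, the handset persists a random device-bound token instead of the password, persistence is opt-in, and the server can revoke the token when the phone is reported stolen. Python stands in for the app's and server's own languages since the post is platform-agnostic; the user database, device id and `DeviceTokenRegistry` class are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption; tune to the server's capacity


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user database: salted PBKDF2 hashes only, never plaintext passwords.
_ALICE_SALT = secrets.token_bytes(16)
_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}


class DeviceTokenRegistry:
    """Server side: one token per device, stored hashed so a database leak does not leak tokens."""

    def __init__(self) -> None:
        self._devices: Dict[str, Tuple[str, str]] = {}  # device_id -> (user, sha256(token))

    def login(self, user: str, password: str, device_id: str) -> Optional[str]:
        """Server-side password check; on success mint a fresh token bound to this device."""
        record = _USERS.get(user)
        if record is None:
            return None
        salt, stored_hash = record
        if not hmac.compare_digest(_hash_password(password, salt), stored_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._devices[device_id] = (user, hashlib.sha256(token.encode()).hexdigest())
        return token

    def authenticate(self, device_id: str, token: str) -> Optional[str]:
        """Return the user for a valid (device, token) pair, else None."""
        entry = self._devices.get(device_id)
        if entry is None:
            return None
        user, token_hash = entry
        candidate = hashlib.sha256(token.encode()).hexdigest()
        return user if hmac.compare_digest(candidate, token_hash) else None

    def revoke(self, device_id: str) -> bool:
        """Invalidate one device's token, e.g. after the user reports the phone stolen."""
        return self._devices.pop(device_id, None) is not None


class MobileClient:
    """Constructed stand-in for the app's persistent storage on the handset."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.storage: Dict[str, str] = {}

    def login(self, server: DeviceTokenRegistry, user: str, password: str, remember_me: bool) -> bool:
        token = server.login(user, password, self.device_id)
        if token is None:
            return False
        if remember_me:  # opt-in, not the default; only the token is persisted
            self.storage["auth_token"] = token
        return True


def remember_me_flow() -> Dict[str, object]:
    """Login, relaunch on the saved token, then revoke after a theft report."""
    server = DeviceTokenRegistry()
    app = MobileClient("device-1234")
    app.login(server, "alice", "correct horse", remember_me=True)
    password_on_device = "correct horse" in app.storage.values()
    on_restart = server.authenticate(app.device_id, app.storage["auth_token"])
    server.revoke(app.device_id)
    after_revoke = server.authenticate(app.device_id, app.storage["auth_token"])
    return {"password_on_device": password_on_device, "restart": on_restart, "after_revoke": after_revoke}
```

Because the token is looked up by device id, a token copied off one handset is useless on another, and revoking the device entry cuts off the stolen phone without forcing a password change.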
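The two tips above, client side data encrypted under a key derived from the login credentials and a local integrity check for offline use, as one added example that is not part of the original post. The key is derived with PBKDF2 from the passphrase and a random salt, so neither the passphrase nor the key is stored; a wrong passphrase and a tampered store both fail the same authentication tag check. To run on the Python standard library alone, the cipher is an HMAC-SHA256 keystream with an HMAC tag, an assumed stand-in for a real AEAD such as AES-GCM, which is what a shipping app should use; the iteration count and blob layout are assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption; tune to the device's CPU budget
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    """Key material exists only in memory, derived from what the user types."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC in counter mode (use AES-GCM in production).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt local data; output layout is salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(_derive_key(passphrase, salt))
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(passphrase: str, blob: bytes) -> Optional[bytes]:
    """Local authentication plus integrity check: None means unauthorized or tampered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(_derive_key(passphrase, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong passphrase or modified store: refuse, do not guess
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    blob = seal("hunter2 passphrase", b"offline session data")  # constructed input
    print(open_vault("hunter2 passphrase", blob))
    print(open_vault("wrong passphrase", blob))
```

The tag is verified before anything is decrypted, so the offline app has a single code path that identifies unauthorized access, whether the cause is a wrong passphrase or a modified file on the device.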
Cryptography and data security complement each other. Unfortunately, data encryption remains jargon that some developers find difficult to comprehend, so the encryption they employ does not always serve its purpose: either a weak algorithm is used, or a strong one is implemented in an insecure way. This is like locking valuables in a safe and leaving the key right next to it, where anyone can find it. It does no good.
We come across mobile applications that use simple encoding methods to protect sensitive information. This leaves the data vulnerable to attack. Splitting the key between the client side and the server side can be a game changer in averting such threats.
On the developer's side, modern algorithms regarded as strong by domain professionals, together with state-of-the-art encryption APIs, are the way out. Testers, meanwhile, must verify that information protection methods are applied when assessing security. Investment in manual analysis, penetration testing and threat modeling also serves the purpose.
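An added example, not from the original post, of the two points above: an "encoded" secret is recoverable by anyone who reads it, whereas a key split into two XOR shares, one in the app and one released by the server only to an authenticated session, never exists in full on the device at rest. The `ShareServer` class and the session flag are hypothetical stand-ins for the app's real backend.

```python
import base64
import secrets
from typing import Optional, Tuple


def encoding_is_not_encryption(secret: bytes) -> bytes:
    """A base64 'protected' value is recovered with a single call and no key."""
    stored_on_device = base64.b64encode(secret)
    return base64.b64decode(stored_on_device)


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """XOR-split: the client share is random, the server share is key XOR client share."""
    client_share = secrets.token_bytes(len(key))
    server_share = bytes(k ^ c for k, c in zip(key, client_share))
    return client_share, server_share


def combine_shares(client_share: bytes, server_share: bytes) -> bytes:
    """Rebuild the key in memory only; either share alone is uniformly random."""
    if len(client_share) != len(server_share):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(client_share, server_share))


class ShareServer:
    """Hypothetical backend that releases its share only to an authenticated session."""

    def __init__(self, server_share: bytes) -> None:
        self._share = server_share

    def fetch_share(self, session_authenticated: bool) -> Optional[bytes]:
        return self._share if session_authenticated else None


def split_key_flow() -> dict:
    """Constructed walk-through: provisioning, a denied fetch, then reconstruction."""
    data_key = secrets.token_bytes(32)
    client_share, server_share = split_key(data_key)
    server = ShareServer(server_share)
    denied = server.fetch_share(session_authenticated=False)
    released = server.fetch_share(session_authenticated=True)
    rebuilt = combine_shares(client_share, released)
    return {
        "denied": denied,
        "rebuilt_matches": rebuilt == data_key,
        "client_share_alone_matches": client_share == data_key,
    }
```

Splitting the key does not replace a strong cipher; it removes the "key next to the safe" problem by ensuring the device alone holds nothing that decrypts the data.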
Data Leakage
Brands and businesses look to map personal details in order to customize and personalize marketing offers. Designing tools to gather data and target consumers is one job; securing the data that has been collected is another, and remains crucial.
In a healthcare app, the need for data security is even greater, since access to analytics and patient details could make the service provider a violator of HIPAA compliance.
Be cautious when selecting analytics providers and implementing advertising campaigns. An attacker who can observe data movements gains a mine of data and records.
Implementing a secure content management solution also helps keep data leakage in check.
Code must be written so that no data leaks through URL caching, keyboard caching, copy/paste buffer caching, logging or HTML5 data storage. Further, when employing analytics tools, ensure that users' sensitive data is not shared with third parties.
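The logging and analytics points above, as an added example that is not part of the original post: every event is scrubbed before it reaches a log line, and the analytics payload is built from an allowlist so that only fields the third party needs ever leave the app. Key names, regexes, the allowlist and the sample event are constructed for illustration; the Luhn check keeps long non-card numbers such as timestamps from being redacted.

```python
import json
import re
from typing import Any, Dict

# Constructed field names that must never reach logs or analytics.
SENSITIVE_KEYS = {"password", "passwd", "token", "auth_token", "session",
                  "secret", "ssn", "card", "credit_card", "email", "dob"}
# Constructed allowlist of fields the analytics provider is permitted to receive.
ANALYTICS_ALLOWLIST = {"event", "screen", "app_version", "os", "duration_ms"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum so that only plausible card numbers are redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_text(text: str) -> str:
    """Mask e-mail addresses and Luhn-valid card numbers inside free text."""
    text = EMAIL_RE.sub("[email]", text)
    return CARD_RE.sub(
        lambda m: "[card]" if _luhn_ok(re.sub(r"\D", "", m.group())) else m.group(), text)


def scrub(value: Any) -> Any:
    """Recursively drop sensitive keys and mask patterns in strings."""
    if isinstance(value, dict):
        return {k: ("[redacted]" if k.lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value


def log_line(event: Dict[str, Any]) -> str:
    """Whatever the logger writes has already been scrubbed."""
    return json.dumps(scrub(event), sort_keys=True)


def build_analytics_payload(event: Dict[str, Any]) -> Dict[str, Any]:
    """Third parties get allowlisted, scrubbed fields only."""
    return {k: v for k, v in scrub(event).items() if k in ANALYTICS_ALLOWLIST}


def sample_event() -> Dict[str, Any]:
    """Constructed checkout event mixing telemetry with data that must not leak."""
    return {
        "event": "checkout",
        "screen": "payment",
        "auth_token": "eyJhbGciOi...constructed",
        "card": "4111 1111 1111 1111",
        "notes": "user bob@example.com paid with 4111 1111 1111 1111",
        "timestamp_ms": "1700000000000",
        "duration_ms": 842,
    }


if __name__ == "__main__":
    print(log_line(sample_event()))
    print(build_analytics_payload(sample_event()))
```

Scrubbing at the single choke point through which logs and analytics events pass is what makes the rule enforceable; relying on each call site to remember is how a token ends up in a crash report.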
Applying these tips during development improves security by leaps and bounds; backing a mobile application with a host of such measures is essential to averting attacks.
Designing an app with a user-friendly interface and eye-catching pages is the icing on the cake. However, it is futile unless the app is built with strong measures to protect users' data. Just as the right temperature makes your cake, the right security measures make your mobile app experience.