Market Watch

Building A Secure Mobile Application: A Tech CEO’s Thoughts

December 2016. Yahoo revealed that a hacking group had accessed the account information of over a billion of its users back in 2013. In October 2017 the company confirmed the real number was not one but three billion, every account it had.

November 2019. An affiliate marketer began scraping 1.1 billion pieces of user data, including usernames and mobile numbers, from Taobao, the Chinese shopping site. He was sentenced to three years in prison.

June 2021. LinkedIn confirmed that data on 700 million users, scraped from the platform rather than taken in a breach of its systems, had been posted for sale on a dark web forum. That is over 90% of LinkedIn's user base.

Incidents like these cost companies money and credibility, and security concerns are one of the reasons users delete apps. Don't let them happen to your app. The techniques below are what it takes to build a safe mobile app.

Secure code prevents security issues

Malicious code affects over 11.6 million mobile devices at any given time. Attackers hunt for bugs in your code and reverse engineer the app to find them, and all they need for that is a public copy of the app from the store. Assume every line you ship will be read by an adversary.

Thus, use the techniques below to secure the code.

  1. Use HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over a TLS connection (the older name SSL survives in everyday use, but the SSL protocol versions themselves are obsolete and should be disabled). The client and server first authenticate the server and agree on keys, then every request and response travels encrypted.

An eavesdropper on the path (a public Wi-Fi network, a compromised router) still sees that traffic flows and which host it goes to, but the contents (URLs, passwords, session tokens, HTML) appear only as streams of random bytes, so a captured session is worthless. Two caveats: HTTPS protects data in transit only, so data stored on the device or the server needs its own protection, and it only helps if the app cannot be downgraded to plain HTTP, so disallow cleartext traffic in the Android network security config and leave App Transport Security enabled on iOS.

  2. Use the POST method over the GET method to send sensitive data

GET carries its parameters in the URL, so a password or token sent that way ends up in browser history, proxy and CDN caches, Referer headers and server access logs, none of which HTTPS protects. A URL that carries parameters is also trivially shareable: an attacker can mail a pre-built link that performs the action as soon as the victim opens it.

POST keeps the data in the request body, which TLS encrypts and which does not land in logs, history or the Referer header, and a plain link in an email cannot carry a POST body. POST is not a security control on its own, though: the body is readable to anyone on the path if the connection is not HTTPS, and an attacker who controls the client can alter whatever is submitted, so the server must validate every field whichever method is used.

  3. Accept only valid SSL/TLS certificates

The server's certificate is how the client confirms it reached the real server before any data is exchanged. The connection is only as secure as that check, and a mobile app has no browser doing it on its behalf: the app's own HTTP client must validate the certificate.

If the app skips validation, anyone who can get onto the path (a rogue access point, a malicious proxy) can present their own certificate, read everything the user sends and receives, and alter it in transit. The usual way this happens is a developer disabling verification to get past a self-signed test server and shipping that code.

Thus, never accept a certificate the client cannot validate. A validating client checks the following:

  • The certificate is not self-signed (it was issued by a certificate authority, not by itself)
  • The certificate is within its validity period (both notBefore and notAfter)
  • The chain ends at a root certificate in the app's trust store
  • The name in the certificate matches the host the app connected to
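How a TLS client applies that checklist, as an added example that is not code from the original article. A throwaway in-memory PKI issues a root CA and four leaf certificates, one per outcome, and the standard-library x509 verifier classifies each. Go is used because its standard library contains a complete verifier; the same checks run inside OkHttp or URLSession on a phone whenever validation is left on. The CA names, the host api.example.com and the validity periods are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates an in-memory test certificate for host, signed by parent
// (self-signed when parent is nil). Constructed demo PKI only, not a real CA.
func issue(host string, isCA bool, notBefore time.Time, days int,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Classify runs the checklist the way a TLS library does (chains to a known
// root, within its validity period, name matches) and names the failure.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown) && bytes.Equal(leaf.RawIssuer, leaf.RawSubject):
		return "self-signed"
	case errors.As(err, &unknown):
		return "unknown root"
	}
	return "invalid: " + err.Error()
}

// ClientTLSConfig is what the app's HTTP client should use: trust only known
// roots and leave InsecureSkipVerify false. Setting it true is the "accept any
// certificate" mistake; it would make every case in Scenarios look valid.
func ClientTLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// Scenarios issues one certificate per checklist outcome and classifies each.
func Scenarios() map[string]string {
	now := time.Now()
	root, rootKey := issue("Example Root CA", true, now.AddDate(-1, 0, 0), 3650, nil, nil)
	other, otherKey := issue("Unknown Root CA", true, now.AddDate(-1, 0, 0), 3650, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the app's trust store: only Example Root CA
	const host = "api.example.com"
	good, _ := issue(host, false, now.AddDate(0, 0, -1), 90, root, rootKey)
	expired, _ := issue(host, false, now.AddDate(0, -6, 0), 30, root, rootKey)
	selfSigned, _ := issue(host, false, now.AddDate(0, 0, -1), 90, nil, nil)
	stranger, _ := issue(host, false, now.AddDate(0, 0, -1), 90, other, otherKey)
	return map[string]string{
		"signed by known root": Classify(good, roots, host, now),
		"expired":              Classify(expired, roots, host, now),
		"self-signed":          Classify(selfSigned, roots, host, now),
		"signed by unknown CA": Classify(stranger, roots, host, now),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-22s -> %s\n", name, verdict)
	}
}
```

ClientTLSConfig shows the production-side setting: a trust store of known roots and InsecureSkipVerify left at its default of false. The test-server shortcut the text warns about is the opposite setting, and with it all four certificates above come back as valid.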

Encryption is the key

December 2015. A terrorist attack in San Bernardino, California, killed 14 people and injured 22. The FBI recovered an iPhone 5C from one of the perpetrators, but the data on it was encrypted and the FBI could not access it.

The FBI asked Apple for a way past the phone's protections. Apple declined. The FBI went to court, and in the end paid an unidentified third party over a million dollars for a method to get at the data.

If encryption can hold off the FBI, it can hold off whoever steals a phone or a copy of your database.

Thus, never store or transmit sensitive data in plaintext. Use Transport Layer Security (TLS) for data in transit and an authenticated cipher such as AES-256-GCM for data at rest, on the device and on the server, so that what an attacker lifts from storage is ciphertext they can neither read nor silently modify. Two caveats the cipher itself does not cover: the key must not be hard-coded in the app (it would be recovered by the same reverse engineering described above; use the platform keystore on the device and a key management service on the server), and passwords are never encrypted at all but hashed with a slow, salted function such as bcrypt, scrypt or Argon2, so that even you cannot recover them.
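What storing only the scrambled version looks like in practice, as an added example rather than code from the original article: AES-256-GCM sealing of one record with a fresh nonce per record, the record identifier bound as associated data, and the key generated where the platform keystore or a KMS would otherwise supply it. The sample record and the recordID strings are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey makes a 256-bit data-encryption key. In a real app the key lives in the
// platform keystore (Android Keystore, iOS Keychain) or a server-side KMS, never
// as a constant in the binary, because a hard-coded key is recovered by the same
// reverse engineering described earlier.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. A fresh random 12-byte nonce is
// prepended to the output (reusing a nonce under the same key breaks GCM), and
// recordID is bound as associated data so a ciphertext copied from one row of
// the database cannot be decrypted in the context of another.
func Seal(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. GCM's authentication tag makes any change to the stored
// bytes, or a mismatched recordID, fail closed instead of yielding garbage.
func Open(key, sealed []byte, recordID string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// Demo reports three outcomes on a constructed sample record: the round trip
// works, a single flipped bit is rejected, and the same ciphertext presented
// under another record ID is rejected.
func Demo() (roundTrip, tamperRejected, swapRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	const record = `{"card":"4111 1111 1111 1111","exp":"12/27"}` // constructed sample
	sealed, err := Seal(key, []byte(record), "user:42")
	if err != nil {
		return false, false, false, err
	}
	pt, err := Open(key, sealed, "user:42")
	roundTrip = err == nil && string(pt) == record
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one bit of the stored bytes
	_, tamperErr := Open(key, tampered, "user:42")
	_, swapErr := Open(key, sealed, "user:43")
	return roundTrip, tamperErr != nil, swapErr != nil, nil
}

func main() {
	fmt.Println(Demo()) // true true true <nil>
}
```

The associated data is the part most homegrown schemes leave out: without it, an attacker with write access to the database can move a valid ciphertext from one user's row to another and the app will happily decrypt it.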

Using third-party libraries? Be cautious

2018. A new maintainer took over event-stream, a popular JavaScript library, and added a malicious dependency, flatmap-stream, that targeted the Copay Bitcoin wallet built by BitPay and stole wallet keys. The malware exposed the data of over 8 million users.

You don't want the same to happen to your app. Evaluate third-party libraries before using them; here is how.

Check the ratings, download counts and issue tracker of the candidate library. See how often users reported a problem and how severe the problems were.

Analyze the code and see whether it is well structured. Is there an up-to-date, comprehensive README? Is the library documented? A stable library with few open bugs usually reflects good code quality.

Run a background check on the author. Is the author active on GitHub? Does the author fix bugs, accept pull requests and respond to issues? If yes, the library is a reasonable choice.

Prefer open-source libraries. A closed-source library is a security risk in itself: you cannot read, debug or audit it, and you cannot assess its quality. Note that event-stream would have passed every check above on the day it was compromised; the attack arrived through a maintainer handover and a new dependency version. So pin exact versions with a lockfile that records integrity hashes (package-lock.json, go.sum and their equivalents), review what changed before upgrading, and re-evaluate a library whenever its maintainer changes.

Authorized APIs strengthen app security

Amazon Web Services, Dropbox and Twitter all require callers to authenticate before their APIs do anything. If these companies insist on authorized APIs, so should you.

Need more reasons? Here are some. 

An API without authorization lets anyone make unlimited calls without registering. You will never know who used your API or which endpoints they hit, and because a request carries no identity, nothing stops a caller from sending a DELETE request against another user's account, so every user's data is at risk.

An authorized API accepts calls only from registered callers, each presenting a credential (an API key or an OAuth token) that ties the request to an identity. That lets you log who is using the API and for what, assign different permission levels to different callers, and throttle or block a caller that exceeds the rate limits.
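An authorized API front door that does the four things just listed, as an added example (not code from the original article or from any of the companies named): each call is tied to a registered key, attributed in an audit log, rate limited per caller, and checked against the caller's permission level before a DELETE may touch an account. The keys, principals and account numbers are constructed sample data.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Principal is the identity a registered API key resolves to.
type Principal struct {
	Name    string
	Account string // the only account this caller may modify
	Admin   bool   // permission level: admins may act on any account
}

// keys is the registration table (constructed sample keys; real ones are long random strings, stored hashed).
var keys = map[string]Principal{
	"key-alice-0123456789": {Name: "alice", Account: "42"},
	"key-bob-9876543210":   {Name: "bob", Account: "43"},
	"key-ops-5555555555":   {Name: "ops", Admin: true},
}

// API is the authorized front door for /accounts/{id}: every call is
// authenticated, attributed, rate limited, permission checked and audited.
type API struct {
	mu     sync.Mutex
	window time.Duration
	max    int                    // calls allowed per caller per window
	hits   map[string][]time.Time // recent call times per key (sliding window)
	Log    []string               // who called which endpoint, and the outcome
}

func NewAPI(maxPerMinute int) *API {
	return &API{window: time.Minute, max: maxPerMinute, hits: map[string][]time.Time{}}
}

func (a *API) allow(key string, now time.Time) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	recent := a.hits[key][:0]
	for _, t := range a.hits[key] {
		if now.Sub(t) < a.window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= a.max {
		a.hits[key] = recent
		return false
	}
	a.hits[key] = append(recent, now)
	return true
}

func lookup(presented string) (Principal, bool) {
	for k, p := range keys { // constant-time compare, so timing does not leak key bytes
		if subtle.ConstantTimeCompare([]byte(k), []byte(presented)) == 1 {
			return p, true
		}
	}
	return Principal{}, false
}

func (a *API) audit(who, method, path string, status int) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.Log = append(a.Log, fmt.Sprintf("%s %s %s -> %d", who, method, path, status))
}

func (a *API) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	key := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	p, ok := lookup(key)
	if !ok {
		a.audit("anonymous", r.Method, r.URL.Path, http.StatusUnauthorized)
		http.Error(w, "registration required", http.StatusUnauthorized)
		return
	}
	if !a.allow(key, time.Now()) {
		a.audit(p.Name, r.Method, r.URL.Path, http.StatusTooManyRequests)
		http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
		return
	}
	account := strings.TrimPrefix(r.URL.Path, "/accounts/")
	if r.Method == http.MethodDelete && account != p.Account && !p.Admin {
		a.audit(p.Name, r.Method, r.URL.Path, http.StatusForbidden)
		http.Error(w, "not your account", http.StatusForbidden)
		return
	}
	a.audit(p.Name, r.Method, r.URL.Path, http.StatusOK)
	fmt.Fprintf(w, "%s on account %s by %s\n", r.Method, account, p.Name)
}

func main() {
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", NewAPI(60)))
}
```

Run it and send `curl -X DELETE -H 'Authorization: Bearer key-alice-0123456789' http://127.0.0.1:8080/accounts/43` to see the 403; omit the header for the 401; repeat any call more than 60 times in a minute for the 429. In production the presented key would be hashed and looked up by hash rather than compared against every stored key, and the audit log would go to durable storage rather than memory.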

High-level authentication = less worry

Build apps that accept only strong passwords: a minimum length of 12 characters, with letters, numbers and special characters, and reject any password that appears in a known breach list. Forcing a change every three or six months was standard advice for years; NIST SP 800-63B now advises against routine rotation, because it pushes users toward predictable variations of the old password, and recommends requiring a change only when there is evidence of compromise.

Add multi-factor authentication: the static password combined with a dynamic one-time password (OTP) generated by an authenticator app or hardware token, or with a biometric such as a fingerprint or retinal scan. OTPs delivered by SMS are the weakest option, since SIM swapping and interception defeat them, but even they beat a password alone.
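The password policy and the dynamic OTP from the last two paragraphs, as an added example that is not code from the original article: a policy check, then a TOTP generator and verifier (RFC 6238 on top of RFC 4226's HOTP) of the kind an authenticator app and the backend both compute from a shared secret. The 12-character floor is an assumption of this example; the secret used in main is the RFC test vector and must never be used as a real secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
	"unicode"
)

// CheckPassword applies the policy from the text (letters, digits and a
// special character) plus a length floor; length does more for strength than
// character classes, so a short password cannot pass by mixing classes.
// The returned slice is empty when the password is acceptable.
func CheckPassword(pw string) []string {
	var problems []string
	if len([]rune(pw)) < 12 {
		problems = append(problems, "shorter than 12 characters")
	}
	var letter, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			letter = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if !letter {
		problems = append(problems, "no letter")
	}
	if !digit {
		problems = append(problems, "no digit")
	}
	if !special {
		problems = append(problems, "no special character")
	}
	return problems
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation, then the low `digits` decimal digits, zero padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238 with the usual parameters (30-second steps, 6 digits); this
// is what an authenticator app computes from the shared secret.
func TOTP(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix()/30), 6)
}

// VerifyOTP accepts the current step and one step either side to absorb clock
// skew, and compares in constant time. The server must also refuse to accept
// the same step twice for a user (replay) and lock out after a few failures,
// since 6 digits is only a million guesses.
func VerifyOTP(secret []byte, presented string, at time.Time) bool {
	ok := false
	for skew := -1; skew <= 1; skew++ {
		expected := TOTP(secret, at.Add(time.Duration(skew)*30*time.Second))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not for real use
	fmt.Println(CheckPassword("Tr0ub4dor&3"), TOTP(secret, time.Unix(59, 0)))
}
```

The shared secret is the whole security of the second factor: it is generated on the server, shown once as a QR code for enrolment, and stored encrypted with the key-handling rules from the encryption section.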

You can use transaction signing as well. To authorize a transaction, the backend sends a push notification with the transaction details (amount, recipient) to the app; the user confirms or denies it, and confirming requires the PIN or fingerprint used for authentication. Because the details are displayed and approved on the enrolled device, a stolen password alone cannot complete a transaction, and the user sees exactly what they are approving.

Use tamper-detection technologies

Tamper-detection technologies make it harder to analyze how the app works and stop attackers from modifying its behavior at runtime, for example with a hooking framework or a repackaged build.

They check the environment the app runs in (a rooted or jailbroken device, an emulator, an attached debugger), monitor the integrity of the app's own code, and trigger a reaction when a threat is detected.

You choose the reaction: display a warning, limit functionality, or terminate the session. One caveat: these checks run on hardware the attacker controls, so a determined reverse engineer can eventually bypass them. They raise the cost of an attack; they must never be the only thing standing between an attacker and your server-side data.
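The three capabilities just described (integrity of the app's code, environment checks, a configurable reaction), as an added illustrative example that is not code from the original article or from any tamper-detection product. Integrity is an Ed25519 signature over the shipped code, verified against a public key compiled into the app; the environment probes are a Linux procfs debugger check and a root-marker list; Policy holds the reaction. The root-marker paths and the "app code" stand-in are assumptions of the example; real products use platform-specific probes and obfuscate the checks themselves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"os"
	"strings"
)

type Threat string
type Action int

const (
	BinaryModified  Threat = "binary modified"
	DebuggerPresent Threat = "debugger attached"
	RootedDevice    Threat = "rooted or jailbroken device"
)

const (
	Allow Action = iota
	Warn
	Restrict
	Terminate
)

// Policy maps each threat to the reaction the text lists; when several threats
// are found the strongest reaction wins.
var Policy = map[Threat]Action{BinaryModified: Terminate, DebuggerPresent: Terminate, RootedDevice: Restrict}

// SignBuild runs in the build pipeline: sign the SHA-256 of the code that will
// ship. The private key stays in the pipeline; only the public key is compiled
// into the app.
func SignBuild(priv ed25519.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	return ed25519.Sign(priv, digest[:])
}

// IntegrityOK is the runtime check: a repackaged build with any byte changed,
// or a signature not made with the pipeline's key, fails it.
func IntegrityOK(pub ed25519.PublicKey, code, sig []byte) bool {
	digest := sha256.Sum256(code)
	return ed25519.Verify(pub, digest[:], sig)
}

// DebuggerAttached reads the Linux/Android procfs view: TracerPid is non-zero
// while a ptrace-based debugger is attached. On other platforms the read fails
// and the check reports false (iOS answers the same question via sysctl).
func DebuggerAttached() bool {
	status, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return false
	}
	for _, line := range strings.Split(string(status), "\n") {
		if strings.HasPrefix(line, "TracerPid:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "TracerPid:")) != "0"
		}
	}
	return false
}

// rootMarkers is an assumed, illustrative list of paths whose presence is a
// common sign of a rooted Android device; real products check far more signals.
var rootMarkers = []string{"/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/tmp/su"}

// Scan runs all checks. exists and debugged are injected so the environment
// probes can be simulated; in the app they are os.Stat and DebuggerAttached.
func Scan(pub ed25519.PublicKey, code, sig []byte, exists func(string) bool, debugged func() bool) []Threat {
	var found []Threat
	if !IntegrityOK(pub, code, sig) {
		found = append(found, BinaryModified)
	}
	if debugged() {
		found = append(found, DebuggerPresent)
	}
	for _, p := range rootMarkers {
		if exists(p) {
			found = append(found, RootedDevice)
			break
		}
	}
	return found
}

// Decide returns the strongest action the policy demands for the threats found.
func Decide(found []Threat) Action {
	action := Allow
	for _, t := range found {
		if Policy[t] > action {
			action = Policy[t]
		}
	}
	return action
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // in real life: build-time keypair
	code := []byte("app code")                // constructed stand-in for the shipped binary
	sig := SignBuild(priv, code)
	fileExists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	fmt.Println(Decide(Scan(pub, code, sig, fileExists, DebuggerAttached)))
}
```

Note the limit the caveat above describes: an attacker who patches the binary can also patch IntegrityOK to return true, which is why real products spread and obfuscate these checks and why the server should independently attest the client where the stakes justify it.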

Test security at each stage of building the app

TechRepublic reported that only 40% of mobile app developers pay attention to app security.

New security threats will always emerge, and leaving them untreated puts user data at risk. One successful attack can cost you both money and credibility.

Thus, fix bugs with every update and deploy patches whenever needed. Use emulators and instrumented test devices, automated scanners, and penetration testing to find vulnerabilities before attackers do.

Security tests not only keep your app safe; according to SmartBear, they can also save up to $150k a year in bug fixes.

Sacrificing app security will end up hurting your business

According to the Verizon 2020 Mobile Security Index, 43% of organizations had not invested in mobile security in 2019, and those companies were twice as likely to have suffered a mobile security incident as the ones that had.

Don't be one of that 43%. Build a safe mobile app your customers can trust.