Mobile security app-titude best practices for secure app design and data privacy

Mobile app security can be very challenging. It’s an attack surface that is often an easy place for hackers to gain access to sensitive information. After all, we use our mobile devices for almost everything from our work to personal lives, and they end up storing an enormous amount of data. This puts them at risk for a serious breach. It also has the potential to negatively impact your company’s relationship with your clients, as the expectation is that you will protect and respect their privacy.

But mobile app owners and developers are receiving a failing grade on due diligence and protecting consumer data.

• Developers aren’t writing secure code because they are not taught to do so, nor do they think about how hackers could access and use the code/data they create.
• Developers are not trained in agile and security best practices to address vulnerabilities before they become a problem.
• Most organizations are struggling to balance agility and security and are not implementing security by design.
• Security and development teams do not have access to the right automated tools and platforms that help establish an effective cybersecurity program.
• There is a lack of awareness and visibility into how third-party apps are using, sharing, or selling the data they collect.
• Business leaders and app owners are not providing enough transparency on how they protect personal data, nor are they providing guidelines on how to have more control over data usage.

As a result, mobile apps do not do a good job of protecting personal data. According to the “Vulnerabilities and Threats in Mobile Applications, 2019” report from Positive Technologies, insecure data storage is by far the most common vulnerability identified in applications, with 76% of those examined found to demonstrate this as a security risk, potentially putting the privacy and security of users at risk.

Why PII security matters

Data breaches are becoming everyday news, and the ramifications of data breaches can be far reaching and last for years. A substantial number of hacking attacks are enabled by exploited application security vulnerabilities. Cybercriminals often go after users’ personally identifiable information (PII), user credentials, and financial and medical information to perform multiple types of frauds and identity theft.

Eduardo Cervantes, former manager of Sentinel Mobile at WhiteHat Security says, “The impact of data abuse can be on individual level, business level, or societal level. An individual could be a subject of identity theft, fraud, or a serious crime if a malicious threat actor lays hands on personal data that’s collected by your app. On a business level, it could be competitive situation where one app leverages user data to gain an unfair advantage. Social impact can be immense and far reaching. Take, for example, the Cambridge Analytica data scandal where the political firm accessed private data of millions of Facebook users to influence elections. It’s important to protect user data and be aware that your app could be contributing to a much larger problem if the stored data can be hacked, stolen, or leaked.”

Collecting large datasets creates increased risk, and most security teams and app developers are not aware of best practices on protecting PII and the implications of sensitive data sharing.

Security by design

Most apps collect data that far exceeds what is necessary for the app. Use these best practices to reduce the risk to user data.

• Collect data only what is required.
• Collect in a responsible way. Know the difference between sensitive and nonsensitive data.
• Secure the collection and storage of the data.
• Evaluate how long you should retain this data.
• Practice rigorous vetting of third-party providers to check on how they use the data that you collect.
• Above all, educate developers on secure coding practices.

Security best practices must be developed even before planning the design and coding. How can you make your code less vulnerable? Test for vulnerabilities throughout the software development life cycle. Implementing security by design and providing the right tools to your developers to vet the apps earlier in the life cycle helps prevent security gaps as the applications are designed, developed, and tested.

Security engineers, mobile app developers, and mobile app business owners must all take steps to implement guidelines and best practices on the collection, sharing, and storage of sensitive data. The more the developers integrate security into the design, the safer applications will be when they are pushed to production.