Cybercrime could be the end of an online business, and mobile apps are in the crosshairs of hackers. As @ibmsecurity recently wrote, “It’s a mobile ‘Wild West’ out there. The use of mobile devices continues to climb: There are already more Internet-connected mobile devices, such as smartphones and 3G/4G tablets, than humans in the world”. Plus, with the public adoption of cloud storage and the great convenience of interconnected ecosystems, companies that fail to secure vulnerable apps put consumer data at risk.
If your customers trust you enough to hand over their personal details and bank account numbers, you owe them a duty of care to protect their private information. Fail and you lose their trust and their business.
Include security code from the get-go
Attempting to remedy security vulnerabilities after your app is in production is complex, which means fixes take longer and cost more. Secure development lifecycle (SDL) practices should be built in from the beginning rather than shoehorned in as updates after launch - or worse, applied to fix a breach after the damage has been done. Nobody will purchase an app with a breached history anyway.
Look for design flaws in existing apps
To protect your apps from hackers, think like a cyber criminal. Look for vulnerable gateways in the design and the architecture that might be exploited. Vulnerabilities can be fixed by adding extra layers of protection to app functions. Don’t simply rely on implementation testing. Use cryptography, logging and sound development practices; assess threat models, whatever source code is available, data flow diagrams, vulnerable gateways in the network and the design documentation. Although this is mostly a paper-based assessment, careful analysis can identify systemic flaws.
Evolve the ecosystem
Every time a company adds a new application to its estate, it is one more item for your security team and tooling to look after. Tech ecosystems naturally grow quickly over time, and as a company’s IT gets bigger it tends to get weaker: the bigger they are, the harder they fall. Don’t allow your security measures to become strained. Balance controls, interactions and potential weak spots to minimize the attack surface and reduce the risk of attack.
Keep a record of access control policies
As your ecosystem evolves, keep track of every change to your security perimeter, because every time you open inbound ports or add new users, you weaken security. Since IT staff customarily move on to other jobs or responsibilities, the holes left in your security perimeter can easily stay wide open unless they are recorded and reviewed.
Apply adequate security controls
Hackers use automated tools that hunt down new apps and websites and then deploy malware-ridden bots to retrieve data. The general public is largely unaware of the dangers hackers present and, although users are responsible for their own security measures, they do not usually do enough to secure their accounts. Companies can help protect their customers by reinforcing the infrastructure and giving detailed instructions on how end-users can improve the security of their accounts – even to the point of refusing to store passwords that are not considered strong enough.
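One way to implement the last point server-side, refusing weak passwords at registration and storing only a salted key-derivation hash of those that pass, as an added example that is not from the original post (the denylist, length floor and field names are assumptions):

```python
import hashlib
import hmac
import os
from typing import List

# Constructed, illustrative denylist; a real deployment would load a much larger
# list of leaked and common passwords from a file or service.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}
MIN_LENGTH = 12  # assumed policy floor
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # ~16 MiB of memory per hash


def password_problems(password: str, username: str = "") -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def store_password(password: str, username: str) -> dict:
    """Refuse to store a weak password; otherwise return a salted scrypt record."""
    problems = password_problems(password, username)
    if problems:
        # Reject before anything touches the database; the caller reports the reasons.
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), record["hash"])
```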
Given the high stakes involved for online firms, increased security measures should be at the top of your list of priorities – especially when developing apps that will be downloaded to the mobile devices of the loyal customers you rely on to stay in business.
For more information on app security and all the latest and greatest from the World Wide Web, follow us on Twitter and check out our regular blogs.