1. Write Secure Code

Bugs and vulnerabilities in your code are the starting point most attackers use to break into an application. They will try to reverse engineer the app and tamper with it, and all they need is a public copy of it, which any app store provides. One vendor report estimated that malicious code was affecting over 11.6 million mobile devices at any given time. Keep the security of your code in mind from day one and harden it, making it tough to break through. Obfuscate and minify your code to raise the cost of reverse engineering; it cannot prevent it, since anything the device can execute a determined analyst can eventually read. Test repeatedly and fix bugs as soon as they are exposed. Design your code so it is easy to update and patch, and keep the update path working so that a fix can reach users quickly after a breach. Use code hardening and code signing.
2. Encrypt All Data

Every unit of data your app stores or exchanges must be encrypted: in transit with TLS (validating the server certificate, with pinning where the threat model warrants it) and at rest with an authenticated cipher such as AES-GCM under a key held in the platform keystore. Encryption scrambles plain text into something that has no meaning to anyone without the key, so even if data is stolen there is nothing criminals can read and misuse. You can see the strength of properly implemented encryption in the fact that organizations like the FBI and NSA have had to go to vendors and courts for access to locked iPhones and encrypted WhatsApp messages. Well-implemented encryption holds; what attackers exploit in practice are implementation mistakes such as hard-coded keys, disabled certificate validation, unauthenticated cipher modes, and plaintext copies left in logs, caches and backups.
3. Be Extra Cautious With Libraries

When using third-party libraries, be doubly careful and test the code thoroughly before using it in your app. As useful as they are, some libraries can be extremely insecure. The GNU C Library, for instance, had a security flaw in getaddrinfo (CVE-2015-7547) that could allow attackers to remotely execute malicious code or crash a system, and it went undiscovered for over seven years. Pin exact versions and verify checksums through a lockfile, pull dependencies from a controlled internal repository rather than straight from the internet, and apply policy controls at acquisition time (known vulnerabilities, maintenance status, licence) so that one vulnerable library cannot silently enter every build.
4. Use Authorized APIs Only

Use only APIs that have been vetted and approved for your app; loosely coded or unreviewed APIs can unintentionally grant an attacker privileges that can be misused gravely. For example, caching authorization information locally lets programmers reuse it across API calls and makes the APIs easier to use. However, it also gives attackers a loophole: whatever the client caches, the client can alter, so a cached role or permission list is an invitation to hijack privileges. Authorize every call centrally, on the server, from state the client cannot edit.
5. Use High-Level Authentication

Since some of the biggest security breaches happen because of weak authentication, it is becoming increasingly important to use stronger authentication. Quite simply, authentication refers to passwords and other personal identifiers that act as barriers to entry. A large part of this depends on the end users of your application, but as a developer you can steer them. Design your app to require long passwords (length matters more than a forced mix of character classes), screen them against lists of known-breached passwords, and force a change when there is evidence of compromise rather than on a fixed three- or six-month schedule, which current guidance (NIST SP 800-63B) no longer recommends. Multi-factor authentication is gaining prominence; the common form combines a static password with a dynamic one-time code from an authenticator app or hardware token. For highly sensitive apps, biometric authentication like retina scans and fingerprints can be used too, ideally as the gate to a device-bound key rather than as a credential sent to the server.
6. Deploy Tamper-Detection Technologies

There are techniques that set off alerts when someone tries to tamper with your code or inject malicious code: checking the app's own signature at start-up, verifying checksums of the files it ships with, and detecting debuggers, hooking frameworks and rooted or jailbroken devices. Active tamper-detection goes further and makes sure the code will not function at all if it has been modified. Treat these as raising the attacker's cost rather than as absolute protection: a check that runs on the attacker's own device can itself be patched out, so the server side must never trust a client's claim that it passed.
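Code signing from tip 1 and the active tamper-detection described here are two halves of one mechanism: the build signs a manifest of what it shipped, and the running app refuses to start unless the files it finds still match that signature. This added example (written for this page, not code from the article) shows both halves with Ed25519 from Go's standard library. The file names and contents are constructed sample data, and the in-memory signing stands in for a build server that would keep the private key in an HSM or signing service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one file inside the app bundle. The contents used below are
// constructed sample data, not code from any real app.
type Artifact struct {
	Path    string
	Content []byte
}

// Manifest lists the SHA-256 of every shipped file, sorted by path, so the
// bytes that get signed are canonical regardless of file-system order.
func Manifest(files []Artifact) []byte {
	sorted := append([]Artifact(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path })
	var b strings.Builder
	for _, f := range sorted {
		sum := sha256.Sum256(f.Content)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), f.Path)
	}
	return []byte(b.String())
}

// Sign runs on the build server. The private key stays there; only the
// public key is compiled into the app.
func Sign(priv ed25519.PrivateKey, files []Artifact) []byte {
	return ed25519.Sign(priv, Manifest(files))
}

// Verify runs at start-up: it recomputes the manifest from the files that are
// actually present and checks the build-time signature. A modified, added or
// removed file changes the manifest and invalidates the signature, so the
// caller can refuse to run (the article's "active tamper-detection").
func Verify(pub ed25519.PublicKey, files []Artifact, sig []byte) bool {
	return ed25519.Verify(pub, Manifest(files), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := []Artifact{
		{"lib/auth.js", []byte("function login(u, p) { /* constructed sample */ }")},
		{"assets/config.json", []byte(`{"api": "https://api.example.invalid"}`)},
	}
	sig := Sign(priv, files)
	fmt.Println("untouched bundle verifies:", Verify(pub, files, sig))

	// A repackaged copy with the login routine patched out.
	patched := []Artifact{files[1], {"lib/auth.js", []byte("function login(u, p) { return true }")}}
	fmt.Println("patched bundle verifies:", Verify(pub, patched, sig))
}
```

The limit stated above applies here too: an attacker who repackages the app can also remove the call to Verify, so the server should treat a passed check as a hint, not proof, and rely on its own authorization for anything that matters.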
7. Use the Principle of Least Privilege

The principle of least privilege dictates that code should run with only the permissions it absolutely needs and no more. Your app should not request any more privileges than the minimum required for it to function. If you don't need access to the user's contacts, don't ask for it. Don't make unnecessary network connections. The list goes on and largely depends on the specifics of your app, so perform continuous threat modeling as you update your code.
8. Deploy Proper Session Handling

"Sessions" on mobile last much longer than on desktops, which makes session handling harder for the server. Use randomly generated tokens instead of device identifiers to identify a session: a device identifier is static, often visible to other apps and cannot be withdrawn, whereas a token can be revoked at any time, which is what matters when a device is lost or stolen. Store only a hash of each token on the server, give tokens an expiry, and bind them to a user and device record so that one device's sessions can be cut off without logging the user out everywhere. Enable remote wiping of app data from a lost or stolen device and also enable remote log-off.
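Tip 4 (authorize centrally, never from state the client caches) and tip 8 (revocable tokens, remote log-off) are served by the same server-side component, so one added example covers both. It is written for this page, not taken from the article; the in-memory map stands in for the shared session database a real deployment would use, and user, device and scope names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrUnauthorized = errors.New("unauthorized")

// Session is the server-side record for one issued token. The token itself is
// never stored, only its SHA-256, so a copy of this table cannot be replayed.
type Session struct {
	UserID   string
	DeviceID string
	Scopes   map[string]bool
	Expires  time.Time
}

// SessionStore is the single place that answers "may this call proceed?".
// An in-memory map stands in for the shared database a real deployment uses.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[[32]byte]*Session
	now      func() time.Time // injectable clock, so expiry can be tested
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[[32]byte]*Session{}, now: time.Now}
}

// Issue mints a random 256-bit bearer token bound to one user and device.
func (s *SessionStore) Issue(userID, deviceID string, scopes []string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	granted := map[string]bool{}
	for _, sc := range scopes {
		granted[sc] = true
	}
	s.mu.Lock()
	s.sessions[sha256.Sum256([]byte(token))] = &Session{userID, deviceID, granted, s.now().Add(ttl)}
	s.mu.Unlock()
	return token, nil
}

// Authorize is the central check every API handler calls. The client only
// presents the token; which scopes it carries is read from the server-side
// record, never from anything the client cached or sent alongside it.
func (s *SessionStore) Authorize(token, scope string) (*Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sha256.Sum256([]byte(token))]
	if !ok || s.now().After(sess.Expires) || !sess.Scopes[scope] {
		return nil, ErrUnauthorized
	}
	return sess, nil
}

// RevokeDevice is the remote log-off for a lost or stolen device: every
// session bound to it is dropped and its token stops working immediately.
func (s *SessionStore) RevokeDevice(userID, deviceID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for h, sess := range s.sessions {
		if sess.UserID == userID && sess.DeviceID == deviceID {
			delete(s.sessions, h)
			n++
		}
	}
	return n
}

func main() {
	store := NewSessionStore()
	tok, err := store.Issue("alice", "phone-1", []string{"read"}, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	_, err = store.Authorize(tok, "read")
	fmt.Println("read with issued token:", err)
	_, err = store.Authorize(tok, "admin")
	fmt.Println("admin with read-only token:", err)
	fmt.Println("sessions revoked for phone-1:", store.RevokeDevice("alice", "phone-1"))
	_, err = store.Authorize(tok, "read")
	fmt.Println("read after remote log-off:", err)
}
```

Note what the client never gets to decide: it cannot extend its own scopes, cannot keep using a token after the device record is revoked, and cannot outlive the expiry, because every one of those facts lives only on the server.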
9. Use the Best Cryptography Tools and Techniques

Key management is crucial if your encryption efforts are to pay off. Never hard-code keys in the app: anyone with a copy of the binary can extract them. Keep keys in the platform's secure container (the Android Keystore, or the iOS Keychain backed by the Secure Enclave), which is designed never to hand the raw key material to your code, and never write them to ordinary local storage such as preferences, files or databases. Some widely used hash functions like MD5 and SHA-1 have proven insufficient by modern security standards. Stick to current, well-reviewed primitives and APIs: AES-256 in an authenticated mode such as GCM for encryption, SHA-256 for integrity checks, and a memory-hard function like Argon2 or scrypt (never a bare SHA-256) for passwords.
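Tips 2 and 9 together amount to one pattern: authenticated encryption under a key the application asks for but never contains. The following added example, written for this page rather than taken from the article, shows that pattern with AES-256-GCM from Go's standard library. The KeyProvider interface is the assumption that makes it portable: on a phone its implementation would call the Android Keystore or iOS Keychain, while the in-memory provider here exists only so the example runs anywhere. The record and owner strings are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyProvider abstracts where the data-encryption key really lives. On a
// phone this would be backed by the Android Keystore or the iOS Keychain;
// application code only ever asks for the key, it never contains one.
type KeyProvider interface {
	Key() ([]byte, error)
}

// memoryKeyProvider is a stand-in for the platform keystore so the example
// runs anywhere. It is a demo assumption, not a secure store.
type memoryKeyProvider struct{ key []byte }

func (m memoryKeyProvider) Key() ([]byte, error) { return m.key, nil }

// NewDemoKeyProvider draws a fresh random 256-bit key from the OS CSPRNG.
func NewDemoKeyProvider() (KeyProvider, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return memoryKeyProvider{k}, nil
}

func newGCM(kp KeyProvider) (cipher.AEAD, error) {
	key, err := kp.Key()
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random 96-bit nonce per message is mandatory: reusing one under
// the same key leaks plaintext and lets an attacker forge tags. The aad
// (additional authenticated data) is not encrypted but is bound to the tag,
// which is how a record is tied to its context, for example its owner.
func Seal(kp KeyProvider, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(kp)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails, without returning any plaintext, if a single
// bit of the ciphertext, tag or aad was changed or a different key is used.
func Open(kp KeyProvider, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(kp)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	kp, err := NewDemoKeyProvider()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: balance=1200")
	owner := []byte("user:alice")
	sealed, err := Seal(kp, record, owner)
	if err != nil {
		panic(err)
	}
	out, err := Open(kp, sealed, owner)
	fmt.Printf("decrypted: %q err=%v\n", out, err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(kp, sealed, owner)
	fmt.Println("after tampering:", err)
}
```

Binding the owner as additional authenticated data is a cheap way to stop a stolen ciphertext being replayed under another account: the tag only verifies when the same context is supplied at decryption time.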
10. Test Repeatedly

Securing your app is a process that never ends. New threats emerge and new solutions are needed. Invest in penetration testing, threat modeling, and emulators and instrumented devices to continuously test your apps for vulnerabilities. Fix them with each update and issue patches when required. The headline incidents of 2017 like WannaCry and NotPetya (ransomware and wiper outbreaks rather than data breaches, but every bit as damaging) have got everyone to rise up and take notice of the importance of cyber security, and the coming years will see everyone from organizations to consumers taking security more seriously than ever. Security will become a bigger differentiator in the success of apps than usability and aesthetic appeal. The above guidelines will help you keep your app security tight as an oyster and keep your clients and users happy.