Mobile app security best practices for product managers
Your customers entrust you with a considerable amount of private information within your apps.
A single data breach by a malicious third party can result in both reputational and legal problems for your app and company, not to mention the costly effort of finding and fixing the exploited vulnerability.
That is why product teams must be diligent in practicing good in-app security hygiene. Here are some best practices to follow that will help you to minimize the number of security vulnerabilities in your app.
Please note, though, that this is far from an exhaustive list of security considerations, and each app’s security requirements are different.
Balance app security with usability
User authentication sits squarely at the intersection of security and usability.
Many apps require their users to log in before using the app. In some cases (for example, social media apps), users only need to log in once and the app keeps those credentials until they are changed elsewhere. In other cases (for example, banking apps), users need to log in and enter their passwords every time they open the app.
When building an app, you need to balance security with usability.
Requiring a password to enter an app increases security but also increases friction. Biometrics like Touch ID or Face ID make this easier on the user but can complicate the user experience. You need to design when biometrics will be used, how it interacts with your username-and-password-based login screen, and what to do when biometrics fail or are unavailable.
Protect user-generated information
Apps are built to handle user-generated information. This can be any data that the user enters into the app. This can also include any information related to the user that gets pulled down from the network.
If the information is stored on the device, you should use the highest encryption setting possible given other requirements (see this article for details).
Be aware that the networking subsystem of your app may cache network requests and responses. If this contains sensitive data, you will need to adjust your cache policy or encrypt the cache. Usernames, passwords, cryptographic keys, and other highly sensitive data should only be stored in secure storage, like the iOS Keychain.
Most apps communicate over the internet with a server. Therefore, keeping data secure while being transferred across the internet is important.
At a minimum, your app should use the Transport Layer Security (TLS) protocol to protect the data being sent and received. In many cases this is sufficient. However, there are tools like Charles Proxy that allow users to inspect the contents of TLS-encrypted communications on their devices. The man-in-the-middle (MITM) approach used by Charles Proxy can also be used by an attacker on an unencrypted Wi-Fi network to intercept and record TLS-encrypted communications.
To mitigate such attacks, apps can perform validations on the server’s certificate chain to ensure that communications have not been tampered with. This process, known as certificate pinning, will only allow communications with a server if its certificate meets certain criteria. While this mitigates the risk of a MITM attack, your system needs to take into account many new failure modes that this can introduce. Also, the use of certain VPN software (for example, Zscaler) can interfere with certificate pinning.
Sometimes the certificate of a server will be revoked or updated — if your app is only pinned to the server’s old certificate, this will require an update to allow it to continue to connect to that server.
Screen privacy on mobile apps
Screen privacy is an often-overlooked area of app security. iOS takes a screenshot of your app when it moves to the background and shows that screenshot when using the multitasking app switcher.
If your app shows sensitive information on the screen (e.g., a bank account balance), you should obscure the contents of your window when entering the background. Otherwise, that sensitive information will be stored as an image in the operating system and will be visible any time the user is switching between apps.
The easiest (and most cost-effective) way to practice good app security hygiene is to do it early and proactively.
Get your team thinking about security best practices from the very beginning of the project. For instance, try using STRIDE modeling to help identify any potential vulnerabilities in your app’s ecosystem. You should do this before any UI has been drawn up or any code has been written to help inform your team’s design choices.
More Insights?View all Insights