As mobile apps continue to grow in popularity and importance, it is imperative that developers embrace best practices to keep these programs safe. The mobile and digital landscapes are constantly evolving, becoming increasingly dangerous as hackers and other cybercriminals explore new ways of infiltrating networks and stealing sensitive data.
Writing for InformationWeek, Charlie Fairchild, senior Android developer for WillowTree Apps, recently highlighted several of the most important potential vulnerabilities that mobile app developers must avoid to ensure the cybersecurity of their programs.
Clear and present danger
One of the most significant dangers that mobile app developers must be wary of, according to Fairchild, is insecure data storage. As an example of this problem, the writer pointed to the Starbucks mobile app. The coffee company recently revealed that its payment app stored users’ names, email addresses, geo-location tracking data and passwords in clear text. This presents a serious risk to both the consumers and the organization.
“That allowed anyone with access to the phone to see passwords and usernames just by connecting the phone to a PC,” Fairchild explained. “With this information in hand, unauthorized individuals would have the credentials to log in to the Starbucks website as well.”
To avoid this issue, the writer emphasized the need to ensure that the apps do not allow sensitive information to reside on the user’s device unless it is protected with strong encryption. Taking shortcuts is a recipe for a data breach.
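As an added illustration of the point above (example code written for this post, not code from the article, WillowTree or Starbucks), the clear-text storage pattern the article describes is shown beside a hardened alternative that uses Jetpack Security's EncryptedSharedPreferences; it assumes an Android Context and the androidx.security:security-crypto dependency.

```java
// Added example: insecure clear-text credential storage vs. an encrypted store.
// Assumes an Android app with the androidx.security:security-crypto library.
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class CredentialStore {

    // INSECURE: plain SharedPreferences are an XML file in the app's data
    // directory. Anyone who can read the device storage (a rooted phone, a
    // backup, a debuggable build attached to a PC) sees the password as text.
    public static void saveInsecure(Context ctx, String user, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences("login", Context.MODE_PRIVATE);
        prefs.edit().putString("user", user).putString("password", password).apply();
    }

    // HARDENED: keys and values are encrypted with AES-256 under a master key
    // held in the Android Keystore, so the file on disk is ciphertext. Prefer
    // storing a revocable session token rather than the password itself.
    public static SharedPreferences openEncrypted(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                "login_secure",
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    public static void saveSecure(Context ctx, String user, String sessionToken)
            throws GeneralSecurityException, IOException {
        openEncrypted(ctx).edit()
                .putString("user", user)
                .putString("session_token", sessionToken)
                .apply();
    }
}
```

Reading the stored file with a static analysis tool or by pulling it from a test device is a quick check: the insecure variant shows the password verbatim, the hardened one shows only ciphertext.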
Another important vulnerability to avoid, Fairchild highlighted, is unintentional data leakage. He noted that in their haste to accumulate user data, many businesses’ mobile apps run the risk of compromising the consumer’s privacy. If a firm’s mobile app developers do not strike the balance between collecting useful data and protecting users’ privacy, there is no way of knowing in whose hands the “leaked” data may end up.
Fairchild also warned mobile app developers to be wary of trusting untrusted inputs. For example, he noted that some mobile apps decide whether or not to accept input from a source on the basis of cookies and environment variables. The problem with this, he explained, is that cyberattackers can potentially modify these inputs, thereby appearing more trustworthy than they really are. Mobile app developers must adopt more stringent standards for validating input to avoid falling victim to such tactics.
As Fairchild acknowledged, achieving cybersecurity while pursuing mobile app development is a difficult task. He recommended that developers who are struggling in this area consider seeking outside assistance.
It is worth noting, though, that secure mobile app development can be greatly improved if firms invest in the right tools. For example, by leveraging static code analysis tools, developers can identify defects or vulnerabilities early on in the process, before they become significant problems. This significantly reduces the risk that a given mobile app will be infiltrated by cyberattackers, and therefore keeps both the consumer and the company safe from the threat of data loss or exposure.
• Read how static code analysis with Android-specific checkers helps mobile developers (PDF)
• Learn how to identify threats and apply defensive coding principles by watching our Introduction to Secure Coding for C/C++ course