It happens once a week or so. Twitter lights up and Facebook is abuzz with news of another embarrassing and potentially costly mobile security failure. It happened to Apple. It happened to Snapchat. It happened to Starbucks.
Too often, developers get caught up in perfecting an app’s functionality, and forget – or neglect – to do the meticulous security testing that should be de rigueur. In fact, a recent study by web security company Cenzic found security flaws in 96 percent of apps tested.
The problem is, perfecting the functionality is much more, well, fun. And when security works, few people notice or care. Getting it right is a thankless task. Thankless, but essential. Because when it doesn’t work, it can cost you money, customers, and respect.
So what can you do about it? Talk to your developer. Here are our top five security concerns to get the conversation started:
- One size does not fit all: As we wrote last week, developing for Apple’s iOS and developing for Android’s multitudinous versions are very different experiences. It is vital that your developer – whether in-house or outsourced – have a plan of attack (or defense, really) for keeping your apps secure on both platforms.
- A failure to communicate: It may seem obvious, but recent events show the practice is not as universal as it should be: Secure your communications. Anywhere information is sent or received should be protected using SSL. And there’s no need to get fancy with your encryption; there are plenty of encryption options that have been painstakingly developed and vetted by experts, so use their hard work to your advantage.
- Photos, finished?: An increasing number of apps function on photos. We’re depositing checks, refilling prescriptions, and filing insurance claims by snapping pics. And, as Walgreens recently learned, sometimes those highly sensitive photos don’t disappear the way they should after they have served their purpose; instead, they get caught in a temporary cache that savvy hackers can find and exploit. If photos are part of your plan, make sure your app is disposing of these pics securely, quickly, and completely.
- Log logic: An app’s log keeps track of events that happen in the program; the information can be used to improve performance, understand how consumers are using the app, or troubleshoot problems. Not everything that can be logged should be logged, however. User names, passwords, and other private information are best kept out. Ask your developer to be clear about what is being logged and why.
- Watch your back: Keeping devices secure as they run your app is important. Imperative even. But it isn’t everything. Any data stored on the backend needs to be protected too. Don’t neglect to talk to your developer about how to ensure security everywhere data might hang out.
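To make the “Log logic” point concrete, here is an added example (not from the original post, and not tied to any particular app) of a small logging filter that masks user names, passwords and similar fields before a log line is written; the list of sensitive keys and the sample events are constructed for illustration.

```python
import logging
import re

# Keys whose values must never appear in a log line (assumed list; extend per app).
SENSITIVE_KEYS = {"password", "passwd", "pin", "token", "session", "username", "email"}

# Matches "key=value" or "key: value" pairs for those keys inside free-text messages.
_PAIR_RE = re.compile(r"(?i)\b(password|passwd|pin|token|session|username|email)\s*[=:]\s*\S+")


def scrub_text(message: str) -> str:
    """Mask the value of every sensitive key=value pair found in free text."""
    return _PAIR_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)


def scrub_fields(fields: dict) -> dict:
    """Return a copy of a structured event with sensitive values masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in fields.items()}


def render_event(message: str, **fields) -> str:
    """Format one event the way it would appear in the log after scrubbing."""
    extras = " ".join(f"{k}={v}" for k, v in sorted(scrub_fields(fields).items()))
    return f"{scrub_text(message)} {extras}".strip()


class RedactingFilter(logging.Filter):
    """Filter that scrubs sensitive data from a record before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(str(record.msg))
        if isinstance(record.args, dict):  # "%(key)s" style formatting arguments
            record.args = scrub_fields(record.args)
        return True  # never drop the event, only mask it


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    # Constructed sample events: the password and user name are masked, the rest is kept.
    log.info("login failed password=hunter2 for username=alice")
    log.info("screen=%(screen)s user=%(username)s", {"screen": "deposit", "username": "alice"})
    print(render_event("check photo uploaded", username="alice", screen="deposit"))
```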
The upshot is this: Ask questions until you are satisfied. Talk early and often and never be afraid to pose just one more question. Your security – and your reputation – could be at stake.