Mobile app security: Great apps can be safe, too

By Jonathan Hassell

Mobile apps are a fantastic symbol of progress, allowing users to engage with your company and be productive on the go. With more devices connecting to your services, however, it is important to understand some of the basic tenets of mobile app security to ensure that you benefit from having rich, enjoyable apps while still maintaining system and data integrity.

Containerization

One of the biggest problems companies and developers face when addressing mobile app security is figuring out how to securely store sensitive user data. You need to make sure your app’s conveniences do not come at the cost of exposing private or personal information, especially users’ names, passwords, credit card information and credentials. If your app stores information in an unprotected part of the phone or an unencrypted file, outsiders can defeat its security simply by connecting the device to a computer and browsing its file system.

For enterprise apps that employees use as part of their daily routines, consider containerization. These solutions ensure security by partitioning off a section of a device’s storage so protected information can stay isolated in that one location. If an internal device is lost or stolen, enterprises can wipe the proprietary information in that container remotely. Further, encrypted data is protected in such a way that potential thieves cannot use the information maliciously, even if they have the physical device.

Encryption

For apps that your company is developing, whether for internal or external use, have your developers use each mobile platform’s own secure-storage features. On some devices, you can store information in the encrypted sections of keychains or in the internal app-data folder. This greatly improves the mobile app’s security.

It is also important to build an app that uses a sufficient level of encryption. Several common methods already have been broken or are simple to compromise, including MD5, SHA1 and AES-128. Most security experts agree that using AES encryption with a 256-bit encryption key is sufficient. To hash passwords, keys and other secure information, use SHA-256. Further, be sure to safely manage the private decryption keys for already-secured data.

Input Sanitization

Consider how your app collects information. Does it pull data from outside sources, such as external referrers, third-party systems or any other channel besides direct user input? If so, this represents another potential threat vector in your mobile app security structure. Make sure that you conduct proper range checking and input sanitization so that an attacker cannot use that data to compromise users’ information. This is especially important if your app is used in sensitive industries such as health care, finance and government.

All of this matters. Mobile apps can increase customer engagement and retention, as well as employee productivity, but you must also pay attention to mobile app security. Your tool can have many great features and capabilities; yet CIOs and end users alike will raise questions about how you conduct data encryption and key management. As long as you take the right steps, including separating public and private keys, using security tokens wherever possible and, in general, handling security in a careful manner, you will win over potential users.

Written By

Jonathan Hassell

President, 82 Ventures

Jonathan Hassell runs 82 Ventures, a technical writing and consulting firm based in Charlotte, NC. He focuses on network administration, security, the cloud and mobile technologies.
