Mobile app security

Just how safe is that mobile app you’ve just downloaded? Some worrying statistics here.

How secure is that app you just downloaded?

“Around 79% of the tested apps had network security misconfigurations while 78% lacked adequate code obfuscation which opens the door for hackers to reverse-engineer code. Another 42% missed out on sufficient transport layer protection when sharing data from an app to a server via unprotected channels.”

— Business of Apps

We’d all like to think that an app we downloaded from the App Stores was safe. As a matter of fact, most of us download apps without a second thought to security.

However, according to a recent article on the respected Business of Apps site, 75% of Indian-developed apps on Google Play pose a serious security risk, without even basic security checks being in place.

Out of the 2,976,112 apps on Google Play, more than 157,313 are from Indian publishers.

More details from the survey (conducted by mobile app security specialists Appknox) can be found here.

If this sounds slightly worrying, remember how many apps incorporate some kind of payment layer. With your details on them.

MOBILE APP SECURITY

Writing any software which goes out into the public domain isn’t merely a case of “writing the software”. It also means ensuring that the software is completely safe and doesn’t contain any data leaks, back doors or other security issues which a malicious third party could exploit.

Mobile apps have become much more complicated over recent years. With more functionality expected by users, apps rely on complicated third-party libraries and more complicated architecture. The more complicated an app, the more complicated app security becomes, with an inevitable and expensive test regimen needing to be put in place at the end of any production cycle.

To ensure that all these components are integrated in a secure way takes time and hence money - in an environment where apps are being built for the lowest cost possible on an almost “production line” basis.

If your developers are working in an environment where they’ve learnt a subject by rote, without having to think, and are merely working for the money - which is occasionally determined by how many lines of code they’ve written that day - you’re not going to get a quality app, as safety and security are never going to be major considerations. And this is unfortunately the standard for a lot of outsourced development in countries that compete against their Western counterparts on cash terms - “you get what you pay for”.

COMMERCIAL IP

Mobile app security doesn’t only affect normal users; it’s also vitally important for protecting intellectual property. If you’re a commercial enterprise, giving a malicious user a back door to your corporate and client data is definitely something you want to avoid.

SO HOW DO I KNOW IF MY APP IS SAFE?

If you’re commissioning a mobile app, or have an existing one in the Play stores, there are some simple steps you can take to ensure that your mobile app is safe and secure for your users.

  • If the price seems to be too good to be true, it probably is. We all want the cheapest apps possible, but “cheap” almost invariably means that corners will be cut. Shop around, use a review site like Clutch.co to find a number of developers in an area - compare prior client reviews and prices.
  • Go on the developer’s site and see where their offices actually are. A lot of development companies use “virtual addresses” to get location pins on Google Maps. It might look like they’re local, but that might not be the case. This is endemic in software development, by the way - smoke and mirrors time.
  • Whilst on Clutch, be very wary about providers with lots of reviews which all seem to follow the same format. Has a client written them, or has the developer written them themselves? Check references.
  • Make sure that a developer will issue a Statement of Work which details what security measures are being written to the app and what the testing regimen is for the app. Check the testing is done and with satisfactory results. Ideally, pay a third party to perform the testing.
  • Ask for the source code. You own it, after all - it’s your intellectual property. If you have any worries about your app, have a third party check it.

If you’re a user and worried about app security, it’s a little less cut and dried. Check reviews on the Play stores, find out who wrote the app. Check, check, triple check.

WHAT CAN FORESIGHT DO FOR YOU?

In a race to the lowest possible price, quality is always compromised.

If you'd like a security check-up for your overseas-designed app, mail us - hello@foresightmobile.com - our expert developers and designers can ensure that your app has been properly built with no data leaks, back doors or server transport issues.

Dave's IT background goes back "to the beginning of time", and he has worked with some leading technologies and brands during his professional career.