More and more companies developing their own mobile apps take the extra step to ensure mobile app security — and for a good reason.
According to the 2021 annual report by the Identity Theft Resource Center (ITRC), the year 2021 set a record for the number of data compromises: 1,862 instances. At the time of writing, the center had reported 1,291 data compromises for the first three quarters of 2022. That’s data on publicly disclosed breaches in the US only.
On average, a data breach costs the affected company around $4.35 million (global average), as per IBM data from 2022. Add to that the tremendous blow to reputation if information about the breach becomes public. Looked at this way, it dawns on every entrepreneur that data security is important.
In this article, we talk about the importance of implementing solid data security practices into mobile apps and how to do it right. We draw upon our experience in developing security-focused products like our messenger app for the Middle East region.
What is data protection in the modern sense
The rapidly digitalizing world is crazy about data security (rightfully so), and today we have numerous national and international laws implemented for the sole purpose of protecting proprietary information. All of them are built on more or less the same principles. The most well-known international law of this kind is probably the General Data Protection Regulation, or GDPR for short.
GDPR is built on the following seven principles for processing personal information:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
If we were to summarize these principles without quoting the whole Article 5 of GDPR, implementing data security measures means that any data shall be:
- collected and processed in the minimum necessary amount
- stored for only the necessary period and then deleted
- used only for specified purposes, and
- protected from theft or tampering by any party other than the data owner
Data collectors must also notify users about the collection and processing of their data. The data collector and processor are to be accountable for compliance with these principles.
What mobile app users' data usually needs to be protected?
We’ve all seen messages about cookies in browsers, but no such thing exists in mobile apps. At the same time, mobile apps can collect, store, and process far more sensitive information than, for example, websites that users don’t log into. Such data has the potential to cause real harm if compromised.
So what kinds of user data does a mobile app owner need to protect? Here’s a non-exhaustive list of sensitive data:
- Personally identifiable information. This includes ID/driver’s license information, physical addresses, and phone numbers. Such information is frequently used in e-commerce apps since to send a package, the seller needs this information. Some delivery apps store door lock key codes in their apps, potentially opening apartment buildings to robbers.
- Personal health information and medical records. Telemedicine apps and some health and medicine intake trackers (e.g. those aimed at people with chronic ailments) sometimes sync with EHR systems and can deliver data from users to their doctors. Other times, the app might only store data without transferring it; the user might, at their discretion, show it to the doctor at a later date.
- Payment card and banking information. Although these days, most apps use G Pay and Apple Pay for processing payments, it’s still not unusual for some of them to store credit card information in the app, especially when users prefer to not connect system wallets to their cards. If this is the case, app owners must go to great lengths to protect such data.
- Social security numbers, insurance information. Apps that deal with insurance store users’ social security numbers and insurance information. Such information is considered sensitive alongside personally identifiable information.
All this information might be stored in user profiles in mobile apps to be used for the app’s purpose — making purchases, maintaining health, managing personal activities, and more. And if such data is stolen from the app’s servers, it can be used for identity theft, fraud, phishing attacks, robbery, and more crimes.
Hence, if you’re developing an app that must deal with one or several kinds of such sensitive information, it is your duty as the app’s owner to provide sufficient app customer data protection.
There are several ways to ensure data security for mobile apps, to which we will switch later. First, we’d like to highlight some of the latest cases of data leakage.
Latest popular cases of user mobile app data leakage
As we’ve mentioned at the beginning of this article, 2021 was a year with a record high number of data breaches. A number of those involved mobile apps. Here are just some of them.
Android users data leak
This breach wasn’t of one specific app. Instead, it involved numerous apps. At least twenty-three apps were affected, but there might have been more. However, the number of affected apps is not what’s important.
What is important is the cause. A number of app developers didn’t pay enough attention to the configuration of their third-party cloud services, which resulted in exposing the personal data of over 100 million Android users. The data exposed included personally identifiable information like names and addresses as well as medical information, photos, payment information, and phone numbers.
In February 2021, multiple outlets reported a case where a Chinese developer created an open-source app that allowed web and Android users to access the iOS-only Clubhouse app. People could listen to any Clubhouse streams without having either an iPhone or an invite code, which was another point of contention when it came to Clubhouse.
While this breach didn’t seem to be of a malicious sort initially, it did expose holes in Clubhouse’s security and allowed anyone to access private discussions.
Klarna payment app
Swedish mobile banking app Klarna suffered a data breach in May 2021, which was dealt with swiftly, though, and reportedly failed to cause any significant harm. The essence of the breach was that users logging into their accounts were briefly logged into other — random — users’ accounts and could see their account information.
Facebook is notorious for its major data breach scandals: the Cambridge Analytica scandal in 2016, the data leakage of 2019, and the latest 2021 leakage that was said to exploit the same vulnerability that was supposed to be fixed in 2019. The result? 533 million users from all over the world had their data leaked.
Portpass COVID certification app
A private app aimed at allowing users to prove their vaccination status in Canada had personally identifiable information of its users exposed on its unprotected website. The data included photos of driver’s licenses and passports, names, addresses, phone numbers, and even blood types of users.
Core types of data security controls
Access control, or access management, is the simplest among the components of data security. As the name suggests, it means that you limit access to spaces where the data is stored to as few people as possible. Only employees that require such access to perform their duty can have the ability to obtain the data, and such employees need to be carefully selected.
Proper authentication for your mobile app will help set up some protection against leaks and breaches on the users’ side. If your app deals with sensitive data (financial, health-related, or personally identifiable), the process of logging into the app needs to have safeguards in place. Examples include facial recognition, fingerprint scanning, and two-step authentication via short-term codes sent to email.
It’s one of the GDPR principles to store sensitive user information on servers only as long as it’s necessary to provide services. When the need for this information subsides, the data shall be erased. After all, data can’t be hacked or leaked from servers if there’s no data there.
One of the surest ways to protect user data in your mobile app is to employ end-to-end encryption. This way, an accidental data leak becomes almost impossible since the data won’t make any sense without decryption keys. Hacking such data will also be much harder, especially if decryption keys are kept not on your servers but on user devices and are unique to each user.
One of the ways to encrypt data is to mask it. Data masking is a process where characters and numbers are concealed by proxy characters. It’s not a perfect solution but it works against some accidental or non-malicious breaches.
Whereas encryption, masking, and erasure are meant to protect from leaks and hacks, data resilience is the protection against data loss. If there’s data you or your users need constantly, you must have a backup of such data. This way, if something were to happen to your main servers, the data can be restored from the backup.
We at Mind Studios were saved by upholding this practice when the OVH servers that we used were among those that caught fire in March 2021 and some of the data was damaged. But we had backups, so everything turned out fine.
Incident Response Plan
In case a breach or leak does happen, your company needs to have a plan of action set up beforehand. Different regulators have their own requirements as to what such a plan must include.
Usually, the first thing to do after discovering the leak is to notify affected users that their data might be compromised, especially if data leaked can be used for malicious purposes like identity theft or fraud.
Mobile app data security challenges
Privacy and data security are becoming harder and harder to maintain with the growth of Big Data. People are sharing more and more of their lives online — in messengers, social networks, banking apps, on e-commerce and healthcare platforms, etc.
Moreover, app owners keep other data about their users, like in-app behavior and activity logs used to improve services and provide targeted advertising. The sheer amount of such data is a challenge to keep safe and organized. Due to this, it’s not much of a surprise that a small error in processes might result in a leak.
Another weak point is that some of the data that apps collect might be stored on third-party resources. Such resources aren’t part of the app owner’s organization and therefore, the resource’s security isn’t in the app owner’s control.
So what can you do to make sure your app and its users are safe?
How to increase mobile app data security
As you can see from the examples above, not all data leaks are the work of hackers or happen due to malicious intent. In fact, the overwhelming majority of data breaches, a whopping 95%, happen due to human error.
This means that you don’t necessarily need to invest billions of dollars into some over-the-top measures. What you need is a mobile app data security strategy built on solid practices and by responsible, reliable data safety specialists.
What measures can be taken to ensure the safety of your mobile app’s users’ data?
Use SSL/TLS certificates for app security
Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates are essential to safely communicate data between your app’s servers and users’ devices. They let the app verify that it is talking to your server, and the connection they secure encrypts the data in transit so that deciphering intercepted traffic becomes nearly impossible.
While SSL/TLS certificates are among the most reliable ways to protect user data in your apps, they can sometimes be vulnerable to man-in-the-middle (MITM) attacks. If your mobile app deals with information highly sought after by criminals (for example, it’s a banking app), we encourage you to employ SSL pinning.
SSL pinning is a technique in which the app accepts connections only from servers that present a certificate it already knows. This blocks responses from unknown servers and prevents MITM-issued fake certificates from being trusted. It is done by pinning the host’s SSL certificate in your app during development. Certificates from the pinned host will be considered the only reliable ones.
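The pinning check described above can be sketched as follows. This is an added example, not code from the original article: it pins whole certificates by SHA-256 fingerprint, and the function names, the pin set and the sample "certificate" bytes are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# A real app ships only the fingerprints, computed from its server certificates.
SAMPLE_PRIMARY_DER = b"constructed-primary-certificate-der"
SAMPLE_BACKUP_DER = b"constructed-backup-certificate-der"


def fingerprint(der_cert: bytes) -> str:
    """Return the base64 SHA-256 fingerprint of a DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


# The backup pin lets the server certificate be rotated without locking out
# app versions that are already installed.
PINNED = frozenset({fingerprint(SAMPLE_PRIMARY_DER), fingerprint(SAMPLE_BACKUP_DER)})


def is_pinned(der_cert: bytes, pins=PINNED) -> bool:
    """True only if the presented certificate matches one of the pins."""
    if not der_cert:
        return False  # fail closed when no certificate was presented
    seen = fingerprint(der_cert)
    # compare_digest avoids leaking how many leading characters matched
    return any(hmac.compare_digest(seen, pin) for pin in pins)


def open_pinned(host: str, port: int = 443, pins=PINNED) -> ssl.SSLSocket:
    """Connect with normal CA and hostname validation, then enforce the pin."""
    ctx = ssl.create_default_context()  # pinning is added on top of CA checks
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    if not is_pinned(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError(f"certificate for {host} matches no pinned fingerprint")
    return sock
```

A certificate issued by an interception proxy passes CA validation only if its root is trusted on the device, but it still fails `is_pinned`, so the connection is dropped before any user data is sent.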
Regularly test your app for vulnerabilities
There are ways to test and eliminate vulnerabilities. The important thing here is to do it regularly since:
- hacking methods evolve quite fast
- if there’s a vulnerability caused by human error, developers might miss it when checking once, but repeated testing by several specialists will ensure it’s found
Penetration testing is when your developers or QA specialists perform a simulated cyberattack on your app, aiming to find all possible weak links in code. This kind of testing can be done for servers/backend, front-end, APIs, etc. Finding vulnerabilities is a prerequisite for eliminating them.
Be careful while using third-party libraries
The big Android data breach we mentioned above happened due to misconfiguration of third-party cloud services. Sometimes, developers might be tempted to trust the library provider, especially if it’s a renowned one, and overlook a misconfiguration or an error in code.
When using third-party libraries, it’s essential to check everything rigorously, since it’s not the same as writing code from scratch and it’s easier to miss an error.
How Mind Studios can help
Ukrainian software engineers placed #1 in Security challenges and #11 overall during the 2016 HackerRank Programming Olympics. Since then, Ukrainian software development companies have continued to evolve and educate themselves and their specialists.
In 2021, the Coursera Global Skills Report placed Ukraine at #8 in Technology. The 2022 Skill Value report by Pentalog has Ukrainian developers at #4 globally.
We at Mind Studios take pride in our country’s focus on technological development and we place security of data high on our priority list for projects we undertake as well. We’ve worked on multiple products that dealt with personal information, and we’ve implemented top-level security to protect user data there.
As the world moves into digital spaces, the need for data protection measures will only increase and data security legislation will only become stricter. People’s trust in Facebook is in tatters after numerous data breach scandals. Similar scandals involving companies big and small are heard loud and clear, not covered up anymore.
Whether you’re a start-up owner or a seasoned business person with an existing mobile app, it’s essential to keep up with the latest data protection technologies. Reviewing your product’s safety against them and updating data protection measures accordingly is becoming a top priority.
At Mind Studios, we are adept at mobile app security and we can deal with any challenge that comes to us in this area. If you have any questions on the topic, our representatives can offer you a 45-minute free consultation if you fill in the form.