Interviews

There’s a hack for that

by Mark Rowe

Mobile devices offer the freedom to be online anywhere, at any time, writes Wayne Munday, Non-Executive Director at Rokk Media.

From checking your bank balance on the go to ordering a gift during your work lunch hour and working remotely, users are no longer restricted to their desktops. This is enabled by a multitude of apps connected to APIs around the world that help to safely deliver data, services and convenience to mobile and desktop users.

Apps are not just about innovation and providing an enhanced customer experience; they have to be secure by design to ensure users and their data are safe online. Although there is no “one-size-fits-all” approach to the development process and the needs of each app, well-engineered security does need to be the cornerstone.

Many apps rely heavily on sensitive user information, making them a target for, and vulnerable to, hackers, malware and more. Without the provision of enhanced security in the development phase, companies risk endangering not only their customers’ data but also their apps, their own systems and their reputations.

Lately, we’ve seen some high-profile hacking cases in the media – most notably, Facebook. Hackers exploited a bug in the ‘view as’ function, allowing them to take over and use accounts exactly as if they were the account holders. With 50 million people affected by the breach and 40 million logged out as a precaution, users were concerned that the platform’s single-sign-in tool, which lets account holders use their Facebook login to access sites like Tinder and Instagram through mobile and desktop apps rather than creating multiple unique passwords, had been accessed. Even more worryingly, users could have been vulnerable regardless of whether they used Facebook to log into a third-party site.

A further update from Facebook’s VP of Product Management, Guy Rosen, said: “We have now analysed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook login.”

However, if third-party websites had enabled the option for people to log in each time during the development phase, this would have added an extra layer of protection – inarguably this is very much a case of usability over security rather than striking a balance between the two. The embattled company is now potentially facing a $1.63 billion fine if it is proved they didn’t do enough to protect users in the European Union under GDPR requirements.

Similarly, another scandal highlighting the lack of process in the app development phase, and arguably a lack of testing, came in the form of the security breach during the 2018 Conservative Party conference. Trolls logged into the party’s mobile app, which wasn’t password protected, using MPs’ and party members’ email addresses. This gave access to sensitive information such as phone numbers, as well as enabling hackers to make changes to users’ profiles and compose messages from their accounts. Much like Facebook, the Conservative Party is now facing massive fines and an investigation by the Information Commissioner.

App security is fundamental, and organisations need to reassure consumers that security is at the top of their list. Vulnerabilities in an app’s source code and failure to test that code make apps targets for hackers, and even though network and data security are important, security must be a key consideration at the conception of the app, becoming intrinsic to the design.

Similarly, the development team should assess the app’s APIs to ensure they meet user requirements and have sufficient security in place to prevent unauthorised access or eavesdropping on the path from users’ devices back to the app’s server and database. Measures should include containerisation, penetration testing and network vulnerability testing. Database encryption and encrypted connections with a VPN should all be considerations from the get-go.

Authentication and authorisation technology also helps to secure the login process by proving to the app who users are. App security also relies heavily on securing APIs and the flow of data between users, the cloud and multiple devices, all of which need to be verified and authorised in order to access data. Quality Assurance testing is fundamentally important to any software or website project, to ensure that from concept through to a live product, all security factors are considered, designed well and built robustly.

Ultimately, mobile apps are increasingly becoming a place where hackers lurk, and implementing a robust security strategy in the development process allows businesses to respond quickly to threats, therefore creating a safe environment for users, securing loyalty and protecting assets.

About the author

Wayne Munday is Non-Executive Director at Rokk Media, who specialise in web development, mobile applications and software for businesses. Wayne has experience in international sales, marketing and strategy through positions at NavTeq, MapQuest.com and AOL Inc. Having also served as the UK Managing Director for erento, CRO and Co-Founder of OTPmedia and COO at Ticket Zone, Wayne brings his digital media and business development insight to Rokk.

Rokk Media assists all from SMEs to large-scale corporations with their digital transformation, on strategy, design, production and support of digital projects.


© 2024 Professional Security Magazine. All rights reserved.
