Top Tips in Mobile App Security
The security holes in the Nissan Leaf EV app, which made it possible to remotely control some vehicle functions through application program interfaces (APIs), have initiated lots of conversations among ArcTouch product teams. My app development team is particularly interested, because a technical approach to mobile app security is the first line of defense.
I hand it to Nissan for admitting its error and apologizing (though it reportedly took more than a month to respond to the first report of a problem). But I also can’t help but point out that the security hole in the Nissan app’s APIs goes against the most basic security best practices. Nissan’s app developers ignored an essential security measure: validating user identity to ensure that a car’s vehicle ID number (VIN) matches the owner/app user. The result is that anyone with a little programming expertise and knowledge of a VIN (visible through the windshield of the Leaf) could remotely control some of the car’s systems.
The data security breach also reveals a lack of focus on protecting user privacy.
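The missing check described above, as an added example (not Nissan's or ArcTouch's code): a request handler that trusts the VIN alone, beside one that authenticates the caller and confirms the VIN belongs to that account. The function names, tokens, VINs and the command string are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): vehicle -> owning account,
# and session token -> authenticated account.
OWNERS = {"VIN-EXAMPLE-0001": "alice", "VIN-EXAMPLE-0002": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: str


def send_command_vulnerable(vin: str, command: str) -> Response:
    """'Before': knowing a VIN is treated as proof of ownership."""
    if vin not in OWNERS:
        return Response(404, "unknown vehicle")
    return Response(200, f"{command} sent to {vin}")


def send_command_hardened(vin: str, command: str,
                          token: Optional[str]) -> Response:
    """'After': authenticate the caller, then authorize against the VIN."""
    user = SESSIONS.get(token or "")
    if user is None:
        return Response(401, "authentication required")
    # One answer for "no such VIN" and "someone else's VIN", so the
    # endpoint cannot be used to learn which VINs are registered.
    if OWNERS.get(vin) != user:
        return Response(403, "not authorized for this vehicle")
    return Response(200, f"{command} sent to {vin}")


if __name__ == "__main__":
    # Alice asks about Bob's car: accepted before the fix, refused after.
    print(send_command_vulnerable("VIN-EXAMPLE-0002", "status"))
    print(send_command_hardened("VIN-EXAMPLE-0002", "status", "tok-alice"))
    print(send_command_hardened("VIN-EXAMPLE-0001", "status", "tok-alice"))
```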
Unfortunately, mobile app security issues like this are more common than you might imagine. But they are always preventable. Apple and Google invest heavily in security, providing most of the tools and capabilities that developers need to build secure apps. Apple takes the security of its platform so seriously that it declined to create a “backdoor” for the FBI to unlock the iPhone belonging to one of the accused San Bernardino shooters.
Ultimately, however, it’s up to us developers to follow certain best practices to ensure data is accessed, transferred, and stored securely in our apps. Here are three key security-related issues ArcTouch focuses on to ensure the apps we build for customers are secure—and how you can avoid a mobile app security situation like the one Nissan experienced.
1. Secure all services within an app
When it comes to security, it’s not just the app that has to be buttoned down. You have to make sure all the services that are integrated to make the app work properly are secure. Apps are connected to data sources and data is flowing in multiple directions. Those connections must be secure, which means you need to have a clear view into the services and systems you are integrating to make an app work flawlessly for end users. When we engineer apps for our customers, it’s our responsibility to map out these systems and figure out these connections to prevent any potential for data or privacy breaches.
iOS and Android have built-in security tools we take advantage of—but we don’t assume security is covered without doing the work ourselves (see “10 Technical Tips for Mobile App Security,” below).
2. Don’t sacrifice mobile app security for speed
In the race to get apps out the door, security can sometimes get short shrift. But neglecting to look closely at the services and data that are converging within your app — as well as how data might be used in the future — can get you in trouble. Specifically, the folks at Nissan seem to have neglected to think through all the privacy ramifications for Leaf owners.
We don’t know if a need for speedy release caused this particular oversight. But we work hard to educate our clients about how important it is to make sure what you put out is totally secure and works like it’s supposed to. How many Nissan Leaf owners do you think will use the app again once it’s secured and re-released?
3. Use extra vigilance to account for a changing data landscape
I want to reiterate something I mentioned earlier: Corporations have less and less control over the data they use. In fact, they don’t always own it. Take the vehicle ID numbers (VINs) of the Nissan Leafs used in the Leaf app hack, for example. According to Computerworld: “Along with controlling some vehicle functions, the other main concern is that the telematics system in the car makes available historic driving data, one security expert said in a blog post.”
Nissan needs a way to reassure the first owners of a car that their data can stay linked just to them—or, as the case may be, removed from public viewing within the app. It’s wise to consider how all the data that flows through your app will be used and how it could potentially be misused if you fail to secure the services your app integrates. This is an issue of reputation management as much as security because as soon as customers sense that you don’t take their data security and privacy seriously, that can drive a wedge between you that could take much more than an improved app release to dissolve.
The issues outlined above provide some food for thought for all app developers and guide my team at ArcTouch as we engineer clients’ mobile apps. If you want to dive a bit deeper into the code weeds, here are 10 technical tips that can help:
10 technical tips for mobile app security
- Server communication should always happen through a secure channel (preferably TLS 1.2).
- Make sure TLS/SSL certificate validation is enabled.
- It’s preferable to use short-lived, revocable, token-based authentication (OAuth).
- Rely on data encryption and file protection provided by native frameworks.
- Leverage native credential storage capabilities (Keychain, KeyStore, etc.).
- Do not hardcode service credentials.
- Use device passcode/fingerprint protection and an on-demand VPN connection when content and services are sensitive.
- Do not store/cache personal or sensitive data unnecessarily.
- Make sure app access can be remotely revoked by deactivating user accounts.
- Review data retention policies for all third-party integrations in your app (such as analytics, performance logging, push notifications, and so on) to ensure compliance.
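The tips on short-lived, revocable tokens, remote revocation by deactivating accounts, and not hardcoding credentials, worked through on the server side as an added example (not ArcTouch's code). The HMAC-signed token is a simplified stand-in for an OAuth access token, not an OAuth implementation. The environment variable name, lifetime and accounts are assumptions.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Signing key is read from the environment rather than hardcoded; the
# variable name is an assumption. A random per-process key is the fallback.
KEY = os.environ.get("TOKEN_SIGNING_KEY", "").encode() or secrets.token_bytes(32)
TTL_SECONDS = 15 * 60            # assumed token lifetime
ACTIVE_USERS = {"alice", "bob"}  # constructed accounts
REVOKED_IDS = set()              # token ids revoked before expiry


def _sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()


def _claims(token: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(token.partition(".")[0]))


def issue_token(user: str, now=None) -> str:
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + TTL_SECONDS,
              "jti": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload).decode()


def verify_token(token: str, now=None):
    """Return the account name, or None if the token must be rejected."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    # Check the signature before parsing anything the client controls.
    if not hmac.compare_digest(_sign(payload.encode()), sig.encode()):
        return None
    claims = _claims(token)
    if now >= claims["exp"] or claims["jti"] in REVOKED_IDS:
        return None
    # Deactivating the account cuts off every token it still holds.
    return claims["sub"] if claims["sub"] in ACTIVE_USERS else None


def revoke(token: str, now=None) -> None:
    """Revoke one token (for example, a lost phone) ahead of its expiry."""
    if verify_token(token, now) is not None:
        REVOKED_IDS.add(_claims(token)["jti"])
```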