Our CTO, Jared Blake, sat down with PCMag’s Security Watch team to discuss easy ways to protect mobile apps from leaking sensitive customer data. At Moki, we’re dedicated to app security and were grateful for the opportunity to share some best practices.
Full article from PCMag.com:
When we write up Mobile Threat Monday, we’re often telling you about yet another Android app that is leaking your personal information all over the place. Sometimes, it’s because of third-party advertising platforms integrated into apps, but other times it’s just plain ol’ bad decisions made by the app’s developer. Just take a look at Starbucks, and their embarrassing episode.
Jared Blake, the CTO at Moki, sat down to tell us five simple things developers can do to make their apps better and avoid making headlines like Starbucks.
1: Use HTTPS For Everything
Speaking from personal experience with our Mobile Threat Monday coverage, many developers seem to ignore SSL when creating their apps. Blake says that’s just unacceptable. He said that communications should “Always be done in HTTPS. There’s just no good reason not to.”
Securing communications with SSL defeats a number of common attacks, like man-in-the-middle attacks. If this all sounds familiar, it’s because we talk about it all the time. Blake says developers must embrace HTTPS, “even if you feel like you’re being a little paranoid.”
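To make the “HTTPS for everything” rule concrete, here is an added example that is not code from the article or from Moki. It is written in Python as a portable stand-in for the HTTP client an Android or iOS app would actually use: every outbound URL is checked for the https scheme before a request is built, and the TLS context keeps certificate and hostname verification switched on, which is the part that actually defeats the man-in-the-middle attack mentioned above. The function names and the example.com host are this example’s own assumptions.

```python
import ssl
from urllib.parse import urlparse
from urllib.request import urlopen


def is_https(url):
    """True only for an absolute https:// URL with a host; plain http is rejected."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def require_https(url):
    """Guard for every outbound call: refuse to send anything over cleartext HTTP."""
    if not is_https(url):
        raise ValueError("refusing to send data over a non-HTTPS URL: %r" % url)
    return url


def make_tls_context():
    """A context that actually defeats a man-in-the-middle: the server certificate
    must chain to a trusted root and match the hostname, and old TLS versions are off."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_strict(ctx):
    """Self-test for a context: a single `ctx.check_hostname = False` added somewhere
    to get past a self-signed test server silently undoes the protection."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def fetch(url, timeout=10):
    """Fetch url over verified TLS; a cleartext URL is rejected before any socket opens."""
    with urlopen(require_https(url), context=make_tls_context(), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Hypothetical endpoint; no request is made unless you call fetch().
    print(require_https("https://api.example.com/login"))
    print(is_strict(make_tls_context()))
```

The is_strict check is worth running once at startup: an app that uses HTTPS but has certificate verification disabled is still open to interception, and that kind of change tends to slip in during testing and never get reverted.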
2: Don’t Try to Invent Your Own Encryption
When it comes to securing data, developers shouldn’t try to reinvent the wheel. “All of the major operating systems have NIST certified crypto frameworks,” said Blake. He said that these built-in encryption libraries are well established and have been vetted by experts, so developers should take advantage of them.
This is important because apps frequently hold critical user data like passwords and login credentials. Storing that information in plaintext simply isn’t good enough.
3: Clean Up Your Logs
In the case of Starbucks, app developers inadvertently revealed users’ login and password information in the app’s log files. This didn’t surprise Blake, who quipped that, “developers will throw anything into a log.”
But developers need to carefully consider what information goes into these files, which help analyze problems with the app and improve future releases.
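One way to keep a Starbucks-style leak out of the log files is to scrub records before any handler writes them. The following is an added example, not code from the article or from Moki, using Python’s standard logging module as a stand-in for whatever logging facility the app’s platform provides; the list of sensitive field names, the placeholder text and the sample log lines are constructed for this illustration.

```python
import logging
import re

# Field names whose values must never reach a log (a constructed list for this example;
# extend it with whatever your app actually handles).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "authorization", "secret")

# Matches key=value, key: value and "key": "value" forms, case-insensitively.
_SENSITIVE_RE = re.compile(
    r'(?P<key>"?(?:' + "|".join(SENSITIVE_KEYS) + r')"?\s*[=:]\s*)'
    r'(?P<quote>"?)(?:Bearer\s+|Basic\s+)?[^"\s,&]+(?P=quote)',
    re.IGNORECASE,
)


def redact(text):
    """Replace the value of every sensitive field in text with a placeholder."""
    return _SENSITIVE_RE.sub(
        lambda m: m.group("key") + m.group("quote") + "[REDACTED]" + m.group("quote"),
        text,
    )


class RedactingFilter(logging.Filter):
    """Scrub each record before any handler formats it, so the raw value never hits disk."""

    def filter(self, record):
        # Format first, then redact; redacting a "%s" placeholder in the template
        # would break the later formatting step.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """In-memory handler standing in for a file handler, so the example is self-contained."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def logged_output(message, *args):
    """Log one message through the filter and return exactly what a handler would write."""
    logger = logging.getLogger("example.redaction")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    return handler.lines[0]


if __name__ == "__main__":
    # Constructed sample lines of the kind that ended up in the Starbucks log.
    print(logged_output("login failed user=%s password=%s", "alice", "hunter2"))
    print(redact('{"user": "alice", "password": "hunter2"}'))
    print(redact("Authorization: Bearer eyJhbGciOi.payload.sig"))
```

A filter like this is a safety net, not a substitute for deciding up front what belongs in a log: a credential embedded in a free-form message with an unexpected field name will still get through, so the primary fix is to stop logging request bodies and auth headers at all.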
4: Know Your Platform
It might seem obvious to consumers, but Android and iOS are very different platforms. Blake says that this in turn leads to different security issues in each platform. Just because you’ve carefully considered security issues on Android doesn’t mean that your app will be secure on iOS.
5: Be Aware of Personal Info and Your Audience
Blake chalks up a lot of the issues developers are facing with personally identifiable information to sheer inexperience. The advent of mobile applications has come on very quickly, and Blake says that many developers simply aren’t “thinking through the ramifications of what they’re building.”
Blake says that developers need to ask themselves if the information their app gathers is something users are going to worry about if it’s exposed. If so, the information needs to be carefully secured—or not gathered at all.
Consumers Need To Be Aware
Of course, consumers also need to be educated. They need to understand that even information that seems mundane—like a phone number or email address—can reveal a lot about them. They also need to understand how apps gather that information, which on Android is done mostly through app permissions.
“Don’t just blindly accept those permissions,” he said. “Think through them. Do I really want to give an app access to my lockscreen? My contacts?”
Blake also mentioned that although some malicious applications slip through Google’s vetting system for the Play store, it’s still a very safe place to get your apps. “I’m hard pressed to think of a situation where someone would distribute an app outside the Play Store that I would want to download,” he said.