Smartphone and tablet users will download 70 billion apps this year, according to an estimate by ABI Research, and the total global mobile app market is expected to be worth $25 billion by 2015, TechCrunch reports.
If you have an idea for a marketable app or are currently developing one, then the world may just be your oyster. But before you take your app to market and get it accepted by an app store, the Federal Trade Commission (FTC) wants to ensure that your security policies are up to scratch and that you have taken the right measures to protect the data that your users share with you.
Why? Apps and mobile devices often rely on consumer data – including contact information, location, photos, and so on – all of which can be vulnerable to data breaches, digital snoops and regular theft. In fact, MarketsandMarkets cites the risk of data theft through delivery of phishing and spyware in mobile apps as the biggest downside to the growth in available apps.
The FTC offers the following 12 tips to help developers approach mobile app security:
1. Appoint a security lead
Your development team should include at least one person responsible for considering security at each stage of your app’s development. If you are a solo entrepreneur, then that person is you.
2. Review the data you intend to collect and maintain
Don’t collect or keep data that you don’t need. If you don’t need users’ contact info, don’t collect it. Likewise, don’t keep user data any longer than you need to – including location data.
3. Understand the differences between mobile platforms
Each mobile operating system uses a different application programming interface (API), which includes different security features and permission handling. So don’t just assume one size fits all; adapt your code accordingly.
4. Don’t rely on a platform alone to protect your users
Platforms may offer features to make security easier, but it’s up to you to understand them. Use them properly, and explain them to your users in everyday language.
5. Create secure user credentials
If your app requires that users create usernames and passwords, make sure that these credentials are secure and appropriate to the nature of your app. For example, a social networking app would require a higher level of authentication (password strength requirements) than a gaming app.
6. Encrypt any data that is transmitted
Use transit encryption (SSL/TLS in the form of HTTPS) to secure usernames, passwords, API keys and any other important data that is transmitted from a device to your server. This is particularly critical because many users access apps over unsecured public WiFi networks. If you use HTTPS, use a low-cost digital certificate from a reputable vendor and ensure your app validates it properly.
7. Exercise caution and use due diligence on libraries and other third-party code
Third-party libraries can save time, but keep your ear to the ground. Does the library or SDK have known security vulnerabilities?
8. Consider protecting data you store on a user’s device
If a user’s device becomes infected by a virus or malware, or they lose their device, think of ways you can help them protect any personal information that your app handles. Encryption is one option. Some platforms have their own storage schemes for protecting sensitive user data such as passwords and keys – use them.
9. Protect your servers, too
If you maintain a server that communicates with your app, take appropriate security measures to protect it. If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server.
10. Don’t store passwords in plain text
Protect user passwords by avoiding plain text storage on your server. Use an iterated cryptographic hash function to hash users’ passwords and then verify login attempts against these hash values. (Because the hash cannot be reversed to recover the original password, users who forget theirs can simply reset them.)
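As an added illustration of tip 10 (example code, not part of the FTC guidance or the original post), this Python snippet stores each password as a salted, iterated PBKDF2-HMAC-SHA256 hash and verifies a login attempt against that record without ever keeping the plaintext; the iteration count, salt length and record format are this example's own assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 is one standard iterated hash. The iteration count and
# salt length below are this example's assumptions, not values from the FTC.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table cannot be reused across users.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != f"pbkdf2_{HASH_NAME}":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: never treat it as a match
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)  # only the salted hash record is ever stored
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Storing the iteration count in the record lets you raise it later for new passwords while old records still verify.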
11. You’re not done once you release your app. Stay aware and communicate with your users
Once your app is out there and available for download, stay involved with its security. Update security libraries, push updates out to users, and use user feedback to help you spot and fix vulnerabilities.
12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations
If your app deals with kids’ data, health data, or financial data, ensure you’re complying with relevant rules and regulations, which are more complex. The FTC offers details on the regulations that your business needs to be aware of in the following guides:
- Children’s Privacy
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- Health Breach Notification Rule
The Bottom Line: One Size Doesn’t Fit All
There are no hard and fast rules for app security. The FTC clearly states that it expects app developers to aim for reasonable data security practices and doesn’t prescribe a one-size-fits-all approach. For example, a basic app such as an alarm clock or flashlight that collects little or no data raises fewer security considerations than a location-based social network or, let’s say, a health-monitoring app. Such apps may use remote servers to store user data, and as a developer you’ll need to secure your app end to end. This includes the software, as well as data transmission and servers.