Why is app security making headlines?
COVID-19 introduces new major security risks. Here's how to secure your apps from a developer's perspective.
Security concerns are now top of mind in the news, as cybersecurity incidents have skyrocketed during the pandemic. In recent months, many apps have been a source of scrutiny from governments and user privacy watchdogs. Controversial contact-tracing apps are deploying worldwide, with some reporting major security flaws that can expose personal data. Meanwhile, COVID-19 has challenged businesses with new security risks of employees working from home.
From an app developer’s perspective, the bright side is that people are taking app security more seriously than ever before. In the aftermath of a security breach, developers have a responsibility to raise awareness about how to secure apps at every stage of their lifecycle. To avoid being the victim of an app attack, the number one preventative measure is education.
I had a chance to recently speak at the European Cybersecurity Online Conference 2020 on web and mobile app security. Here is a breakdown of what I had to say, and the key takeaways that everyone should know about securing apps:
Know Your Enemy
Who attacks apps, and why? There are four major actors when it comes to malicious app attacks: state-sponsored hackers, ideological attackers, those criminally motivated for financial gain and then finally, the bots that power all of them. When developing an app, it’s critical to know which weaknesses an enemy is most likely to exploit.
For example, if you’re running an ecommerce store, attacks on user data (e.g. credit card info) are usually financially motivated. If your app serves government workers or city utilities, attackers may aim to shut down key services by bombarding resources or installing malware.
What Do They Want?
Depending on your industry and app type, attackers may want different things. So-called ‘cryptojackers’, for instance, can steal users’ computing power to mine cryptocurrencies like Bitcoin. If you regularly host ads in your apps, you may be vulnerable to ad fraud that steals revenue from ad technologies. Then of course there’s data compromise (personal data, credit card data, corporate data, passwords, etc.). Knowing the specific risks your industry faces can greatly mitigate the effects of an attack.
The Open Web Application Security Project (OWASP) is also a great resource for the most significant web application security risks of the last couple of years, along with the tools and strategies to deal with them.
Secure Software Development Lifecycle
As app developers, we have to think about security at every step of the way. This means that as early as the requirements stage, we have already planned for security and privacy concerns. We make the same assessments shown above (about the type of app, industry, and likely vulnerabilities) before any design is laid out. In terms of app security, our project lifecycle looks something like this:
Of course, security is everyone’s responsibility. When we talk about security, we’re not just talking about attackers. We treat any data coming from the user as insecure, and any new code from developers as something that needs to be tested. We look at everything from:
- Where are data inputs within the application?
- How are users entering their private information safely?
- How does the app secure requests?
- How can continuous code inspection prevent accidentally introducing security vulnerabilities?
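Treating every data input as untrusted starts with an explicit allow-list check at the boundary. The following is an added example, not code from the original article: it validates a JSON request body against a schema that states the expected fields, types, formats and ranges, and rejects anything unexpected instead of silently passing it through. The field names (username, email, age) and the size limit are assumptions made for the example.

```python
"""Validate an untrusted JSON request body against an explicit allow-list schema.

Added example (not from the original article). Every field is checked for type,
length and format; unknown fields are rejected rather than ignored.
"""
import json
import re
from typing import Any

# Hypothetical schema for a "create account" request; the field names are assumptions.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")

SCHEMA: dict[str, dict[str, Any]] = {
    "username": {"type": str, "pattern": USERNAME_RE},
    "email": {"type": str, "pattern": EMAIL_RE},
    "age": {"type": int, "min": 13, "max": 120},
}


class ValidationError(ValueError):
    """Raised for any input that does not match the schema."""


def validate_request(raw_body: str, max_bytes: int = 4096) -> dict[str, Any]:
    """Return a cleaned dict containing only schema fields, or raise ValidationError."""
    # Bound the size before parsing: an oversized body is a cheap way to burn CPU/memory.
    if len(raw_body.encode("utf-8")) > max_bytes:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON: {exc.msg}") from None
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")

    # Unknown fields are rejected so that nothing unexpected reaches the business logic.
    unknown = set(body) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = set(SCHEMA) - set(body)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")

    clean: dict[str, Any] = {}
    for name, rule in SCHEMA.items():
        value = body[name]
        # bool is a subclass of int in Python, so exclude it explicitly for int fields.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            raise ValidationError(f"{name}: wrong type")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: invalid format")
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean


def is_valid(raw_body: str) -> bool:
    """True/False wrapper around validate_request for callers that do not want exceptions."""
    try:
        validate_request(raw_body)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed request and one carrying an extra field.
    print(is_valid('{"username": "alice_1", "email": "alice@example.com", "age": 30}'))
    print(is_valid('{"username": "alice_1", "email": "alice@example.com", "age": 30, "role": "admin"}'))
```

The same pattern applies to query parameters, form posts and message-queue payloads: decide what is allowed, check it before use, and refuse anything else.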
In order for developers to make sure they don’t introduce new vulnerabilities, we use automated processes to help us continuously check and monitor the status and quality of our code.
We automate as much as possible to ensure that the app itself doesn’t introduce new vulnerabilities. We do this primarily through:
- Continuous Integration – developers integrate code into a shared repository daily, where it can be tested via automation.
- Continuous Deployment – validates that any new changes to a codebase are clean, viable and stable for autonomous deployment to a production environment.
- Secrets management – the process of managing digital authentication credentials, like passwords, keys, API credentials and tokens, and keeping them separate from the code and automated processes that use them.
- Static code analysis – looks for rules and patterns in code at every stage of the development lifecycle. It catches bugs and vulnerabilities early, so that things run smoothly later on.
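Secrets management and static analysis reinforce each other: application code reads credentials from its environment rather than from literals, and a check in the CI pipeline flags literals that look like credentials before they are merged. The block below is an added example, not code from the original article. The environment variable name, the detection rules and the sample source file are all constructed for illustration; real scanners carry far larger rule sets.

```python
"""Two halves of secrets management, as an added example (not from the original article):
(1) code reads a credential from the environment instead of a literal, and
(2) a small static check, suitable for a CI step, flags literals that look like secrets.
"""
import os
import re
from typing import Mapping, Optional

# Constructed detection rules. Each is (rule name, compiled pattern).
SECRET_PATTERNS = [
    ("assignment", re.compile(r"""(?i)(password|passwd|secret|api_key|token)\s*=\s*['"][^'"]{8,}['"]""")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]


def load_db_password(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the credential from the environment; fail closed if it is absent.

    APP_DB_PASSWORD is an assumed variable name for this example.
    """
    source = os.environ if env is None else env
    value = source.get("APP_DB_PASSWORD")
    if not value:
        raise RuntimeError("APP_DB_PASSWORD is not set; refusing to start without a credential")
    return value


def scan_source(text: str, allow_marker: str = "# ci: allow-secret") -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, stripped_line) for lines that look like embedded secrets."""
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Explicit, reviewable opt-out for test fixtures; shows up in code review.
        if allow_marker in line:
            continue
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                break
    return findings


# Constructed sample "source file" to scan (the key-shaped value is made up for the example).
SAMPLE_SOURCE = '''
import os
DB_PASSWORD = "hunter2hunter2"          # hardcoded credential: should be flagged
api_key = os.environ["API_KEY"]         # read from the environment: fine
aws_key = "AKIAIOSFODNN7EXAMPLE"        # value in AWS access-key-ID shape: flagged
SECRET = "ThisIsAFixtureOnly1" # ci: allow-secret
'''

if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {line}")
```

Running `scan_source` over the repository as a CI step and failing the build on any finding is the enforcement half; `load_db_password` is the application half, and together they keep credentials out of the codebase that the static analysis inspects.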
Keep 3rd-party Dependencies Up to Date
There are more technologies involved in keeping an app running than the average person thinks, and every piece receives regular updates. We’re in a constantly shifting landscape, from the OS, to open-source vs. closed-source choices, the programming language, the frameworks used, and 3rd-party libraries. Keeping these dependencies on their latest versions gives you the best chance of mitigating attacks.
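Keeping dependencies current only works if something checks the pinned versions on every build. The following is an added example, not code from the original article: it parses exact pins from requirements.txt-style text and reports any package below a minimum known-good version. The requirements content and the minimum-version table are constructed for illustration; in practice the table would come from an advisory feed or the package ecosystem's audit tool.

```python
"""Flag pinned dependencies that are below a known-good minimum version.

Added example, not from the original article. Package names, versions and the
minimum-version table are constructed for illustration.
"""
import re

# Constructed advisory table: package -> lowest version without a known issue.
MIN_SAFE_VERSION = {
    "examplelib": "2.4.1",
    "otherlib": "1.0.0",
}

# Constructed requirements.txt-style content with exact pins.
REQUIREMENTS = """
# constructed sample
examplelib==2.3.9
otherlib==1.2.0
unrelated==0.9.0
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted version string to a comparable tuple; a non-numeric segment counts as 0."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(found: str, minimum: str) -> bool:
    """True if `found` is strictly older than `minimum` (2.3 and 2.3.0 compare equal)."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_requirements(text: str) -> dict[str, str]:
    """Map package name -> pinned version; refuse lines that are not exact pins."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            # Ranges or unpinned names cannot be audited against a fixed table.
            raise ValueError(f"not an exact pin: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def outdated(text: str, table: dict[str, str] = MIN_SAFE_VERSION) -> list[tuple[str, str, str]]:
    """Return (package, pinned_version, minimum_safe) for every pin below the table."""
    result = []
    for name, ver in parse_requirements(text).items():
        minimum = table.get(name)
        if minimum is not None and is_older(ver, minimum):
            result.append((name, ver, minimum))
    return result


if __name__ == "__main__":
    for name, ver, minimum in outdated(REQUIREMENTS):
        print(f"{name}=={ver} is below the minimum known-good version {minimum}")
```

Refusing anything that is not an exact pin is deliberate: a range specifier cannot be compared against an advisory table, and a build that resolves to a different version each time cannot be audited.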
This also means finding digital partners who are able to keep up and inform you about maintenance, upgrades, migrations, etc. and how to do them properly.
Digital Partnership Is Key
Ultimately, your IT partners, remote developers and app designers need to be knowledgeable about security measures at every level of the process.
App security is making headlines because we’re in unprecedented times, where opportunistic attackers are targeting weak points caused by the pandemic. Geopolitical tensions are at an all-time high, which has espionage threats up as well. Reduced spending and income may also be motivating new attackers to open up different methods of attack, switching from credit card theft to ransomware, for instance. To top it all off, the rapid change to working from home has increased user-driven vulnerabilities to the point where we all need to be reviewing our security measures with even greater scrutiny.