Imagine signing up for an app, only to have every other user suddenly able to learn precisely where you are and what your name is. Something like that happened when a web developer discovered a glitch in Tinder, a location-based dating app, that exposed users' physical location and Facebook ID for several hours over the weekend.
In an interview, Tinder Chief Executive Sean Rad told Quartz that the "minor flaw" wasn't worth mentioning because no one was affected. But according to the developer who found the flaw, it's impossible to know whether or not someone accessed the data inappropriately.
While Tinder, which launched last October, hasn't disclosed how many downloads or users it has, it has been estimated that those numbers are "well into the millions."
When creating a mobile app for your business, customer privacy should be among your top priorities. We asked Paul Ducklin with Boston-based online security service Sophos what steps mobile startups can take to protect user security and avoid the PR headaches that occur after a data breach. Here are his top tips:
1. Make security a priority from the start.
"Mobile startups are in a tricky position," Ducklin says. "It's a crazily competitive market, with quite literally millions -- if Google and Apple are to be believed -- of developers rushing out products."
That ultra-fast, ultra-competitive environment can put intense pressure on companies to get their products to market as quickly as possible. As a result, patch-as-you-go security incidents like this are all too common, Ducklin explains. But that doesn't mean it's not a cop-out.
Decide in advance which is more important: getting there, or getting there properly with users' privacy in mind, Ducklin advises. "You might make more money in the short term by the first approach, or you might attract more loyal users for longer via the second," he says. "If you're honest up front, at least there won't be any surprises later."
2. Prepare for the worst. Then test, test and test some more.
Internet security can be a constant battle. As companies patch security holes, hackers discover new ones. To stay ahead of the bad guys, Adobe, Google, Apple and every other major software company push security updates to customers on a regular basis, something any company that has access to sensitive data needs to do.
"Make security testing part of your perpetual development cycle," Ducklin says. Mocana, for instance, offers full-service security that can be integrated into an app as it's developed or that works around the functionality of products that already exist. Mocana's free MAP (Mobile App Protection) Developers' Program enables startups to integrate security features like VPN protection, data encryption and jailbreak detection without having to go back under the hood and rewrite the app.
Ducklin also suggests looking into local security meetups and interest groups. "The more you learn, the better you get," he says.
3. Be honest with your customers.
As new businesses experience growing pains, it's not unusual for mistakes to occur. Consumers usually make a decision about the integrity of a company not after an initial incident, but based on how it responds.
Ducklin says mistakes should be admitted "quickly and with transparency so users can make their own minds up about what action they should take."