How to Build the Next Generation of Secured Mobile Apps
The good thing about the mobile-app ecosystem is that it has filled many facets of our lives with convenience and ease. The bad thing is that the more these apps become popular, the more they are vulnerable to hacks.
As apps become more ingrained in our daily personal and professional lives -- executing financial transactions or uploading sensitive health data, using our mobile phones -- our personal data is more and more at risk of being stolen and misused.
The onus, then, is on you -- the entrepreneur who builds products -- to ensure that your customers' data is safe and secure, far from the access of the hackers. And the way to keep your customers’ private data safe is by implementing security measures across every touch point. Here are some of the most important things to consider while building a secure mobile app.
1. Two-factor authentication
Passwords can be hacked or simply forgotten. Sometimes, they’re just so darn simple that anyone could guess with a few tries. And on apps that store or access your private or confidential data, losing a password to hackers can mean a tremendous loss.
Two-factor password authentication helps solve this problem. Its most common implementation occurs when you're logging into an app and are sent a randomly generated code via text and/or email based on the code registered with the service/product. Only when you enter this code, in addition to your password, will you be allowed entry to the app.
Apps that store or access sensitive data should also log users out and require them to log-in each time with the two-factor authentication for security. That leads us onto the next point . . .
2. OAuth2 for mobile API security
You’ve probably heard of OAuth before. This is an excellent protocol for securing API services from untrusted devices, and it provides a nice way to authenticate mobile users via token authentication.
The way OAuth2 token authentication works is that it creates an access token that expires after a certain amount of time. The access token is created for users and stored on their mobile devices when they enter their username and password while logging in.
Once the access token has expired, the app re-prompts the user to enter his or her login credentials.
OAuth2 doesn’t require users to store API keys in an unsafe environment. Instead, it generates access tokens that can be stored in an untrusted environment, temporarily.
This works well, because even if a hacker somehow gets hold of a user's temporary access token, it will expire.
OActive Labs researcher Ariel Sanchez tested 40 mobile banking apps from the top 60 most influential banks in the world. The result: 40 percent of the apps audited did not validate the authenticity of SSL certificates presented. Many of the apps (90 percent) contained several non-SSL links throughout the application.
Mobile apps often do not implement SSL validation correctly, making them vulnerable to active man-in-the-middle (MITM) attacks. Apps that use SSL/TLS to communicate with a remote server should check for server certificates.
AES, the Advanced Encryption Standard, is currently one of the most popular algorithms used in symmetric key cryptography. It is also the "gold standard" encryption technique; many security-conscious companies actually require that their employees use AES-256 (256-bit AES) for all communications.
Companies should always use modern algorithms that are adjudged strong by the security community: Think AES with a 256-bit key for encryption, and SHA-512 for hashing.
Ensuring security of your users’ data makes your application more attractive to customers and helps build the trust factor. Needless to say, trust also increases your chances of acquiring and retaining more customers.