Secure Mobile Apps from the Start

Stop Retrofitting: How to Design Security Into Your Next Mobile App

Posted by Deep Shah

3 Sep 21 6 Min read

Mobile app security is now a big deal. Although it always should have been, users are now more aware of security risks, and have become more demanding. This means that retrofitting security features is a big no-no. Designing security features upfront is essential. Find out how.

Security should be one of the key points in any mobile app design strategy. But so often it’s not. It gets left until a vulnerability gets exposed and an update is required to make the app secure. This is not the smart way to do any kind of development in today’s world.

Retrofitting security that protects against vulnerabilities is not an ideal practice, and it's easily preventable if you incorporate security features into your initial design. This means that you need to be up to date on potential security threats and consider them from the very beginning. It’s all about seeing how the app could be vulnerable and planning to ensure that it isn’t.

In this article, we’re going to examine how you can design security features into your app while building it, rather than integrating them after the fact.

Step 1: Secure Coding Best Practices

Right from the very beginning of the design and development process—before you write a single line of code—it’s important to understand or work out how you are going to proceed. This means that you need to know what the current security threats are and what developers are doing to combat these threats. You also need to know what technology is available and the impact that has on your mobile app.

As the developer, it’s your job to be up to speed on the best practices of your industry, especially when it comes to online security for mobile app users. One of the top trending practices currently in use is data encryption. If done correctly, even if the app gets breached and data stolen, the hacker will not be able to see or use any of the information they have accessed. This includes:

  • Not hard coding your keys
  • Not storing your keys locally on the device
  • Storying your keys in secure containers

Another security best practice is to use tamper-detection technology. This helps to prevent an external programmer from modifying your code within the app. If someone tries to change something or add malicious code to your app, an alert will be set off and the app should stop working.

Finally, look at using the principle of least privilege. This means that the app only requests access to the parts of the user’s phone that it absolutely needs to function. The more connections the app has to the user’s phone and other apps on the phone, the more vulnerabilities you have within the app.

Step 2: Identify Potential Areas Of Concern

Again, before you write a single line of code, you need to know what you are going to be protecting your app and its users against. Take some time to research the current major threats and trends in terms of what hackers are doing and what is being done to combat this. This will give you an idea of the kinds of weaknesses that are being exploited and how you can avoid building those weaknesses into your app.

Next, look at the entire ecosystem of the app that you are going to create. Look at what information it asks users for and where that information is kept. Then, assess how the app connects to other apps or information on the phone once it’s downloaded and in use. Mapping out all of this will allow you to identify where your potential weak areas are.

It’s also important to run through security checks on the app before you deploy it, or any updates to it in the future. Push the app to the limit in terms of testing, running through as many random scenarios you can think of to see if there are loopholes or possible gaps in the security.

youtube poster image

Step 3: Use Authorized APIs

APIs are generally a critical part of any mobile app because they allow your app to talk to other apps seamlessly. It’s essential that you use APIs that are trusted, because the potential for hackers to gain access via them is too high. Authorized APIs will dramatically minimize the risk of using them, especially if they are centrally authorized.

Always research the APIs that you plan to use and check their history of security. If the code is loose, it is too simple for a hacker to get in and make use of the privileges that the API grants.

Step 4: Decide On Authentication Levels Required

Not all apps need high levels of authentication. But if your app is working with any personal or sensitive information, authentication is critical. As soon as you require your users to input any personal data or create an account, you need to consider what form of authentication you will use. Pushing your users to create strong passwords with a multitude of character types will automatically improve your security.

For highly sensitive profiles, like banking apps or third-party payment apps, you need to consider more security. This can include multi-factor authentication, like a one time pin (OTP), or going the biometric route as is built into most smartphones these days.

Step 5: Using Proper Safe Session Protocols

Dealing with sessions in a mobile app is a lot harder than compared to a website or web application. This is because people use their mobile apps differently, often needing to switch between apps in one session. That means you can’t just cut the session the moment a user switches to another app. However, it’s not safe to leave the session open-ended because someone else could access the device and gain access to the sensitive data if the session is still running.

It’s important to allow users to easily end a session if they know that someone else is going to use the phone. This includes having a logout function or an end session button that the user can actively push. Users will generally be happy to have this for apps that have sensitive data like finances or credit cards stored.

Plus, you need to consider how you will end a session if the user does not log out. One method that works well for any apps that use in-app payments is to require re-authentication before a payment is actually made. The user remains logged into their account and anyone on the phone can browse through and add things to the cart. However, you can only make a payment for those items if you have the login details or the correct biometrics.


Start With Security In Mind

Having security features built into the original design of your mobile app is always going to make it a lot safer to use than trying to add them in later.

Always take the time to research and plan your app first so that you know what threats are out there, and what technology or best practices there are to avoid those threats. Creating a mockup of your app can help you to ensure that you cover all your bases—from security to UX—and that any other stakeholders involved are on the same page.

Finally, don’t forget to test everything. Each new addition you make to your app can cause loopholes or soften your defenses. Proper testing will show those up before the app goes out to the public for use.