In the last years, cyber attacks have been on the rise. In 2018 there were 11% more security breaches compared to 2017, and 67% more compared to 2013.
A cyber attack can result in a data breach, a ransom request, or it can compromise the same tools that are supposed to protect you.
We rely on our mobile devices every day, but they can also be subject to vulnerabilities. In fact, ~91% of iOS apps and ~95% of Android apps analyzed in this report contain flaws.
Such apps could be those that we use for accessing our bank account, controlling our home internet connected accessories, handling our personal pictures and texts.
It is up to us, programmers, to do our best to avoid these problems for our users. Thus, when we create and maintain mobile applications, it is important to include security from the very beginning, not only in the development process, during requirements definitions, architecture design, development, and testing, but also in everyday business-related processes. We need to make sure that our everyday work has security integrated into it.
We can identify two main classes of potential pitfalls:
- User authentication relates to the usage of the app by an attacker who is posing as another user. It is mitigated by the login system of the device in use: if the access to the smartphone is secured by a pin, or by biometric authentication, such as Face ID, then the app might not need another authentication level. But if the app handles particularly private data, like banking information, then it should implement an additional authentication step. On the other hand, most apps connect to a backend system, against which the user needs to login again. In this case, the device login system is not enough.
- Data access relates to the communication between the app and services exposed on the internet. We cannot assume that such communications are performed on private networks, so the data being transmitted can be intercepted, read, and potentially modified by an attacker.
It is fundamental that users are correctly identified and that the actions they perform are allowed concerning their identity. That means that a user, when logged in, is correctly identified by the system, but she is not able to read personal information about other users.
The availability of service over the internet makes it more complicated. When a user needs to authenticate to a remote service, passwords cannot be transmitted as clear text.
All data must be encrypted so that it is incomprehensible for an attacker without the proper decryption key.
Encryption is important, but it does not solve all security problems: if an attacker manages to get identified as an admin, cryptography won't matter anymore.
There are also other cyberattacks we need to consider when designing security in our apps:
- viruses that a user executes without realizing it;
- denials of service, where an online service is taken down by an excessive number of requests;
- abuses of service, where an attacker finds a way to abuse a service you provide online;
- pishing scams, and other forms of social engineering attacks; and others.
When designing and implementing an app, we might need to consider those as well.
We also need to keep in mind that designing complex security mechanisms will make it easier to oversee bugs, opening possible vulnerabilities for attackers.
There are many types of vulnerabilities we need to take into account when designing a new app. We need to keep our strategy simple, first by understanding the basic components of cybersecurity and how cryptography works, then by exploring the most common vulnerabilities in apps and understanding how to avoid or fix them, and then by defining security-related processes that we can apply during the entire software development lifecycle.