What Citizen Developers Should Know About Mobile Security
By Aaron Bryson, Kony

Dedicated, full-time developers know that, as with all forms of software development, security should be a top priority when building mobile apps. Yet increasingly, mobile development within enterprises is being done by what Gartner calls "citizen developers": business-line employees who create apps using approved tools but outside the traditional IT process. Unfortunately, far too many of them have an insufficient understanding of what needs to be done to protect their users' data.

The seriousness of this issue cannot be overstated. For an individual, the financial consequences of identity theft due to a mobile data breach could be devastating. And when a business's data is leaked by a flawed app, the potential cost is incalculable.

Still, ignorance about mobile app security remains widespread. Even when a mobile app is revealed to contain a major security flaw, its users often simply don't understand the risk well enough to uninstall it. Even worse, they remain completely unaware of security flaws present in their apps.

And lack of attention to security is only part of the problem. A still larger issue is that even app users who say they're concerned about security and privacy often don't know how to evaluate whether a given app meets their data security needs. Worse, neither do some developers.

For example, developers are often given a free pass because they claim their apps use data encryption. But what does that really mean? Where, when and how the encryption is used is just as important as the fact that it's used at all.

4 Important Mobile Data Security Considerations

More to the point, mobile data security doesn't begin and end with encryption. Customers, and especially app developers at all levels and in all roles, should be asking a variety of questions about the apps they use, including:

Is User Data Always Encrypted?

Merely encrypting data when it's stored on the device isn't enough. For it to be truly secure, data needs to be encrypted at all times: whether it's being used by the app, transmitted over a network or stored on a server.

How Is Sensitive Data Protected from Being Accessed by Other Apps?

An app shouldn't assume that only it has access to the data it collects. Unless safeguards are in place, malware or other rogue apps running on a device can potentially pilfer data from other apps that should have been private.

Is Data Still Protected When Running on an Insecure Device?

Users can configure their devices so they're inherently less secure, for example by jailbreaking an iOS device, by "rooting" an Android phone, or by not keeping up to date with OS security patches. That they do so isn't an app developer's fault. Still, while app developers can take steps to better protect data even in these risky scenarios, most simply do not.

What Precautions Were Taken to Mitigate Threats such as Hacking Attempts?

Encrypting data is no use when attackers can bypass security measures to impersonate legitimate users. App developers should take steps to ensure that their applications can repel such threats, by hardening mobile APIs and mobile applications alike.

Raising awareness of these and other mobile security issues is essential, but it's also only the beginning. Even when an informed app customer knows the right security questions to ask, it's often not clear where to find the answers.

What Can App Stores Do?

Public marketplaces like Apple's App Store and Google Play do a fair job of alerting users when an app is able to access their address book, for example, or locate them via GPS. But they tell users next to nothing about what measures an app's developers have taken to safeguard their data security.

They could do better. They could add a new section to an app's description page that lists, in a concise format, which top security best practices its developers have employed. For example, does the app encrypt its database? Does it enforce HTTPS encryption? Does it check whether the device is jailbroken or rooted? Does it prevent reverse engineering or modification?

Unfortunately, making such a change won't be as simple as adding a new form field to a store's app submission page. Simply trusting app developers to supply accurate security information would open the floodgates to all sorts of abuses. For such information to have any value, app stores would need to create more robust verification systems that test submitted apps against a baseline set of security features.

Whether consumers will ever get access to such detailed security information remains to be seen. But enterprises have an opportunity to take more proactive control of their own mobile security, by requiring app developers to disclose security information on a centralized, internal repository or private app store. They can also encourage citizen developers to partner with IT to develop a comprehensive security and testing audit plan so they can be sure they've covered all the bases.

In this modern environment, app customers need to be better educated about the security issues they face. But they also deserve greater transparency and security diligence from app developers, in whose hands their security ultimately rests.

Aaron Bryson is chief security architect for Kony, a cloud-based enterprise mobility solutions company and a mobile application development platform provider. Kony's cross-platform solution helps organizations design, build, configure and manage mobile apps to empower and better engage with customers, partners and employees.