Knowing exactly how secure your mobile apps are is important. Whichever enterprise you ask, they will agree that the security of their mobile apps is a top priority. Knowing a little more about app security, and what to ask your mobile app developer, is worth the effort: it helps you understand what is at stake and lets you ask for help and advice when you need it.
Your app encrypts its data. That alone is not enough. In an age where people use their smartphones for everything, security is not something that can be compromised on; if you want users to trust you, you cannot cut corners on the security of your mobile apps. Encryption is only one piece of the picture. There is a lot more you should be asking your developer.
1. Is HTTPS encryption used and enforced?
Network communications are easy to get complacent about, and complacency here puts a lot at risk. Using HTTPS is the right idea, but merely switching it on is not enough; you have to be sure that your developer is actually enforcing it, so the app never falls back to plain HTTP and never accepts a connection whose certificate fails validation (the certificate chain, the hostname and the expiry date should all be checked, and validation must not be disabled "just for testing"). For a higher level of assurance, ask about mutual TLS (two-way authentication, where the app presents its own client certificate) or certificate pinning, where the app only accepts known certificates or public keys for your servers. Pinning raises the bar considerably against interception, but it also needs a rotation plan, because a pinned certificate that expires or is reissued will lock out every installed copy of the app.
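The following is an added example, not code from the page or from KenHike: a small client that refuses cleartext URLs, keeps certificate and hostname validation on, and pins the server's leaf certificate by its SHA-256 fingerprint. The host name `api.example.com`, the `PINS` table and the "constructed" certificate bytes are placeholders; a real pin is the hex SHA-256 of the server's DER certificate (for example from `openssl s_client -connect host:443 </dev/null | openssl x509 -outform DER | sha256sum`).

```python
"""Added example (not the page's code): an HTTPS client that refuses
cleartext, validates chain and hostname, and pins the leaf certificate."""
import hashlib
import socket
import ssl
from urllib.parse import urlparse


class TransportSecurityError(Exception):
    """Raised when a request would violate the transport policy."""


def require_https(url):
    """Return (host, port) for an https:// URL; refuse anything else."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise TransportSecurityError(f"refusing non-HTTPS URL: {url}")
    return parts.hostname, parts.port or 443


def strict_context():
    """TLS context that validates the chain and the hostname. The defaults are
    already strict; restating them makes a later 'quick fix' stand out in review."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_context():
    """What 'HTTPS switched on but not enforced' looks like: any certificate,
    any name, so an interception proxy is accepted. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """Policy check a reviewer can apply to any context the app builds."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def cert_fingerprint(der):
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(host, der, pins):
    """True if the peer's leaf certificate is one of the pins for host."""
    return cert_fingerprint(der) in pins.get(host, set())


# Hypothetical pin set: placeholder value, replace with the real fingerprint.
# Keep at least one backup pin so certificate rotation does not brick the app.
PINS = {
    "api.example.com": {
        "0000000000000000000000000000000000000000000000000000000000000000",
    },
}


def fetch(url, pins=PINS, timeout=5.0):
    """GET url over validated, pinned TLS and return the raw response bytes."""
    host, port = require_https(url)
    ctx = strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # Chain and hostname validation happen inside the handshake.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(host, der, pins):
                # Valid per the system trust store is not enough: refuse anything
                # that is not one of our own known certificates.
                raise TransportSecurityError(
                    f"certificate for {host} matches no pin: {cert_fingerprint(der)}")
            request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
```

The pin here covers the whole leaf certificate, which is the simplest form; pinning the subject public key instead survives a reissue with the same key pair, at the cost of a little DER parsing. Either way, the practical question for your developer is the same: what happens to installed apps on the day the certificate changes?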
2. Is there sensitive information on the app binary?
This is the next security question you should be asking your mobile app developer. App binaries are not black boxes: anyone who downloads the app can unpack, decompile, analyze and reverse engineer it. That is why the binary must be scrubbed of sensitive information. Your developer should assume that anything embedded in the binary, such as encryption keys, API keys, passwords and private keys, will be retrieved, and should keep such secrets out of it altogether; where the app genuinely needs a credential, it should be issued at runtime, per user or per device, by the backend rather than shipped to every installation.
3. Is the app data being encrypted wherever and whenever it is stored?
Yes, OS security can be trusted, but only while the device has not been jailbroken or rooted, and you cannot assume that about the devices your users carry. In practice that means the platform's sandbox alone cannot be relied on to protect an app's data. So ask your developer whether the app encrypts sensitive data itself wherever it is stored: log files, cookies, session tokens, passwords, protected health information and the like. Ask as well where the encryption key lives; data encrypted with a key that sits next to it on disk, or is hard-coded in the binary, leaves exactly the kind of gap that attackers seep through.
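Questions 2 and 3 above can both be checked the same way: pull the strings out of the shipped binary, and out of the files the app leaves on a device, and look for credentials in the clear. The block below is an added example, not code from the page or from KenHike. It flags secrets by pattern (cloud access keys, private key blocks, bearer tokens, credentials in URLs and `key=value` assignments) and, for anything else, by high Shannon entropy, which is how an embedded random API key usually looks. The sample "binary" and sample sandbox files are constructed for the demonstration; `AKIAIOSFODNN7EXAMPLE` is AWS's published example key ID, not a live credential.

```python
"""Added example (not the page's code): a strings-style sweep of an app
binary and of on-device files, flagging plaintext secrets. All sample inputs
are constructed for the demonstration."""
import math
import re

MIN_STRING_LEN = 8
ENTROPY_THRESHOLD = 4.5  # bits per character; random base64/hex keys sit above this

# Ordered list: the first matching label wins for a given string.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    ("url_with_credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@")),
    ("credential_assignment", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[=:\"']+\s*\S{6,}")),
]
KEY_CHARSET = re.compile(r"[A-Za-z0-9+/=_-]{32,}")


def extract_strings(blob, min_len=MIN_STRING_LEN):
    """Runs of printable ASCII, the same thing the `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(text):
    """Bits of entropy per character of text."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(text):
    """Long, base64/hex-shaped and high-entropy: probably a key or token."""
    return bool(KEY_CHARSET.fullmatch(text)) and shannon_entropy(text) >= ENTROPY_THRESHOLD


def classify(text):
    """Return a finding label for text, or None if it looks harmless."""
    for label, pattern in SECRET_PATTERNS:
        if pattern.search(text):
            return label
    if looks_like_key(text):
        return "high_entropy_string"
    return None


def scan_blob(blob):
    """Scan one binary (an APK, a .so, a Mach-O) and return (label, string) pairs."""
    findings = []
    for text in extract_strings(blob):
        label = classify(text)
        if label:
            findings.append((label, text))
    return findings


def scan_files(files):
    """Scan a mapping of path -> bytes, e.g. an app's sandbox pulled from a device."""
    return [(path, label, text)
            for path, blob in files.items()
            for label, text in scan_blob(blob)]


# Constructed sample binary: non-printable filler around a few embedded strings.
NONPRINTABLE = bytes(range(0x00, 0x20)) + bytes(range(0x7f, 0x100))
SAMPLE_BINARY = (
    NONPRINTABLE * 3
    + b"Hello World, version 2.3.1\x00"        # harmless
    + b"https://api.example.com/v1/\x00"       # harmless, no credentials in URL
    + b"AKIAIOSFODNN7EXAMPLE\x00"              # AWS documentation example key ID
    + b"api_key=sk_live_0123456789abcdef\x00"  # hard-coded credential (constructed)
    + b"Zq3vL9xR2mT7pW4kN8yB6hJ1dF5sG0aC\x00"  # random-looking token (constructed)
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"   # embedded private key header
    + NONPRINTABLE
)

# Constructed sample of what an app might leave on the device (question 3).
SAMPLE_FILES = {
    "files/app.log": (
        b"2024-05-01 10:22:03 I/Net: GET /v1/me\n"
        b"2024-05-01 10:22:03 I/Net: Authorization: Bearer "
        b"eyJhbGciOiJIUzI1NiJ9.constructedpayload.sig\n"
    ),
    "shared_prefs/session.xml": b'<map><string name="password">Hunter2!</string></map>\n',
    "files/cache.bin": NONPRINTABLE,  # opaque data: nothing to report
}

if __name__ == "__main__":
    for label, text in scan_blob(SAMPLE_BINARY):
        print(f"binary   {label:22} {text}")
    for path, label, text in scan_files(SAMPLE_FILES):
        print(f"{path:26} {label:22} {text}")
```

A clean result from this sweep does not prove the data is encrypted well (a key stored beside the ciphertext would pass), but a hit is conclusive: a token in a log file or a password in a preferences file is exactly the gap the question is about.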
4. What steps have you taken to thwart analysis and reverse engineering?
Your mobile app developer can and should take additional steps to make analysis and reverse engineering harder. Control flow and code can be obfuscated, symbols can be renamed or stripped so that functions are not easy to identify, and strings can be encrypted so that they do not appear in the binary in the clear. Be clear about what this buys you: obfuscation raises the cost of reverse engineering, it does not prevent it, so it must not be the only thing protecting a secret. Ensuring that the app has not been tampered with or repackaged, by verifying its own signature and integrity at runtime, is one of the most important tasks of a developer.
5. Has attention been paid to secure the backend of the mobile app?
You should also be asking your developer whether the mobile app backend is secure, because it can be attacked as well, and often more easily than the app. The API the app talks to faces the same threats as any web application (authentication, authorization, input validation, rate limiting), with one extra rule: nothing the client sends can be trusted, since anyone can replay or modify the app's requests without using the app at all. The backend should be hardened and tested continuously, not just once before launch.
At KenHike, security of the mobile apps that are created is of prime importance. That is why it is the leading name in mobile app development in UAE and Saudi Arabia.