Every business with a mobile app, like it or not, is in the cybersecurity business and must keep improving its application security. Why? The average cost of a data breach in the United States runs $8.19 million; the global average is $3.92 million. The cost per compromised record is estimated at $150, with the average breach involving 25,000 records. That could easily be 10 to 20 times the entire cost of building your app. Application security is a small but significant fraction of an app's cost. Cybersecurity is everyone's job, so I'd like to share five ways to improve your application security.
Encryption and the Cloud
Whether you run your own servers on site or rely on a cloud provider, don't take your mobile app's security for granted. The major cloud providers (Amazon Web Services, Google Cloud Platform, Microsoft Azure) encrypt the data stored with them; smaller providers tend to be opaque about the specifics of their security practices. Either way, provider-side encryption at rest only protects you against someone walking off with the disks: anyone who can read your bucket or database through a misconfigured permission sees the data in the clear, because the provider decrypts it for every authorized request. So encrypt the data your app generates at the application layer, before it is transmitted, with keys the storage provider never holds. Then even if attackers do reach the files, the contents are unintelligible to them. Use an authenticated mode (AES-GCM or ChaCha20-Poly1305) so tampering is detected as well, and treat key management as the real problem: a key stored next to the data it protects adds nothing.
Amazon Web Services itself has, so far, not been reported as the point of compromise in any major breach. Several companies hosting data on AWS have been breached, though, because of mistakes on the customer side: publicly readable storage buckets, leaked credentials and over-permissive roles, in cases including Accenture, Time Warner, Uber and Capital One. Data breaches can be hugely expensive: breach-related costs, including lawsuits over compromised personal data, reached $162 million for Target, $179 million for Home Depot and $242.7 million for Equifax, to name just a few of the largest.
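Here is what application-layer encryption before upload looks like in practice. This is an added example written for this article, not code from Reinvently, Provectus or any cloud provider; it is Go using only the standard library (the same AES-GCM construction is available on Android and iOS through their platform crypto APIs). The object path, the key source and the sample record are assumptions chosen for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM returns an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext before upload. The object path is bound in as
// associated data, so a blob copied under another path will not decrypt.
// Layout of the returned blob: nonce || ciphertext || GCM tag.
func sealRecord(key []byte, objectPath string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	// A fresh random nonce per record: reusing one under the same key breaks GCM.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectPath)), nil
}

// openRecord reverses sealRecord and fails on any modification of the blob,
// a wrong key, or a mismatched object path.
func openRecord(key []byte, objectPath string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectPath))
}

func main() {
	// Constructed demo key. A real app fetches the key from the platform
	// keystore or a KMS at runtime; it must not live in source, config or the bucket.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	path := "uploads/user-17/profile.json" // assumed object path for the demo
	blob, err := sealRecord(key, path, []byte(`{"email":"a@example.com"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes of ciphertext to %s\n", len(blob), path)

	blob[len(blob)-1] ^= 0x01 // simulate an object modified in storage
	if _, err := openRecord(key, path, blob); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
}
```

Because the key never leaves the app's keystore, a public bucket or a leaked storage credential exposes only ciphertext, and the authentication tag means a modified object is rejected rather than silently accepted.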
Secure Each Component of Your App
The strength of a chain is determined by its weakest link. Analyze each component of your application and choose the security measure that fits it. Storage and databases need permission-based access controls (least privilege, so each service and user can reach only the data it needs) and authenticated encryption with properly managed keys.
The runtime needs protection too. This includes configurable safeguards, code obfuscation to make the app harder to reverse engineer, and real-time threat analytics such as detecting a rooted or jailbroken device or a debugger attached to the process. Obfuscation raises an attacker's cost but does not stop a determined one, so never rely on it to hide secrets: an API key shipped inside the binary should be treated as public, and every security decision that matters must be enforced on the server. The key takeaway is to protect each critical component with measures appropriate to it, to minimize the chance of your app being exploited.
Automate Application Security Installation
Remember the good old days when installation and configuration were done by hand? Those days are gone. If anything is clear, it's that we cannot rely on end users to configure their security settings correctly, and as noted above, sometimes even the specialists get them wrong. So automate the entire installation and configuration of your app, and make sure you can update configuration settings remotely. Remote configuration is itself an attack surface, so the app should accept updates only over TLS from a server whose identity it verifies, and should refuse any setting that would weaken security (for example, disabling certificate validation).
Automated configuration sets the app up properly on each user's device without skipping steps, so every security control is in place without end-user error. Automating these tasks is a challenge, but one that goes a long way toward maintaining the security of your app.
Use Third-Party Resources
Often enough, IT security teams work long hours because they lack the resources to do their job efficiently, and the mobile applications they build end up with more security gaps as a result. Much of this can be avoided by using third-party solutions that specialize in non-strategic tasks.
For example, many companies let users log in with their Google or Facebook accounts. This avoids password fatigue while leaning on those companies' billion-dollar security teams. That is not to say Google and Facebook are hack-proof, only that they devote enormous resources to trying to be. The same applies to mapping features such as Google Maps and payment processing such as Braintree; handing card data to a payment processor also keeps most of the PCI DSS burden out of your own code. Specialized third-party services also cut the cost and time of developing your app.
However, validate that any third-party resource you use is safe to rely on, and keep validating it: even large, well-known companies get hacked, as happened recently with Asus and Arris. Pin the versions of third-party SDKs you ship, review the permissions and network access they require, and have a plan for dropping or replacing a dependency when it is compromised.
Monitor and Test Security Measures
Security is never a "done" job. As next-generation applications become more popular, they must be closely tracked and well protected. Configure your systems to generate automatic alerts, and make sure those alerts are issued and tuned correctly: an alert that fires on every mistyped password will be ignored within a week, and the one that matters will be lost in the noise.
When threats do appear, your team should be notified immediately. Remember, too, that as noted earlier, the well-known breaches of AWS-hosted data so far resulted from misconfigurations on the customer side, so monitoring your own configuration (public buckets, over-permissive roles, exposed credentials) deserves the same attention as monitoring for attacks.
Security threats are constantly evolving, so use current security tools and keep them up to date. An increasingly popular option is a "bug bounty" program, in which you reward outside researchers for finding and responsibly reporting vulnerabilities in your app so you can fix them before release, or before anyone else exploits them. Publish a clear disclosure policy and scope alongside it, and pair it with your own testing: a bounty program finds what researchers look for, not what you forgot to ask about.
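As an added example of an alert rule tuned against false alarms (written for this article, not code from the original author), the following Go program runs a sliding-window rule over a few constructed auth log lines: a user mistyping a password once stays silent, while a burst of failures from one address raises an alert. The log format, field names, threshold and window are assumptions chosen for the demo.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample lines (not real logs). Format assumed for this example:
// <RFC3339 time> auth <login_ok|login_failed> user=<name> ip=<addr>
const sampleLog = `2019-10-03T12:00:00Z auth login_failed user=bob ip=198.51.100.7
2019-10-03T12:00:05Z auth login_ok user=bob ip=198.51.100.7
2019-10-03T12:01:00Z auth login_failed user=alice ip=203.0.113.5
2019-10-03T12:01:04Z auth login_failed user=alice ip=203.0.113.5
2019-10-03T12:01:09Z auth login_failed user=admin ip=203.0.113.5
2019-10-03T12:01:13Z auth login_failed user=root ip=203.0.113.5
2019-10-03T12:01:20Z auth login_failed user=alice ip=203.0.113.5
2019-10-03T12:09:00Z auth login_failed user=carol ip=192.0.2.9
2019-10-03T12:30:00Z auth login_failed user=carol ip=192.0.2.9
2019-10-03T12:45:00Z auth login_failed user=carol ip=192.0.2.9`

type authEvent struct {
	at     time.Time
	ip     string
	failed bool
}

// parseAuthLine extracts the fields above. It returns ok=false for lines that
// are not auth events, so unrelated log noise can never trigger the rule.
func parseAuthLine(line string) (authEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "auth" {
		return authEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return authEvent{}, false
	}
	ip := strings.TrimPrefix(f[4], "ip=")
	return authEvent{at: at, ip: ip, failed: f[2] == "login_failed"}, true
}

// failedLoginAlerts raises one alert per source IP that produced at least
// threshold failed logins inside any sliding window of the given length.
// Isolated failures (someone mistyping a password now and then) never reach
// the threshold, which is what keeps the rule from paging on false alarms.
func failedLoginAlerts(logText string, threshold int, window time.Duration) []string {
	recent := map[string][]time.Time{} // per-IP failure timestamps still inside the window
	alerted := map[string]bool{}       // alert once per IP, not once per extra failure
	var alerts []string
	for _, line := range strings.Split(logText, "\n") {
		ev, ok := parseAuthLine(line)
		if !ok || !ev.failed || alerted[ev.ip] {
			continue
		}
		// Drop failures that have aged out of the window, then record this one.
		kept := recent[ev.ip][:0]
		for _, t := range recent[ev.ip] {
			if ev.at.Sub(t) < window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ev.at)
		recent[ev.ip] = kept
		if len(kept) >= threshold {
			alerted[ev.ip] = true
			alerts = append(alerts, fmt.Sprintf("%s: %d failed logins from %s within %s",
				ev.at.Format(time.RFC3339), len(kept), ev.ip, window))
		}
	}
	return alerts
}

func main() {
	// Threshold and window are tuning knobs; start strict enough that normal
	// users never trip them, then widen only with evidence from your own logs.
	for _, a := range failedLoginAlerts(sampleLog, 5, time.Minute) {
		fmt.Println(a)
	}
}
```

With a threshold of 5 failures in one minute, only 203.0.113.5 alerts; bob's single typo and carol's three failures spread over 36 minutes stay quiet. Loosening the window to an hour with a threshold of 3 would also flag carol, which is the kind of trade-off the tuning step has to make deliberately rather than by default.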
Cybersecurity as a Constant
Estimates are that $167 billion will be spent on cybersecurity in 2019 and that will increase to $248 billion by 2023. It’s not that cybersecurity is so expensive, but that it must be applied to secure PCs, laptops, smartphones, mobile and Internet of Things (IoT) devices. Cyber attacks are increasing in frequency, if not severity. Cybersecurity is essential for every kind of business, no matter the industry. Indeed, it’s the law.
In 2018, the EU's General Data Protection Regulation (GDPR) went into effect. It obliges any business that processes the personal data of people in the European Union, wherever the business is based, to safeguard that data. The United States has no federal equivalent, but states such as California have enacted similar laws (the California Consumer Privacy Act). Concurrently, HIPAA requires healthcare providers and their business associates to secure patient data, and COPPA protects the online privacy of children under 13. Because these laws differ and keep changing, it is simpler to adopt a single standard that provides the strongest application security available and satisfies all of them.
Reinvently offers GDPR by Design, a SaaS solution, through our parent company, Provectus. It is based on distributed key management that encrypts personally identifiable information and gives users complete control over their data. If you are looking for a comprehensive, long-term way to manage all of your sensitive data, we'd be happy to discuss how GDPR by Design can work for you.