Don’t rely on a platform alone to protect your users
Platforms may offer features to make security easier, but it’s up to you to understand them. Use them properly, and explain them to your users in everyday language.
Create secure user credentials
If your app requires that users create usernames and passwords, make sure that these credentials are secure and appropriate to the nature of your app. For example, a social networking app would require a higher level of authentication (password strength requirements) than a gaming app.
Encrypt any data that is transmitted
Use transit encryption (SSL/TLS in the form of HTTPS) to secure usernames, passwords, API keys and any other important data that is transmitted from a device to your server. This is particularly critical because many users access apps over unsecured public Wi-Fi networks. If you use HTTPS, use a low-cost digital certificate from a reputable vendor and ensure your app validates the server's certificate properly rather than accepting any certificate it is presented.
Exercise caution and use due diligence on libraries and other third-party code
Third-party libraries can save time, but keep your ear to the ground. Does the library or SDK have known security vulnerabilities?
Consider protecting data you store on a user’s device
If a user’s device becomes infected by a virus or malware, or they lose their device, think of ways you can help them protect any personal information that your app handles. Encryption is one option. Some platforms have their own storage schemes for protecting sensitive user data such as passwords and keys – use them.
Protect your servers, too
If you maintain a server that communicates with your app, take appropriate security measures to protect it. If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server.
Don’t store passwords in plain text
Protect user passwords by avoiding plain text storage on your server. Use an iterated cryptographic hash function to hash users' passwords and then verify login attempts against these stored hash values. (Because the hash cannot be reversed into the original password, users who forget their password simply reset it.)
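As an added illustration of the iterated-hash approach described above (this is example code, not code from the SBA or FTC guidance), the following uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt, a self-describing stored record, and a constant-time comparison; the record format and the `needs_rehash` helper are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Raise it over time as hardware speeds up;
# stored records carry their own count, so old records still verify.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_ALGO = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record of the form pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the salt and iteration count in the stored record
    and compare in constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        algo = scheme[len("pbkdf2_"):]
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed or unsupported record: never treat as a match
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with a weaker work factor than the current one;
    call after a successful login so the record can be upgraded transparently."""
    try:
        _, iterations, _, _ = stored.split("$")
        return int(iterations) < ITERATIONS
    except ValueError:
        return True
```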
You’re not done once you release your app. Stay aware and communicate with your users
Once your app is out there and available for download, stay involved with its security. Update security libraries, push updates out to users, and use user feedback to help you spot and fix vulnerabilities.
If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations
If your app deals with kids' data, health data, or financial data, ensure you're complying with the relevant rules and regulations, which are more complex for these categories of data. The FTC offers details on the regulations that your business needs to be aware of in the following guides:
The Bottom Line: One Size Doesn’t Fit All
There are no hard and fast rules for app security. The FTC clearly states that it expects app developers to shoot for reasonable data security practices and doesn’t prescribe a one-size-fits-all approach. For example, if you are developing a basic app such as an alarm clock or flashlight that collects little or no data, then this is going to raise fewer security considerations than a location-based social network or, let’s say, a health-monitoring app. These apps may use remote servers to store user data, and as a developer you’ll need to secure your app from end-to-end. This includes the software, as well as data transmission and servers.
The following is an excerpt taken from the article, "Developing a Mobile App? Follow These 12 Tips for Protecting and Securing User Data." For more information please visit www.sba.gov.