It is generally accepted that no app is hack-proof, so the title of this post may seem misleading. The intention here is not to attempt the impossible but to get as close as is practically achievable to making apps safer and more secure, not only for their users but also for the servers (where applicable) that the apps connect to or synchronize with.
The following are important pointers to remember when making an app safer and more resistant to attackers:
1. Reminding Users of Their Responsibility
In many cases, even the most secure apps become less secure because of their users. With banking apps, for instance, passwords and other sensitive information are often stolen because of user negligence. It is therefore a good idea to build reminders into the app that encourage users to be more careful in the way they use it. On the login page, for example, brief pointers on protecting login details can be shown. The app can also warn the user when a chosen password is too weak, and prompt for a change when a password is too short or too simple. Checking a candidate password against a list of commonly used passwords catches far more weak choices than a length rule alone.
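One way to implement the weak-password warning described above, as an added example that is not code from the original post. The minimum length, the treatment of long passphrases, and the short list of common passwords are assumptions chosen for the example; a real deployment would check against a full breached-password list.

```python
# Added example (not from the original post): password feedback of the kind the
# paragraph describes. The common-password list is a constructed stand-in for a
# full breached-password list, and the length policy is an assumption.
import re
from typing import List

MIN_LENGTH = 12  # assumption: policy minimum chosen for this example

# Constructed sample of commonly used passwords (a real list is far longer).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "password1", "abc123",
}

def password_feedback(password: str) -> List[str]:
    """Return human-readable problems with the password; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"Use at least {MIN_LENGTH} characters.")
    # Strip digits/symbols so 'PassWord1!' is still recognised as 'password'.
    stripped = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("This password is on a list of commonly used passwords.")
    # A short password drawn from a single character class (e.g. all digits) is
    # quick to brute-force; long passphrases get their strength from length instead.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 2 and len(password) < 16:
        problems.append("Mix letters, digits and symbols, or use a longer passphrase.")
    # Four or more of the same character in a row add almost no entropy.
    if re.search(r"(.)\1{3,}", password):
        problems.append("Avoid repeating the same character many times.")
    return problems

def is_weak(password: str) -> bool:
    """True when the password should trigger the in-app warning."""
    return bool(password_feedback(password))
```

The returned messages are meant to be shown to the user as the paragraph suggests; the login handler should also run the same check server-side, since client-side checks can be bypassed.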
2. Multi-Stage Login and Verification
Usernames and passwords are the first line of defense in apps that involve logins. As such, the login process should be made highly secure, and it should be very difficult to steal or misuse these account details. One of the most effective ways of protecting usernames and passwords is the use of multi-stage logins or account verification. Also referred to as multi-factor authentication, this means a login process that involves more than entering a username and password: additional factors such as a transaction password, an automatically generated one-time PIN for every login, a pattern, or other things that only the user knows or has access to. Note that a second secret the user memorizes (such as a transaction password) is still something the user knows; the strongest combinations add something the user has, such as a code generated on a registered device.
Smartphones like the Galaxy Note 3, iPhone 6 and 6 Plus, and Galaxy S5 already come with fingerprint scanners. Developers producing apps for these and other fingerprint-capable devices are advised to make the most of the feature for added security. Keep in mind that the fingerprint unlocks a credential stored on the device; the server should verify that device-bound credential rather than trust a "fingerprint OK" flag sent by the client.
Additionally, putting a Content Delivery Network (CDN) in front of the app's servers can contribute to its security. A CDN is a network of interconnected servers distributed around the world that serves content from locations close to users, which speeds up loading for data-heavy applications. Its security value comes from the same distribution: the many servers together absorb far more traffic than a single origin can, which helps withstand volumetric Distributed Denial of Service (DDoS) attacks and so improves the app's availability. A CDN does not, however, fix flaws in the app itself, and the origin servers should accept traffic only from the CDN; otherwise an attacker who discovers the origin address simply bypasses it.
3. Time Out Log Out
Apps should also be made to log out or disconnect automatically when idle, or at least offer this as an option. For banking and other critical online accounts it should be mandatory. A session should expire after a specific, short period of inactivity. Obviously, this is meant to prevent unauthorized access to the account while it is unattended but still open, accessible, and modifiable. The expiry must be enforced on the server side; a timer that runs only in the client can be disabled by anyone holding the session token.
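A server-side session store with both an idle timeout and an absolute lifetime, as an added example that is not code from the original post. The two timeout values are assumptions chosen for illustration, and the clock is passed in explicitly so the behaviour can be exercised without waiting.

```python
# Added example (not from the original post): server-side session expiry with an
# idle timeout (refreshed by activity) and an absolute lifetime (not refreshed).
# Timeout values are assumptions; storage is an in-memory dict for illustration.
import secrets
import time

IDLE_TIMEOUT = 5 * 60         # assumption: 5 minutes without activity ends the session
ABSOLUTE_LIFETIME = 8 * 3600  # assumption: re-login after 8 hours regardless of activity

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now=None) -> str:
        """Start a session and return its token (256 bits of randomness, unguessable)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def get_user(self, token: str, now=None):
        """Return the user for a live session and refresh its idle timer.
        Returns None for unknown or expired tokens, and removes expired ones."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_too_long = now - s["last_seen"] > IDLE_TIMEOUT
        lived_too_long = now - s["created"] > ABSOLUTE_LIFETIME
        if idle_too_long or lived_too_long:
            # Forget it server-side; deleting only the client's cookie would leave
            # a stolen copy of the token usable.
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        """Explicit log-out: invalidate the token immediately."""
        self._sessions.pop(token, None)
```

Every authenticated request should go through `get_user` (or its equivalent) so that activity refreshes the idle timer, while the absolute lifetime caps how long a stolen token stays useful even on an active session.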
4. Avoiding Too Detailed Error Messages
The error messages an app displays when something goes wrong should not give a comprehensive account of what happened inside the application. Details such as stack traces, internal hostnames, file paths, database names, or the exact reason a login failed help attackers map out which parts of the app are vulnerable. Error details are meant to guide developers in fixing problems, not to guide attackers; keep them in server-side logs and show the user a generic message, ideally with a reference number that support staff can use to find the logged detail.
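The difference between a leaky and a safe error response, as an added example that is not code from the original post. The `lookup_account` function is a constructed stand-in for a data-access layer and fails on purpose; the reference-id scheme is this example's own choice.

```python
# Added example (not from the original post): the client receives a fixed message
# plus a random reference id, while the full exception and stack trace go to the
# server log under that id. lookup_account is a constructed stand-in that always fails.
import logging
import secrets
import traceback

log = logging.getLogger("app")

def lookup_account(account_id: str) -> dict:
    # Constructed failure, shaped like what a real database driver would raise.
    raise RuntimeError(
        f"connection to db-primary.internal:5432 refused while loading account {account_id}"
    )

def verbose_handler(account_id: str) -> dict:
    """The pattern to avoid: internal hostnames, ports and the trace reach the client."""
    try:
        return lookup_account(account_id)
    except Exception as exc:
        return {"error": str(exc), "trace": traceback.format_exc()}

def safe_handler(account_id: str) -> dict:
    """Generic message to the client; details to the log, linked by a reference id."""
    try:
        return lookup_account(account_id)
    except Exception:
        ref = secrets.token_hex(8)
        # log.exception records the stack trace; the id lets support find it later.
        log.exception("request failed ref=%s account_id=%r", ref, account_id)
        return {"error": "The request could not be completed.", "ref": ref}
```

The same rule applies to authentication failures: respond with "invalid username or password" for both a wrong password and an unknown username, so the message does not reveal which accounts exist.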
5. Warning Users of Account Access from Unusual Addresses
Facebook and Google already provide this kind of security measure. In the case of Facebook, identity verification is required when an account is accessed from a different computer or smartphone (one the account has not been used from before, for example a new IP address). This verification is required even when the correct login details are entered. It is a very useful method that app developers should always consider: even if a username and password are stolen, they are not enough on their own, because an additional verifying or authenticating factor will be required from the unfamiliar device, and the legitimate owner is alerted to the attempt.
6. Limiting Allowable Incorrect Username and Password Entry
There should be a maximum number of unsuccessful login attempts permitted in an app. Otherwise, attackers can use bots or other tools to automate guessing the username and password combination that opens an account. Exceeding the allowed number of failed attempts can lock the account, or it can simply block further attempts for a certain period. Prefer temporary, escalating lockouts over permanent ones: a permanent lock lets an attacker who knows only a username deny that user access by deliberately entering wrong passwords. The count should also be kept per source address, so that guesses spread across many accounts are throttled too.
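One login routine that applies both of the controls from points 5 and 6 above, as an added example that is not code from the original post: a per-account limit on failed attempts with a temporary, escalating lockout, and a step-up check when a correct password arrives from a device the account has never used. The thresholds, the in-memory storage, the `device_id` parameter and the PBKDF2 settings are all assumptions chosen for the example.

```python
# Added example (not from the original post): failed-attempt limiting with an
# escalating temporary lockout, plus "unknown device" detection that demands a
# second verification step. Thresholds and storage are assumptions.
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5         # assumption: failures before the account is locked
BASE_LOCK_SECONDS = 60   # assumption: first lockout length; doubles with each lockout
PBKDF2_ITERATIONS = 100_000  # assumption; raise for production hardware

def hash_password(password: str, salt: bytes = None) -> bytes:
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Hashed once so unknown usernames cost the same time as wrong passwords.
DUMMY_HASH = hash_password("dummy-password-for-timing")

class LoginService:
    def __init__(self):
        self.users = {}  # username -> record dict (see register)

    def register(self, username: str, password: str, first_device: str) -> None:
        self.users[username] = {"hash": hash_password(password), "devices": {first_device},
                                "failures": 0, "lock_until": 0, "lockouts": 0}

    def login(self, username: str, password: str, device_id: str, now=None) -> str:
        """Returns 'ok', 'needs_verification', 'locked' or 'bad_credentials'."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            check_password(password, DUMMY_HASH)  # equalise timing; do not reveal existence
            return "bad_credentials"
        if now < user["lock_until"]:
            return "locked"
        if not check_password(password, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                # Temporary, escalating lock: slows guessing without letting an attacker
                # permanently lock a victim out by hammering the victim's username.
                user["lock_until"] = now + BASE_LOCK_SECONDS * (2 ** user["lockouts"])
                user["lockouts"] += 1
                user["failures"] = 0
            return "bad_credentials"
        user["failures"] = 0
        if device_id not in user["devices"]:
            # Correct password from an unfamiliar device: require a second factor and
            # notify the owner before the device is trusted (point 5 above).
            return "needs_verification"
        return "ok"

    def confirm_device(self, username: str, device_id: str) -> None:
        """Called after the second factor succeeds on the new device."""
        self.users[username]["devices"].add(device_id)
```

In a real deployment the per-account counters live in a shared store rather than in process memory, and a separate per-source-address limit should sit in front of this routine so an attacker cannot simply spread one guess over thousands of usernames.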
7. Software Code Evaluation or Review
Developers or development teams are expected to review code every time an app is completed. However, this may not be enough, especially for apps intended for critical or sensitive functions. It can be helpful to enlist third-party reviewers or code review tools, which can efficiently uncover application-layer flaws and vulnerabilities that the original developers have become blind to. Ensuring the integrity of an app is important enough that money spent on code review is not wasted. At the very least, it supplements the developers' own efforts to ensure the app's integrity, security, and proper functioning.
Conclusion
Again, it is impossible to make an app totally invulnerable to hacking. However, this does not mean that no effort should be made to make a successful attack less likely. The tips above are simple and free to implement, so there is no reason not to try them.
I am in the middle stages of developing an app that does, in fact, contain user login and really appreciate your thoughts and ideas on ensuring security. Thank you very much, I will be back in the future to see what else I can find to improve my programs.
Code review is so important, especially if you are using open source components. Since open source components are updated so frequently, you want to make sure your app is always running the newest version with the fewest security flaws.