Our Top 12 Tips to prevent hacks and security breaches on your mobile app
The recent hacker attack that breached the security of the Starbucks app has brought to light the importance of implementing all the measures necessary to ensure the security of your mobile app.
Based on the extensive experience of our team here at TheAppLabb in building secure mobile apps, we have compiled a list of practices that mobile apps can incorporate to prevent hacks and security breaches:
1. Single Sign-On: The user should be able to sign in from only one device at a time.
2. OAuth: We can provide three-layered security to the user between the back-end application and the front-end mobile app through an OAuth implementation (as implemented by apps like Twitter and Instagram). OAuth is basically an authentication protocol that allows users to approve the application to act on their behalf without sharing their password. Additionally, we can protect the web services with rate-limit functionality to prevent the server from being overloaded. Rate limiting helps control the rate of traffic sent to or received by a server or network.
3. Single Sign-On with OAuth: To give users more secure transactions from only one place at a time, we can integrate the Single Sign-On mechanism with OAuth functionality.
4. Registration: To prevent the registration of fake users and fake user information, we can implement email verification and a CAPTCHA. A one-time password (OTP), which is a password valid for only one login session or transaction, can also be implemented.
5. Encryption: All important data transferred between the mobile application and the server should be in an encrypted format, so that even if the data on the network layer is accessed from outside, it will not be in a readable format. RSA and SHA encryption techniques are effective techniques for this purpose.
6. Whitelist IP: To prevent in-house applications and enterprise applications from being accessed from outside, it is essential to whitelist IP addresses as a checkpoint.
7. HTTPS: All data associated with commercial transactions should be transported over HTTPS.
8. Touch ID: On iOS, the Touch ID mechanism can be integrated as an authentication step to prevent the app from being used by unknown users even if the phone is lost.
9. Analytics: It is important to keep track of all app-related activities through analytics. This is useful for tracking app usage, as well as the IP address and method of each transaction. For example, using TestFairy we can track activities as screenshots along with internet provider information and a timestamp.
10. Two-Factor Authentication: For mobile transactions, two-factor authentication can be built into the app, requiring a person to enter a separate code before making changes to the account. That way the user will need to validate account changes and/or be tipped off to activity in their account.
11. Block Access: If too many incorrect password attempts have been made, the app should block access to the account in order to prevent brute-force attacks.
12. Terms & Conditions: Especially for apps that feature purchases using a mobile wallet, it is important to have terms and conditions in place to bind a fraudulent user, so that if a user is flagged for fraudulent activity, legal action can be taken against that user.
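As an added illustration of tip 11 (not code from the original post or from TheAppLabb), here is a server-side lockout that counts wrong-password attempts per account within a sliding window and blocks the account for a cooling-off period once the limit is reached. The policy values, the `LoginGuard` class and the `check_password` callback are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Assumed policy values (not from the original post): lock an account after
# MAX_FAILURES wrong passwords within WINDOW_SECONDS, for LOCKOUT_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60


class LoginGuard:
    """Tracks failed password attempts per account on the server side."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, handy for tests
        self._failures = defaultdict(deque)  # username -> timestamps of failures
        self._locked_until = {}              # username -> time the lock expires

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._now() >= until:             # lockout has expired: start fresh
            del self._locked_until[username]
            self._failures[username].clear()
            return False
        return True

    def record_failure(self, username):
        """Call after a wrong password; returns True if the account is now locked."""
        now = self._now()
        window = self._failures[username]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # forget failures outside the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username):
        self._failures[username].clear()     # correct password resets the counter


def attempt_login(guard, username, password, check_password):
    """Returns 'locked', 'ok' or 'bad_password'; check_password is the app's own verifier."""
    if guard.is_locked(username):
        return "locked"                      # refuse before touching the password at all
    if check_password(username, password):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "bad_password"
```

Because the counter lives on the server, an attacker cannot reset it by reinstalling the app; pair it with the per-IP rate limiting mentioned in tip 2 so that one attacker cannot lock many accounts cheaply.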