Insurance & Technology is part of the Informa Tech Division of Informa PLC


09:55 AM
Charlie Fairchild, WillowTree
Commentary

Mobile App Development: 5 Worst Security Dangers

Address these areas when building apps -- or brace yourself for a PR and liability nightmare should an attacker find and exploit a flaw.

Most people aren't thinking about security and data privacy when buying a scone at Starbucks with their phones, playing Angry Birds while commuting, or using whatever clever app is the cornerstone of your digital business strategy. If they give security any thought, they figure the developers took care of all that for them. The app is from a reputable company, and they got it from the app store -- or even directly from their employer. What could go wrong? A lot.

The global mobile infrastructure is a complex, interconnected, and desirable target. Companies must tackle potential security problems when formulating a B2B or B2C mobile strategy. While security particulars vary widely, depending on the type of app being deployed, it's up to IT leaders to ensure that user convenience never trumps protection of valuable enterprise or consumer information.

Data collection is a popular function in both platform-specific and browser-based apps, according to a recent InformationWeek mobile application development survey. Better make sure you secure those forms.

1. Insecure data storage
The Starbucks mobile app is one of the most widely used mobile payment apps in the US. Consumers simply enter their passwords once when activating the payment portion of the app and use it again and again to make unlimited purchases without having to re-enter their password or username.

While that might be convenient for a caffeine-starved public, Starbucks recently confirmed that its app was storing usernames, email addresses, and passwords in clear text. That allowed anyone with access to the phone to see passwords and usernames just by connecting the phone to a PC. The clear-text data also included users' geolocation tracking points. With this information in hand, unauthorized individuals would have the credentials to log in to the Starbucks website as well. It's common for users to employ the same username and password across systems, so if someone compromises that particular password, the potential also exists for them to compromise additional user accounts.

Design apps in such a way that critical information such as passwords and credit card numbers does not reside directly on a device. If it does, it must be stored securely. For iOS, passwords should be stored within an encrypted data section in the iOS keychain. For Android, they should reside within encrypted storage in the internal app data directory, and the app should be marked to disallow backup.
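A pre-release check for the two Android failures described above (backup left enabled, sensitive values readable in app storage), as an added example that is not part of the original article. It assumes the manifest has already been decoded to text XML (for example with apktool) and that a shared_prefs file was copied from a test device; the package name, keys and values are constructed, and the key-name pattern is a heuristic.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Heuristic key names for the data the article lists: credentials, cards, location.
SENSITIVE_KEY = re.compile(r"pass|pwd|token|secret|card|email|user|(^|_)(lat|lon|geo)", re.I)

# Constructed sample: decoded manifest that never sets android:allowBackup.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coffeepay">
  <application android:label="CoffeePay"/>
</manifest>"""

# Constructed sample: a SharedPreferences file from the app's shared_prefs/ directory.
SAMPLE_PREFS = """<map>
  <string name="username">alice</string>
  <string name="password">hunter2</string>
  <string name="theme">dark</string>
  <float name="last_lat" value="38.03"/>
</map>"""


def backup_allowed(manifest_xml: str) -> bool:
    """True unless <application> sets android:allowBackup="false" (it defaults to true)."""
    app = ET.fromstring(manifest_xml).find("application")
    value = app.get(ANDROID_NS + "allowBackup") if app is not None else None
    return (value or "true").strip().lower() != "false"


def cleartext_secrets(prefs_xml: str) -> list[str]:
    """Names of preference entries with a sensitive-looking key and a readable value."""
    hits = []
    for entry in ET.fromstring(prefs_xml):
        name = entry.get("name", "")
        value = (entry.text or entry.get("value") or "").strip()
        if value and SENSITIVE_KEY.search(name):
            hits.append(name)
    return hits


def audit(manifest_xml: str, prefs_xml: str) -> list[str]:
    findings = []
    if backup_allowed(manifest_xml):
        findings.append("manifest: backup not disabled, app data can leave the device")
    findings += [f"shared_prefs: '{n}' stored in clear text" for n in cleartext_secrets(prefs_xml)]
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MANIFEST, SAMPLE_PREFS)))
```

A clean result only means no obviously named secret was found in that file; it does not prove the values that are present are encrypted.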

Read the rest of this article on InformationWeek
