Mobile App Developers: Are You Developing a Secure Mobile App?
Who is asking? The U.S. Government. Specifically the Federal Trade Commission’s Bureau of Consumer Protection. With the continuing growth of mobile applications, the FTC has increased its scrutiny of the mobile marketplace. This increased attention is highlighted by its recent actions against mobile app developers (e.g. Credit Karma, Inc. and Fandango, LLC).
The two companies were charged with misleading consumers into thinking that their respective apps were safe and secure when, the FTC argued, the apps left “consumers’ sensitive personal information at risk,” essentially by failing to implement reasonable and standard security measures. Specifically, the FTC alleged that the developers had disabled Secure Sockets Layer (“SSL”) certificate validation in their apps. With validation turned off, the app still encrypts its traffic, but it no longer checks who it is talking to, so an attacker on the same network can present a forged certificate, sit in the middle of the connection, and read or alter the data in transit. That risk is especially acute for mobile apps, which frequently transmit data over public Wi-Fi networks.
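What “disabling SSL certificate validation” looks like in code, next to the two correct alternatives, as an added example that is not part of the original post and is not code from either company’s app. It is written in Go against a local self-signed test server (constructed here to stand in for an app’s backend) rather than in a mobile SDK; the function names and the three configurations are this example’s own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTestServer starts a local HTTPS server with a self-signed certificate.
// It stands in for the app's backend; constructed for this example only.
func newTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// fetch performs a GET with the given TLS client configuration and returns
// the connection error, if any.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// insecureConfig is the pattern the FTC complaints describe: certificate
// validation is switched off, so any certificate, including one forged by
// an attacker on the same Wi-Fi network, is accepted.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// defaultConfig validates the server certificate against the system trust
// store (Go's default); a self-signed certificate is rejected.
func defaultConfig() *tls.Config {
	return &tls.Config{}
}

// pinnedConfig trusts exactly the certificate the app expects (here, the test
// server's own). This is how to handle a self-signed or private-CA backend
// instead of disabling validation.
func pinnedConfig(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool}
}

// Outcomes runs the three configurations against the local self-signed server
// and reports whether each connection was established.
func Outcomes() (insecureOK, defaultOK, pinnedOK bool) {
	srv := newTestServer()
	defer srv.Close()
	insecureOK = fetch(srv.URL, insecureConfig()) == nil
	defaultOK = fetch(srv.URL, defaultConfig()) == nil
	pinnedOK = fetch(srv.URL, pinnedConfig(srv.Certificate())) == nil
	return
}

func main() {
	insecure, def, pinned := Outcomes()
	fmt.Printf("validation disabled: connected=%v (would accept a forged cert too)\n", insecure)
	fmt.Printf("default validation:  connected=%v (self-signed cert rejected)\n", def)
	fmt.Printf("pinned certificate:  connected=%v\n", pinned)
}
```

The point of the example is the asymmetry: the insecure client “works” against every server, which is exactly why the switch gets flipped during development and shipped by accident, while the default client fails loudly on an untrusted certificate. When a backend legitimately uses a self-signed or private-CA certificate, the fix is to ship that certificate (or its CA) with the app and validate against it, not to turn validation off.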
So, how do you make sure your app is secure? The answer: it depends on the app. However, a couple of good starting points are the FTC Business Center and the Open Web Application Security Project’s website. The latter includes the OWASP Top 10, a periodically updated document compiled by security experts that lists the ten most critical application security risks for a given edition (e.g. the 2013 list leads with injection flaws and broken authentication and session management), and is designed to help developers create and maintain secure applications.
To be sure, the FTC isn’t looking for a 100% secure app, only a “comprehensive security program.” Without the latter, you and/or your company could be exposed to fines, regular (and costly) independent security assessments, litigation and other legal expenses. Takeaway: do a risk assessment, mitigate risk in proportion to the app and the data being collected or transmitted, don’t misrepresent the security of your app, and put policies in place to continuously monitor security risks.