Mobile apps offer big opportunities for businesses in the digital age. According to research from Statista, international revenues from mobile apps will reach a staggering $935bn by 2023, up from $365bn in 2018.
However, the process of creating mobile apps is considerably different from the process of enterprise software development. For starters, mobile apps are usually cloud-native, designed for a range of different operating systems and devices, and dependent on Android and iOS back-end microservices.
At the same time, there is often pressure on software developers to create mobile apps securely and quickly. But how can they do these things while taking into account the unique requirements of mobile apps?
Today, mobile apps perform a significant role in businesses across all industries. But when they are left vulnerable to security issues and subsequently breached by cyber criminals, businesses can face major disruption to their everyday operations.
“The mobile app is no less important than any other component of your business, and harder-to-spot breaches to an app’s security could have a disastrous impact,” says Olexandr Leuschenko, head of mobile at Ciklum.
“The issue of security in mobile app development is often underrated, and engineering teams might rely on the standard levels of protection provided by Apple and Google. In reality, however, it is the developers’ responsibility to secure the applications they are building.”
Leuschenko’s view is that software developers should take steps to secure mobile apps at the beginning of their development. In particular, he recommends that developers integrate security assessments into the software development lifecycle, follow established security principles and use solutions with proven efficiency.
“As a minimum requirement, developers should follow the most straightforward security rules: obfuscate the code, disable JavaScript in web views unless explicitly required, don’t store sensitive information in plain text, and do not commit any sensitive information to the VCS [version control system],” he adds.
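The last of those rules, keeping secrets out of version control, is the one most easily enforced by tooling. The following pre-commit style scanner is an added example (not Ciklum's code and not from the article): it checks staged file contents against a few generic credential patterns and refuses the commit when any line matches. The rule list, the `# allow-secret` marker and the sample staged files are all constructed for illustration.

```python
"""Pre-commit secret scanner (added example, not the article's or Ciklum's code).

Scans text that is about to be committed for patterns that commonly indicate
credentials, so the commit can be refused before a secret reaches the VCS.
The rule list and the sample files below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Each rule: (name, compiled regex). Deliberately generic; a real hook would
# add project-specific patterns (e.g. the exact shape of your vendor's keys).
SECRET_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
    ("generic_api_key",
     re.compile(r"(?i)\b(?:api[_-]?key|secret[_-]?key|auth[_-]?token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]")),
    ("bearer_token",
     re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-_.]{20,}")),
]

# Lines carrying this marker are let through (documented, non-production fixtures).
ALLOW_MARKER = "# allow-secret"


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, rule_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((path, lineno, name))
                break  # one finding per line is enough to block the commit
    return findings


def scan_staged(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> staged content (what a git hook would read)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(files: Dict[str, str]) -> bool:
    """True when at least one staged line looks like a secret."""
    return bool(scan_staged(files))


# Constructed sample of staged files; paths and values are made up.
SAMPLE_STAGED: Dict[str, str] = {
    "app/src/main/java/com/example/NetworkConfig.kt": (
        "object NetworkConfig {\n"
        "    const val BASE_URL = \"https://api.example.invalid\"\n"
        "    const val API_KEY = \"AKIAEXAMPLE0123456789ABCDEF\"\n"  # should be flagged
        "}\n"
    ),
    "deploy/ci_key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/src/test/Fixtures.kt": "val PASSWORD = \"hunter22\" # allow-secret\n",
    "README.md": "Set API_KEY in your local environment, never in the repo.\n",
}


if __name__ == "__main__":
    for path, lineno, rule in scan_staged(SAMPLE_STAGED):
        print(f"{path}:{lineno}: possible secret ({rule})")
    if should_block_commit(SAMPLE_STAGED):
        print("commit blocked: remove the secret or move it to a secure store")
```

Wired in as a `pre-commit` hook, the script would read the staged blobs (for example via `git diff --cached`) instead of the constructed `SAMPLE_STAGED` dictionary; the scanning logic is unchanged. The allow-marker exists so that documented test fixtures do not train developers to bypass the hook wholesale.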
This view is backed by ESET security specialist Jake Moore, who says developers can prolong protection if they ensure app functions are secure in the early stages of development. But he admits that improving the security of mobile apps is difficult because of the sheer number of platforms and operating systems currently available.
Also, Moore points out that mobile app security can be problematic for developers because phone hardware ages rapidly. “Multifactor authentication, for example, is a simple way to help protect the account holders from rogue access across all platforms, regardless of device,” he says.
When creating mobile apps, developers should also implement safeguards for protecting user data, says Moore. “Data that is handled by the application needs to be stored in such a way that only authorised users are allowed access,” he adds. “Encryption helps with trying to reduce unauthorised access and can be designed into the app regardless of generation. Any data secured in the cloud requires robust protection, but is not defined by the app development.”
Moore says testing is another vital part of the mobile app development process, but warns that developers can struggle with this when dealing with multiple generations of hardware and operating systems. “Zero-trust security is also a solid security method whereby it assumes that nothing on a network is secure,” he says. “Therefore, only the least number of permissions are granted to a user or a machine, and only as needed, helping to protect itself.”
Responding to changing user needs
Mobile app development requirements are drastically changing because of different user needs, according to Amit Sharma, a security engineer at Synopsys Software Integrity Group. “To react to the ever-changing mobile ecosystem – including hardware, platforms, operating systems, and so on – the development community is focused on native libraries that can be used to streamline their work,” he says.
“Automation is key to meet the needs of the market. Native cloud technologies play a crucial role in providing feasibility to achieve this. Developers now have the luxury to simultaneously launch and test their apps on various platforms, providing greater scalability and reliability. What’s more, rapid software development and deployment is necessary.”
If organisations are to ensure that security is integrated from the inception of mobile app development, Sharma says it is essential to educate the development community about secure coding guidelines and encourage developers to perform regular tests in all phases of the development process.
“With the extensive use of third-party libraries in the mobile domain, there must be checks on the inherent risks of an application,” he says. “Regular scans checking for risks in third-party libraries and licence obligations are a must to be intact with the compliance procedures across platforms, operating systems, and so on.”
Application programming interfaces (APIs) developed for back-end communication are another challenge to overcome and must be tested from a security perspective, says Sharma. “Using appropriate cryptographic mechanisms to keep data secure at rest as well as in transit should also be considered,” he says. “Reviewing permissions contributing to the idea of zero trust is a good way to move forward in the direction of developing secure apps. Being aware is being secure.”
Reducing the security burdens of mobile app development
Supporting multiple operating system versions and devices is an arduous task facing app developers, admits Sean Wright, application security lead at Immersive Labs. However, he points out that newer mobile app development frameworks such as Cordova can ease this burden.
“The framework ends up abstracting most of this difficulty,” he says. “This allows developers to essentially need to maintain only a single application in terms of source code. However, ensuring that this framework is kept up to date is vital for ensuring that the application is kept secure.”
Wright notes how Android and iOS have come a long way in ensuring that developers create secure applications for their respective platforms. “A good example is TLS [transport layer security],” he says. “Later versions of both mobile operating systems handle most of the complexity, such as certificate validation, helping enable more secure apps.”
Developing mobile apps securely doesn’t deviate significantly from web-based applications, says Wright. “You still need to follow best practices, such as encryption at rest and in transit, use appropriate libraries and frameworks where possible, and, importantly, ensure appropriate security testing is carried out on released versions of mobile applications,” he says.
“There are, in fact, many similarities between mobile applications and modern web applications. The application interacts via APIs to obtain and process data used by the application.”
Practising secure mobile app development
Developers at 1Password view security and privacy as fundamental parts of the entire app development process. “They determine how we architect our apps, which features we implement and how we implement them,” says Michael Verde, Android development team lead at 1Password.
1Password practises the security-in-depth approach, protecting communication with its server through the use of multiple encryption layers. “We employ similar layers of protection in our apps by leveraging the security features of the platforms they are deployed on – cryptographic frameworks, sandboxing, trusted execution environments and more,” he says. “We also build our apps in layers, ensuring that the most sensitive information is only handled by the innermost layers of the apps.”
Another way that 1Password achieves secure mobile app development is by designing features that are easy to understand and difficult to misuse. “Whenever there are trade-offs between security and convenience, we favour security and give our customers the choice to enable the convenience features that are right for them,” says Verde.
“We use a common code base as the foundation of our apps to ensure that the most sensitive pathways in our code are robust and implemented the same across each app. Centralising this code helps us guard against common pitfalls, such as logging sensitive data or personally identifiable information. And importantly, it makes it easy for our security team to review any changes that are made.”
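One concrete form of the centralised guard Verde describes is a single logging helper that every part of the app must call, and that redacts secrets and personal data before anything is written. The block below is an added example, not 1Password's code: the sensitive key names, the value patterns and the sample events are constructed for illustration, and a real app would tune them to its own data model.

```python
"""Centralised, redacting log helper (added example, not 1Password's code).

Every log call goes through one function that strips secrets and personally
identifiable information before the line is written, so individual screens
cannot accidentally log a token, a password or an email address.
Key names and patterns below are constructed for illustration.
"""
import logging
import re
from typing import Any, Dict, List, Mapping, Tuple

# Field names whose values are never logged, whatever they contain.
# Keys are split on '_', '-' and '.' so that e.g. "auth_token" is caught.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "cookie", "session", "ssn"}

# Value patterns redacted wherever they appear in free text.
PATTERNS: List[Tuple["re.Pattern[str]", str]] = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "<email>"),
    # 13-19 digits, optionally separated by spaces or dashes (card-number shaped).
    (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "<card>"),
    (re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-_.]+"), "Bearer <token>"),
]


def redact_text(text: str) -> str:
    """Replace every sensitive-looking value in free text."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def is_sensitive_key(key: str) -> bool:
    tokens = set(re.split(r"[_\-.]", key.lower()))
    return bool(tokens & SENSITIVE_KEYS)


def redact_fields(fields: Mapping[str, Any]) -> Dict[str, str]:
    """Drop values of sensitive keys entirely; scrub the rest as text."""
    out: Dict[str, str] = {}
    for key, value in fields.items():
        out[key] = "<redacted>" if is_sensitive_key(key) else redact_text(str(value))
    return out


def format_event(message: str, **fields: Any) -> str:
    """Build the single line that is allowed to reach the log sink."""
    safe = redact_fields(fields)
    return " ".join([redact_text(message)] + [f"{k}={v}" for k, v in safe.items()])


def log_event(logger: logging.Logger, message: str, **fields: Any) -> str:
    """The one entry point the rest of the app is allowed to use."""
    line = format_event(message, **fields)
    logger.info(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    app_log = logging.getLogger("app")
    # Constructed sample events; nothing here is real account data.
    log_event(app_log, "login failed for alice@example.invalid",
              user="alice@example.invalid", password="hunter2", attempts=3)
    log_event(app_log, "sync request",
              authorization="Bearer eyJabc.def_ghi-123", items=12)
    log_event(app_log, "card 4111 1111 1111 1111 added to vault", user_id=42)
```

Because there is exactly one entry point, a code review only needs to confirm that no module writes to `logging` directly (a lint rule or grep in CI can enforce that), rather than auditing every log statement in every screen.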
As well as ensuring that mobile apps are secure and that cyber criminals cannot breach them, businesses also need to release apps quickly to satisfy their customers and stay ahead of the competition. Len Welter, global product manager for the Bloomberg Professional mobile app, says: “Over the last several years, we have invested in our mobile infrastructure and platforms with the particular goal of speeding up development of our Bloomberg Professional mobile app – all without sacrificing performance or the native iOS/Android user experiences.”
Bloomberg is able to release app changes quickly thanks to its own mobile software development kit (SDK), says Welter. “The Mobile SDK creates a small set of performant, well-tested, reusable components which run natively on both Android and iOS,” he says. “This allows the user interface – and underlying business logic – to remain consistent, even as business requirements change.
“We can now quickly update our app to meet client demand. Our Mobile SDK has enabled us to ship relatively complex functionality to both iOS and Android in a matter of days or weeks, rather than months, as well as to accommodate a near-50% increase in usage of our mobile app during the pandemic.”
Mobile apps are a big deal for many businesses today. But what is clear is that mobile app development is a complex process comprising many different factors that developers need to understand. In particular, they must ensure mobile apps are secure and rolled out as quickly as possible. It’s fair to say these are prerequisites for successful mobile app development.