What are the FTC's Top 12 Tips for Mobile App Developers?

1.       Make someone responsible for security. Responsible Party:  Your team should include at least one person responsible for considering security at every stage of your app’s development.  If you’re running a solo operation, that person is you.  If you’re running a large company, the responsible should be reporting to an officer of the company.  It’s easy to assume someone else is handling security — whether that someone is a mobile operating system provider, a device manufacturer, or another member of the development team.  It’s true that everyone has a role to play, but as the developer, you’re the final line of defense.

2.       Take stock of the data you collect and retain. Minimize Practice data minimization: Don’t collect or keep data you don’t need.  For example, if your photo-editing app doesn’t require access to a user’s contact info, don’t ask for it.  Simply put, data you don’t collect is data you don’t need to worry about protecting.  Avoid keeping data longer than you need to.  For example, if you offer a location-based mobile game, get rid of the location data when it’s no longer relevant.

3.       Understand differences between mobile platforms. Research the mobile platforms:  Each mobile operating system uses different application programming interface (APIs), provides you with different security-related features, and handles permissions its own way.  Don’t expect that one platform works exactly like another.  Do your research and adapt your code accordingly.

4.       Don’t rely on a platform alone to protect your users. Protect Users:  Mobile platforms often provide helpful security features, but it’s your job to understand those features (and their limitations), implement them properly, and take other measures necessary to protect your users.  In addition, while platform-based permissions might be helpful in conveying security information to your customers, they’re no substitute for your own effective communication.  Talk to your users in your own words.

5.       Generate credentials securely. Create and Update Credentials:  If you create credentials for your users (like usernames and passwords), create them securely and update them from time to time.  For example, a short number string might be an appropriate token for authenticating a user on a game score board, but the same credential wouldn’t be appropriate for a social networking app.

6.       Use transit encryption for usernames, passwords, and other important data. Encryption is a Necessity:  Anytime your app transmits usernames, passwords, API keys, or other types of important data, use transit encryption.  Mobile devices commonly rely on unsecure Wi-Fi access points at coffee shops, airports, and the like — and it’s easy for troublemakers to snoop and intercept connections.

To protect users, developers often deploy SSL/TLS in the form of HTTPS.  Consider using HTTPS or another industry-standard method.  There’s no need to reinvent the wheel.  If you use HTTPS, use a digital certificate and ensure your app checks it properly.  A no-frills digital certificate from a reputable vendor is inexpensive and helps your customers ensure they’re communicating with your servers, and not someone else’s.  But standards change, so stay up to date on current technologies, and make sure you’re using the latest and greatest security features.

7.       Use due diligence on libraries and other third-party code. Due Diligence Required:  Before using someone else’s code to build or augment your app, do your research.  Does this library or SDK have known security vulnerabilities?  Has it been tested in real-world settings?  Have other developers reported problems?  Third-party libraries can save time, but make sure you stay accountable for your app.

8.       Consider protecting data you store on a user’s device. Secure and encrypt Consumer Data:  If your app handles personal information, protect or obscure the data — for example, by using encryption.  Some platforms have special storage schemes for sensitive data like passwords and keys.  Use them if they’re available.  This helps protect your users in the event of viruses, malware, or a lost device.

9.       Protect your servers. Secure your Server:  If you maintain a server that communicates with your app, take appropriate security measures to protect it.  If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server.  While some commercial services will monitor and update your servers’ security, others leave you in control. 

Server security is its own complex topic, so do your research.  Take steps to protect yourself from common vulnerabilities, including injection attacks, cross-site scripting, and other threats.

10.     Don’t store passwords in plaintext. Secure Passwords:  Don’t store passwords in plaintext on your server.  Instead, consider using an iterated cryptographic hash function to hash users’ passwords and then verify against these hash values. (Your users can simply reset their passwords if they forget.)  That way, if your server suffers a data breach, passwords aren’t left completely exposed.

11.     You’re not done once you release your app.  Communicate with Your Users:  Even after you ship your app, stay involved.  New vulnerabilities arise daily, and even the most reputable software libraries require security updates.  Follow general and library-specific mailing lists and have a plan for shipping security updates if needed.

Check your inbox, too.  User feedback can help you spot and fix security vulnerabilities.  When they discover vulnerabilities, researchers often try to resolve the issue with developers before publishing their findings.  It’s best to be part of that discussion early on.

12.     Highly Regulated Data Deserves Special Safeguards. Financial data, health data, or kids’ data:  If your app deals with kids’ data, health data, or financial data, ensure you’re complying with relevant rules and regulations, which are more complex.

Other recommendations by the FTC are that app developers evaluate the mobile ecosystem:

•         App developers can code quickly with the support of powerful software development kits (SDKs). However, a rush to release may result in dangerous security oversights.

•         Popular app stores can introduce apps to millions of users, and can lead to overnight popularity and failure.  Remember the bigger the user base, the greater the need for strong security. 

•         Ready-made software libraries and cross-platform toolkits can provide a head start in the development process.  However, as a developer, you are your app’s last line of defense, determining what goes in it and how it performs.

•         Mobile devices offer an array of exciting technologies. GPS receivers, cameras, and sensors let you create a unique experience for users.  But mobile users often rely on insecure Wi-Fi networks.  Low-tech threats — like loss and theft — raise the security stakes.  Balance these features and risks to protect users’ personal information and your own business reputation.

 

Mobile app developers should also make their privacy policies easily accessible through app stores and improve their coordination with advertising networks, analytics firms and other third parties that provide services for apps so that the developers can better understand the software used by the third parties and provide accurate privacy information to users.

 

For more information, see here:  www/ftc.gov

 

These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only.  No Claim to Original U.S. Government Works.  This may not be the most recent version.  The U.S. Government may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.