Brought to you by AVG Technologies, the provider of Internet and mobile security, privacy and optimization to 150 million active users. There’s nothing small about small business in our eyes. Get more information how AVG can help your small business stay protected – go to http://www.avg.com/us-en/internet-security-business. .
App Security Can Not Be Ignored: 12 Survival Tips for The Small Business Using and Creating Apps
The mobile app world is full of forks in the roads. The decisions that you take when using or developing apps for mobile devices determine the difference between a smooth ride and a possible data compromise. It’s been that way ever since manufacturers came up with the splendid idea of putting an entire computer system, which stores all your business’ personal data, into a compact device that you can carry as easily as you can lose.
Smartphone operating systems are getting more complex with each new version. As complexity increases, so does the necessity for responsibility within the user and developer communities. Users must learn how to tread carefully along a thin line that lies between complete vulnerability and some measure of safety, while developers have to learn to make apps that can protect their users’ private data.
As the owner of a small business, your job is to make sure that all the apps that handle your sensitive data protect your privacy and ensure that the possibility of a data breach is minimized. This applies to applications you get from other sources and those that you develop yourself.
First, let’s have a look at what you and your employees should do as an app user:
- Make sure you and your employees have an adequate antivirus software installed on your phones. In a small business environment, viruses and worms can creep in and infect other systems connected to a network.
- Use default channels for app downloads. If someone is using an iPhone, that person should be using the App Store to install apps. Android uses Google Play. As long as you and your employees stick to this, the possibility of malware infiltrating a phone becomes a bit lower. You can still get bad apps from default channels, though!
- Before putting an app into mainstream use in your business, make sure that you’re absolutely certain of what kind of data that app will have access to. If you don’t know this information, and you let the app loose around your business, it will eventually bite you back at some point in time.
- Make sure that your employees don’t send any data related to work through apps and to people that you didn’t authorize.
- Minimize the number of apps you run on your phone. Encourage employees to do the same. Running a smaller amount of apps gives you more control of your data and makes the phone run more smoothly.
When developing apps, the story changes. You have to take into account many factors to ensure that you produce an icon-clad app:
- Rather than using cloud providers, use internal storage as much as possible. The most sensitive data should be stored either on the phone or on a cloud server that your business owns and operates. Do not store data in third-party clouds. Write the app in such a way that it would prioritize internal memory for this kind of data.
- Don’t rely on write permissions. Just because an attacker cannot read something doesn’t mean he won’t be able to see if a particular entry in a database exists. This is how SQL injections happen. When developing Android apps, remember to use “android:exported=false” in the app manifest to make it impossible for other apps in the phone to use your app’s content provider. To prevent injections, it’s important to encrypt important SQL data you store (such as passwords and internal memos). Also, make the structure unpredictable (name “phone numbers” something like “phnnr”).
- Avoid developing an app that requires permissions in the host operating system. A phone becomes vulnerable when it gives permissions to apps, allowing unauthorized persons to exploit those permissions.
- To avoid possible sniffing, develop your business’ app with a preference for HTTPS transactions, rather than HTTP. Also, avoid sending data through “localhost,” since other apps might be sniffing the data that comes through here.
- Avoid sending SMS messages through the app unless absolutely necessary. In the case of any potentially sensitive data, avoid the SMS protocol at all costs.
- If you need a GUID, create a unique number rather than using the phone’s IMEI number.
- Never leak user info to any logs shared with other apps.
This is a lot to take in, but it guarantees that your business will develop the safest possible app for any phone operating system. Don’t forget to guide your employees through the process of ensuring safety on their phones, preventing a disaster from ever happening.