Security in apps

Checkmarx recently published a research report covering the State of Mobile Application Security 2014-2015. The report states that the level of security in both Android and iOS apps is surprisingly low and that developers lack awareness when it comes to implementing secure coding best practices. Here is our view on the report.

Questions about security and users’ privacy are increasingly being discussed, and though we agree that it is a very important aspect of our work with app development, it is also a muddy field of different perspectives and interests that all should be taken into account to get the full picture.
The Checkmarx report claims that, despite Apple’s more restrictive control over apps (reviewing apps before they are released through the App Store, for instance), the iOS platform is not more secure than the Android platform. We do not entirely agree. On the contrary, we believe that in general, iOS as an operating system is more secure than Android when it comes to protecting users’ private data. This is supported by the fact that Apple’s CEO, Tim Cook, has in several cases underlined how Apple prioritises protecting users’ privacy.
However, we do agree with the report that when it comes to third-party apps, iOS is just as insecure as Android. Numerous cases have demonstrated how apps with serious security flaws are released and used by millions of users. The dating app Tinder is a great example: an important feature in Tinder is to show users how close they are to each other geographically, but always in rough numbers. However, in 2013 researchers found that the Tinder servers were actually giving very detailed information about exactly where users were located. Security flaws like this are frequent, and neither Apple nor Google can fully prevent third-party apps from containing them. However, developers can, and should, address these flaws before they become real issues.

Safety always depends
It depends on what you are trying to protect, on usability, and on how much time you have to develop it. For instance, to ensure a good user experience, we generally only ask users to log into an app the first time they open it. However, to protect user credentials, the login information should not be saved locally on the phone. The degree to which we include and increase safety measures in our apps also depends on the specific product. We might build apps in which safety is not a vital component, since we are working with quite insignificant data, while in other cases it might be an important part of the development process to protect personal information such as usernames, passwords etc. We believe that developers should always assume that the app itself cannot be trusted, because an app can be manipulated by its user. Instead, safety measures should be incorporated in the backend system, which, presumably, can be trusted since servers are protected by various security measures that prevent unauthorized third parties from accessing them.
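The Tinder case above and the point that the backend, not the app, must enforce safety measures can be shown in one small backend handler. This is an added, constructed example (not Tinder’s code and not ours): a "leaky" handler that returns raw coordinates and trusts the app to round them, beside a hardened one that computes and coarsens the distance server-side and ignores any precision the client asks for. The user table, coordinates and request fields are made up for the illustration.

```python
import math

# Constructed sample data standing in for a user table (not real people or places).
USER_LOCATIONS = {
    "alice": (55.6761, 12.5683),
    "bob":   (55.6850, 12.5900),
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def nearby_leaky(request):
    """Weak handler: the UI only shows a rough distance, but the server hands the
    client the target's raw coordinates and leaves the rounding to the app."""
    lat, lon = USER_LOCATIONS[request["target"]]
    return {"user": request["target"], "lat": lat, "lon": lon}

def nearby_hardened(request):
    """Hardened handler: the distance is computed and coarsened on the server.
    Raw coordinates never leave the backend, and a client-supplied 'precision_km'
    field is ignored because the app itself cannot be trusted."""
    viewer_lat, viewer_lon = USER_LOCATIONS[request["viewer"]]
    target_lat, target_lon = USER_LOCATIONS[request["target"]]
    km = haversine_km(viewer_lat, viewer_lon, target_lat, target_lon)
    # Whole kilometres with a floor of 1: "about 2 km", never "1.682 km".
    return {"user": request["target"], "distance_km": max(1, math.ceil(km))}

if __name__ == "__main__":
    # precision_km is untrusted client input; the hardened handler never reads it.
    req = {"viewer": "alice", "target": "bob", "precision_km": 0.001}
    print(nearby_leaky(req))     # leaks exact coordinates
    print(nearby_hardened(req))  # {'user': 'bob', 'distance_km': 2}
```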

iOS and Android both try to protect the users
From a user perspective, it is also worth mentioning that neither Apple nor Google have left their users completely at the mercy of developers when it comes to security. Android devices have a built-in component, Google Play Services, that detects malware in recently installed apps. Many users are not aware of Google Play Services, but it is updated automatically and serves as protection against third-party apps. And with iOS 9, Apple has introduced App Transport Security, which ensures that communication in iOS 9 by default conforms to certain practices that ensure a secure connection between an app and its backend system. This should prevent unintended disclosure of private information through apps. In this way, Apple meets the Checkmarx report’s takeaway about integrating “secure coding best practices into the development life cycle.”
However, these measures do not, of course, change the picture for users who are worried about how the companies they trust are in fact treating their data.

Checkmarx’ report claims that the iOS and Android platforms are equally insecure, and that is, in our opinion, not the entire truth. But at the same time, the report’s key takeaways basically call for developers to take responsibility for users’ security and privacy, and this is a far more essential point that we believe all developers should take note of. If you’re interested in knowing more about security in apps, we recently contributed to a Danmarks Radio special about just that.
22 Dec 2015