When apps are developed in a hurry and not properly put through their paces, the risk of something going wrong is high, as the Iowa Democratic Party just learned to its cost. Creating secure, fully functional mobile apps takes time and requires stringent testing. In the aftermath of the delayed results for Iowa’s Democratic presidential caucuses, it emerged that the app used to tabulate the votes was inadequately tested.
Leaving the politics and possible motives aside, cybersecurity professionals everywhere were left aghast at the rushed development. Sadly, this is nothing new, as mobile apps are often released with bugs and vulnerabilities in them. When Kryptowire analyzed the preinstalled apps on Android phones from 29 different manufacturers last November, it found 146 vulnerabilities.
We’re talking about issues on brand-new phones out of the box, before the owner even installs anything.
The potential risk to companies and their customers is enormous, especially at a time when data privacy is becoming a bigger issue, tighter regulations are bringing stricter penalties and public expectations are shifting. Any organization developing an app or engaging a third party to do it for them must consider security and include provision for proper in-depth testing.
Think about security from the start
All too often, security is an afterthought that comes at the end of development. It needs to be considered and built into the development process right from the outset with a documented secure development life cycle (SDLC) plan. Make sure that you consult with cybersecurity professionals during the design phase. It’s vital that the people you hire have relevant expertise in mobile apps and that you empower them to influence design and development as necessary to ensure the app’s integrity by following the documented plan.
Consider the types of data the app will deal with and insist that end-to-end encryption is built in. Restrict access wherever possible and think about two-factor authentication. Don’t forget about compliance, as regulatory requirements are evolving rapidly now.
It will be far easier and smarter to build all of this right from the start than to try to retrofit.
Build in analytics
Taking time to build in analytics right from the beginning will also pay dividends. You’ll want to ensure that any mobile app you develop is fit for purpose and fulfills the original brief, so you must be able to analyze the way it’s being used. Analytics also offers major benefits for future app updates in terms of improving the app’s efficiency and user experience.
A robust monitoring system can also be enormously useful when it comes to security testing. Detailed reporting from apps allows developers to trace issues back to the source and understand where vulnerabilities lie so they can fix them. The more detailed the logs, the easier it will be for developers to squash bugs and potential exploits.
Plan comprehensive testing
Part of the importance of considering security from the start of development is that you can design and implement a testing plan from day one. The adage about how much cheaper and easier it is to fix problems the earlier you catch them still holds true.
Running all kinds of different tests, many of them automated, should be a natural part of your development process. Unit testing and internal bug hunts are not enough, though.
For mobile apps designed to deal with sensitive data, you need to engage external security experts to conduct authenticated application penetration testing. In the case of a mobile app designed to tabulate voting results, a period of open testing by the broader cybersecurity community is advisable.
The more help you can get to uncover vulnerabilities and flaws, the better. It’s also crucial to employ some third parties without a vested interest in the mobile app development. You need security experts who are free from the pressure to deliver on a deadline so that you can get an impartial assessment.
While test environments can be useful, try to make sure you conduct the bulk of testing on the devices and platforms your end users will be using. Emulators and other shortcuts can mask potential issues.
Remediate issues and test again
Uncovering any vulnerabilities is only the first step; you also need to fix what you find. A risk assessment of each problem your testers encounter will help you to triage the issues. Expect several rounds of remediation and further application testing before you can be confident that vulnerabilities have been dealt with effectively and that the fixes employed haven’t introduced new bugs.
Mobile app testing should be an ongoing activity with provision to update and improve the app for the full length of its expected useful life cycle. It’s important to understand that no matter how stringent your testing, releasing an app to a wider community, whether it’s for a beta testing period or the final release version, is going to reveal new issues. It’s smart to provide an easy way within the app for users to report any bugs or other problems they encounter so the development team can investigate.
Best practice takeaways
Here’s a quick checklist to help you keep the salient points in mind:
• Build out an SDLC.
• Test as early and often as possible.
• Build in analytics and comprehensive reporting.
• Don’t rely on unit tests and automated testing alone.
• Employ third parties and external testers.
• Test on real-world devices and platforms.
• Focus on fixing the biggest vulnerabilities first.
• Test again to verify fixes and ensure new issues haven’t been introduced.
Ultimately, you need to be confident about your app’s functionality and security before you allow it to roll out, and thorough testing is the only way to gain that confidence.