Developing a Mobile App? Follow These 12 Tips for Protecting and Securing User Data

By Caron_Beesley, Contributor
Published: May 29, 2013

Smartphone and tablet users will download 70 billion apps this year, according to an estimate by ABI Research. And the total global mobile app market is expected to be worth $25 billion by 2015, reports TechCrunch.

If you have an idea for a marketable app or are currently developing one, then the world may just be your oyster. But before you take your app to market and get it accepted by an app store, the Federal Trade Commission (FTC) wants to ensure that your security policies are up to scratch and that you have taken the right measures to protect the data that your users share with you.

Why? Apps and mobile devices often rely on consumer data – including contact information, location, photos, and so on – all of which can be vulnerable to data breaches, digital snoops and regular theft. In fact, MarketsandMarkets cites the risk of data theft through delivery of phishing and spyware in mobile apps as the biggest downside to the growth in available apps.

The FTC offers the following 12 tips to help developers approach mobile app security:

1. Appoint a security lead

Your development team should include at least one person responsible for considering security at each stage of your app’s development. If you are a solo entrepreneur, then that person is you.

2. Review the data you intend to collect and maintain

Don’t collect or keep data that you don’t need. If you don’t need users’ contact info, don’t collect it. Likewise, don’t keep user data any longer than you need to – including location data.

3. Understand the differences between mobile platforms

Each mobile operating system uses a different application programming interface (API), which includes different security features and permission handling. So don’t just assume one size fits all; adapt your code accordingly.

4. Don’t rely on a platform alone to protect your users

Platforms may offer features to make security easier, but it’s up to you to understand them. Use them properly, and explain them to your users in everyday language.

5. Create secure user credentials

If your app requires that users create usernames and passwords, make sure that these credentials are secure and appropriate to the nature of your app. For example, a social networking app would require a higher level of authentication (password strength requirements) than a gaming app.

6. Encrypt any data that is transmitted

Use transit encryption (SSL/TLS in the form of HTTPS) to secure usernames, passwords, API keys and any other important data that is transmitted from a device to your server. This is particularly critical because many users use unsecured public WiFi networks to access apps. If you use HTTPS, use a low-cost digital certificate from a reputable vendor and ensure your app checks it properly.
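The last sentence of this tip is where client code most often goes wrong: the app speaks HTTPS, but verification of the server certificate has been switched off to get past a setup problem. The following Python example is added here for illustration and is not code from the FTC or from this post. It builds a TLS client context that verifies the certificate chain and the hostname, shows the weak configuration beside it, and audits a context before any connection is opened. Function names and the policy choices (TLS 1.2 minimum, optional private CA bundle) are assumptions of this example.

```python
import socket
import ssl
from typing import List, Optional


def build_strict_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server certificate chain and hostname.

    With ca_bundle=None the platform trust store is used; pass a PEM path to
    trust only a specific CA (an assumption of this example, not an FTC rule).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and TLS 1.0/1.1
    ctx.check_hostname = True                     # cert name must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain aborts the handshake
    return ctx


def build_weak_client_context() -> ssl.SSLContext:
    """The mistake this tip warns about: a context that accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False    # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context verifies properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions allowed")
    return findings


def open_verified_connection(host: str, port: int = 443,
                             ctx: Optional[ssl.SSLContext] = None,
                             timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that fails closed if the context does not verify the server."""
    ctx = ctx or build_strict_client_context()
    if audit_context(ctx):
        raise ValueError("refusing to connect with a context that does not verify the server")
    sock = socket.create_connection((host, port), timeout=timeout)
    # A certificate that does not chain to a trusted CA, or whose name does not
    # match `host`, makes wrap_socket raise ssl.SSLCertVerificationError.
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("strict", build_strict_client_context()),
                      ("weak", build_weak_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Running the block prints an empty finding list for the strict context and two or three findings for the weak one. The audit in open_verified_connection is the useful habit: a context that silently accepts any certificate gives an attacker on the same public WiFi the plaintext the tip is trying to protect, so refuse to use such a context at all rather than relying on every call site to remember the setting.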

7. Exercise caution and use due diligence on libraries and other third-party code

Third-party libraries can save time, but keep your ear to the ground. Does the library or SDK have known security vulnerabilities?

8. Consider protecting data you store on a user’s device

If a user’s device becomes infected by a virus or malware, or they lose their device, think of ways you can help them protect any personal information that your app handles. Encryption is one option. Some platforms have their own storage schemes for protecting sensitive user data such as passwords and keys – use them.

9. Protect your servers, too

If you maintain a server that communicates with your app, take appropriate security measures to protect it. If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server.

10. Don’t store passwords in plain text

Protect user passwords by avoiding plain text storage on your server. Use an iterated cryptographic hash function to hash users’ passwords and then verify against these hash values. (Your users can simply reset their passwords if they forget.)
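As an added illustration of this tip (not code from the FTC or from this post), the Python below hashes passwords with PBKDF2-HMAC-SHA256, an iterated hash from the standard library, using a random per-user salt, verifies a login with a constant-time comparison, and re-hashes a stored record whenever its iteration count has fallen behind current policy. The record format, the function names and the iteration count are this example’s own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy constants are this example's assumptions, not values from the FTC list.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # tune so one hash costs tens of milliseconds on your server
SALT_BYTES = 16
DIGEST_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "algorithm$iterations$salt$hash" (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def _parse(record: str):
    """Split a stored record into its fields, or return None if it is malformed."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:          # wrong field count, non-numeric count, bad base64
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and count; compare in constant time."""
    parsed = _parse(record)
    if parsed is None or parsed[0] != ALGORITHM:
        return False            # a plaintext or foreign record never verifies
    _, iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True when the record uses a weaker setting than current policy."""
    parsed = _parse(record)
    return parsed is None or parsed[0] != ALGORITHM or parsed[1] < CURRENT_ITERATIONS


def authenticate(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a login. On success, also return a refreshed record if the old one is behind policy.

    The caller stores the refreshed record; this is the only moment the plaintext
    password is available to re-hash it, so it is the place to raise the cost over time.
    """
    if not verify_password(password, record):
        return False, None
    return True, (hash_password(password) if needs_rehash(record) else None)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", iterations=100_000)  # older, weaker record
    print(stored)
    print(authenticate("correct horse battery staple", stored)[0])   # True, with a refreshed record
    print(authenticate("wrong password", stored))                     # (False, None)
```

Because the iteration count and salt travel with each record, the server can raise CURRENT_ITERATIONS later without a mass reset, which is how the "stay involved with its security" advice in tip 11 applies to stored credentials.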

11. You’re not done once you release your app. Stay aware and communicate with your users

Once your app is out there and available for download, stay involved with its security. Update security libraries, push updates out to users, and use user feedback to help you spot and fix vulnerabilities.

12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations

If your app deals with kids’ data, health data, or financial data, ensure you’re complying with relevant rules and regulations, which are more complex. The FTC offers details on the regulations that your business needs to be aware of in the following guides:

The Bottom Line: One Size Doesn’t Fit All

There are no hard and fast rules for app security. The FTC clearly states that it expects app developers to shoot for reasonable data security practices and doesn’t prescribe a one-size-fits-all approach. For example, if you are developing a basic app such as an alarm clock or flashlight that collects little or no data, then this is going to raise fewer security considerations than a location-based social network or, let’s say, a health-monitoring app. These apps may use remote servers to store user data, and as a developer you’ll need to secure your app from end-to-end. This includes the software, as well as data transmission and servers.

About the Author:

Caron Beesley

Contributor

Caron Beesley is a small business owner, a writer, and marketing communications consultant. Caron works with the SBA.gov team to promote essential government resources that help entrepreneurs and small business owners start-up, grow and succeed. Follow Caron on Twitter: @caronbeesley

Comments:

Smartphones today have a lot of pieces of code; you can select the products that you really like. Nokia, Samsung, Apple ... are the strongest companies in the smartphone market.
Hey Caron, thanks for the tips. So important for every app developer. Mobile apps are growing extremely fast and security issues are constantly changing. Nice reading. Regards, Dianne
Thanks! You know, Android is extremely popular nowadays and you will definitely be challenged to apply the same things in other platforms besides iOS. Data concern will always be a major issue now technology is all connecting us and data is easier to access/obtain.
Great thoughts! You can never be too careful. There is so much hacking and fraud going on that you have to think about people’s security and take it very seriously as a developer. Thanks for the advice!
This is great information for those with the skills to code and develop their own mobile app. For those who aren't as skilled, or find these restrictions daunting, there are several app platforms out there, many of which are code-free and will adhere to these regulations. This post was edited to remove a disclaimer. Please review our Community Best Practices for more information about how best to participate in our online discussions. Thank you.
I work for a software developer and it's extremely important to protect our customers' data. We have worked hard to ensure our systems are secure and meet stringent requirements. Our system is both NIST and Safe Harbor certified. Unfortunately, with the rise of the "get rich by programming iPhone apps" mindset, many developers don't take this into account. The above list is just the tip of the iceberg. One of the surprising things we found as a result of our NIST certifications is that it brought us new customers. When they ask if we are certified and we answer Yes, it breaks down concerns and barriers to the sale. So don't neglect paying attention to security. Thanks for the info!
Aw, this was a really quality post. In theory I’d like to write like this too – taking time and real effort to make a good article… but what can I say
Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Anyway I’ll be subscribing to your feed and I hope you post again soon
Thanks for the point; the security of an app should be reviewed from time to time in order to secure user confidentiality. Of course there is still a loophole in data security, but just try to minimize the risk.
The security taboo phone that I've ever known is the process of sharing information. If you think that all the information in your phone is confidential, it will kill you anytime. Nothing is more secure than using the iOS security.