App security is becoming more important as time passes, both due to the prevalence of their use, and the exploitation of apps by malicious parties. One of the greatest threats to app data is the use of “man-in-the-middle” attacks, in which data is intercepted while in transit (from the app to a server, or from the server to a user’s app). Below is a list of some of the more common methods to secure data in this state. While this is, by no means, a complete list, it will give you an idea of some of the tools good app developers will use to make sure that, at a basic level, the data used in the app is not easily accessible to non-users (or the wrong users, as the case may be).
Securing the connection
The first step to ensuring data security is to ensure that the connection between your app and the server is secure and encrypted. The standard protocol is referred to by the following acronyms: SSL stands for Secure Sockets Layer, and TLS for Transport Layer Security. The two are (now) often used interchangeably: SSL was originally created by Netscape (later acquired by AOL) but widely used throughout the web and app landscape, and so the acronym was changed to avoid this ownership conflict. TLS was an expansion based on SSL 3.0, so TLS 1.0 is often referred to as SSL 3.1 (the latest version is TLS 1.3, though it has not been finalized; 1.2 is still widely used and is supported by all the major browsers as of April 2016).
SSL or TLS is then used over a transfer protocol to create a secure connection. Commonly, this is done over an FTP (File Transfer Protocol), SMTP (Simple Mail Transfer protocol; for e-mail), or HTTP (HyperText Transfer Protocol) connection. The HTTPS (HyperText Transfer Protocol, Secure) acronym refers to a standard HTTP connection that is established via SSL or TLS.
Most websites and apps use some type of user identification to allow the user to operate securely within the environment and to more easily store and retrieve the data associated with that user. The issue then becomes: how to keep the user’s information secure? as knowing this would allow access to all the user’s transactions and stored data.
In addition to ensuring that this information is encrypted (or hashed) and not stored directly, the use of sessions, cookies, and tokens can ensure that the user is not too often troubled to re-authenticate while maintaining security for the user’s account. These three tools can be configured, for example, to expire after a given amount of time, or when the user becomes idle, thus ensuring that another person can’t easily hijack a user’s session, or have access to secure data if a user’s device falls into the wrong hands.
Tokens are becoming the more popular tool to use in this regard, as it allows for a greater amount of data to be stored securely, and is only stored client-side. This limits the amount of data is being sent; which not only aids security but reduces the load on the server, allowing your app to run a bit faster as well. Tokens can also be easily limited to a single sub-domain, allowing it to be secure to not only a single site but also to a limited section of the site. It can also be easily limited to a single protocol (HTTPS, for example), which can prevent cross-scripting exploits.
Secure data requests
Most data-driven apps will access some form of database to store and retrieve information. To do this, your app will make use of SQL or Specified Query Language, which allows you to write simple statements to add, modify, and view information in the database. SQL injection is a well-known exploit that uses knowledge of SQL statements to manipulate and obtain more information from the database than you would want to allow to your users and can have consequences from less malicious sources as well, such as the accidental deletion of some portion of the database.
A parameterized query (or prepared statement) eliminates this problem by pre-coding the statements that you will use in your app, and only allowing the user to specify a small number of parameters (variables). Beyond the obvious security benefits, using prepared SQL statements can also lead to faster execution times, as multiple queries using the same prepared statement are pre-compiled, and fewer data (smaller strings) are being sent across the app/server connection. This can also eliminate the need for some of the string manipulation (manual string escaping) that would otherwise need to be written into the code to prevent errors from user input containing special or unexpected characters.
These are some of the ways to protect data while in transit between your app and your servers, which is of major significance. If a lot of user data is stored in the app itself, encrypting the data while in storage would also be prudent, but it is in transit when app data is most important to secure, as it is then that your data is at the greatest risk of being hijacked or compromised.
Digital Fractal Technologies is an Edmonton, Alberta-based software development company that focuses on data-driven mobile applications. We develop both cross-platform apps (using Ionic, Xamarin, and other technologies) as well as native mobile applications. For a free consultation, please contact us.