12 tips toward kick-app mobile security

Before you start marketing your app, let’s go through the TO DO list.

Does it deliver on what you say it can do?  Check.
Have you thought through your marketing strategy?  Check.
Does it look like app stores might be interested?  Check.
Ready?  Not so fast.  There’s an indispensible step you may be overlooking.  But there’s good news:  The FTC has 12 tips to make that task easier.

The essential component is, of course, security.  There’s no one-size-fits-all approach — different apps raise different considerations — but the FTC’s new publication, Mobile App Developers: Start with Security, has advice to help you offer users a more secure experience.

First things first.  Before you get down to the nuts and bolts of data security, consider some suggestions on how to evaluate the ecosystem, including the use of cross-platform toolkits and the different kinds of functionality that could raise the security stakes for your app.  Read the brochure for more detail, but here are a dozen hints about what you’ll find when you dive in:

1.   Make someone responsible for security.  Of course, if you’re running a solo operation, the buck stops with you.

2.   Take stock of the data you collect and retain.  Practice data minimization.  Don’t collect or keep information you don’t need.

3.   Understand differences between mobile platforms.  Each mobile operations system uses different APIs and provides its own security features.  Do your research and adapt your code accordingly.

4.   Don’t rely on a platform alone to protect your users.  Platforms may offer features to make security easier, but it’s up to you to understand them, use them properly, and explain them to your users in everyday language.

5.   Generate credentials securely.  If you create credentials for your user — say, usernames or passwords — do it securely.  Of course, what’s appropriate for your app will depend on the kind of info that's involved.

6.   Use transit encryption for usernames, passwords, and other important data.  Let’s face it:  People will probably use your app on unsecure Wi-Fi access points like coffee shops or airports.  If your app transmits data best kept secure, use transit encryption.

7.   Use due diligence on libraries and other third-party code.  Third-party libraries can save time, but keep your ear to the ground.  Does the library or SDK have known security vulnerabilities?

8.   Consider protecting data you store on a user’s device.  If your app handles personal info, think about protecting or obscuring data — for example, by using encryption.

9.   Protect your servers, too.  If you maintain a server that communicates with your app, take appropriate measures to protect it. 

10.  Don’t store passwords in plaintext.  Consider using an iterated cryptographic hash function to hash passwords and then verify against those hash values.  That way, if your server suffers a data breach, passwords aren’t left totally exposed.

11.  You’re not done once you release your app.  Stay aware and communicate with your users.  New vulnerabilities arise daily and even the most reputable software libraries require security updates.  Stay in the loop and have a plan for shipping security updates if needed.  Watch your inbox in case users spot a problem first.

12.  If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations.  Are you up on COPPA, HIPAA, or GLB?  If you’re dealing with certain sensitive information, those abbreviations need to be in your vocabulary.

One more consideration:  Once you release an app, laws that apply to other marketers apply to you, too.  Visit the BCP Business Center for more compliance tips.  If you have clients in pps, send them the link to keep them clued in.

 

 

4 Comments

>> Leave a Comment | Comment Policy

This FTC post makes it seem like all an app developer's customers all will be in the USA. Hardly likely. There are privacy requirements all over the world, and particularly in the European countries, that are more stringent than those of the USA. This Economist article can serve as an introduction to the topic: App developers can be held to account for privacy violation in any market in which they operate.

Good information for mobile users.

Very Useful Information.

FEB 2013 Yes we are all sharing this information to clients, prospects and professors...Yes we also consulted with regards to the HIPPAA, GLB, COPPA regulations when dealing with sensitive information(healthcare/financial groups). Yes our team information technology legal eagels angels agree, continue to use encryption on usernames, passwords, etc.
MBCI Consulting NEWS U CAN USE online publication links most legal news.
Attorney/Mediators Walker-Reynolds, Lee, Ming, Maryellen Reynolds(consultant/mediator)WM Reynolds(consultant/mediator)along with business executives.

Leave A Comment

Don't use this blog to report fraud or deceptive practices. To file a complaint with the Federal Trade Commission, please use the FTC Complaint Assistant.

PRIVACY ACT STATEMENT: It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act and the Federal Information Security Management Act authorize this information collection for purposes of managing online comments. Comments and user names are part of our public records system, and user names are also part of our computer user records system. We may routinely use these records as described in our Privacy Act system notices. For more information on how we handle information that we collect, please read our privacy policy.