Congratulations, you just completed final coding for a new stock tracking app and you’re ready to release it into the market. Your users will be able to specify which stocks and how many shares they own and set alerts when certain price targets are reached. For real-time stock prices, your application connects to a third-party service that updates the app’s UI with the user’s total investment.
Up until now, you probably haven’t put too much thought into encryption. Your app is pretty simple and doesn’t require the user to set up an account, so no personal information is being sent anywhere. Plus, you’re using local storage to record stock names, number of shares, and price targets.
Yet, if the phone was hacked, your app would hand the hacker the information they need to piece together a larger attack strategy. For example, if your app reveals that the user is monitoring 1,000 shares of Tesla stock, the hacker may conclude that the user probably owns that many shares, and the hacker could launch a secondary attack. Even the name of the investment provides useful information. Hackers have been known to infiltrate quietly and stay inside a system for weeks or months as they gather seemingly innocuous information. A recent example was the massive attack carried out through malicious code inserted into the SolarWinds software. It is believed hackers spent months infiltrating networks before they were detected.
So, you may think your app isn’t storing anything important and therefore skip encryption, but any data a user enters into an app can be used as a puzzle piece to aid in larger infiltrations. This is exactly what hackers hope for.
A shared responsibility
So, whose responsibility is it to secure customer data? The truth is it’s a shared responsibility. Everyone involved with the application must take the necessary steps to protect the data you have control over.
Think of a conveyor belt moving data from station to station. If you encrypt the data at your station and it moves on to the next station only to be decrypted and left out in the open, that’s where the hacker will go.
Consider the basic stock tracking application. You make assumptions that the app delivery from the Apple app store or Google Play is secure and that the app is not altered along the way. You also make assumptions that the person using your app is properly authenticated and logged into the phone. Finally, you make assumptions that the external services, such as the stock price service, are secure and not exposing your users’ information. That’s a lot of assumptions, and you’re relying heavily on other parties to keep your users’ data from leaking out. As a developer, you need to take a more proactive approach to data security.
Become a security champion
Even if you believe your application isn’t dealing with sensitive data, a more critical look could unveil potential security problems. As a start, you may want to treat any data within your application as sensitive data. You must take full responsibility for encrypting app data because your users are expecting you to protect their data.
Let’s say you want to increase the security of your stock tracker app and make it more difficult for a casual hacker to see user-entered data such as stock names, number of shares, etc. You could move the persistent data storage from local storage to the device’s encrypted keychain. Alternatively, you could use an encrypted cloud service to store that data remotely. Both options are a good start but have pros and cons. If a hacker gets access to a single password, the user’s encrypted data is no longer safe.
Adopting a secure-by-design approach
Taking responsibility for protecting user data should be central to your development process. That means taking a “secure-by-design” approach, in which security is designed into the application from the beginning. This does not mean you need to take a course on advanced cryptography or figure out how to write your own encryption routines. In fact, you shouldn’t roll your own encryption algorithms or try to obfuscate data you want to protect. Assume attackers have access to your source code. Do not rely on some proprietary algorithm to keep your data safe.
Most platforms you are developing for have well-tested encryption libraries available. For Android, you’ll find cryptographic facilities and a keystore system. Similarly, for iOS, you’ll find crypto Swift libraries and a keychain mechanism available. Certainly, with most existing methods, it can take some effort to learn how to use these libraries and you may end up with many more lines of code to support them.
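To make the advice concrete, here is an added example (not code from this article or from any vendor) that encrypts the stock tracker's holdings with AES-256-GCM from a vetted library before they reach local storage. It uses Node.js's built-in `crypto` module as a stand-in for the platform library; the function names, the `AAD` label and the sample data are hypothetical, and the key is assumed to be held by the platform keystore or keychain.

```javascript
// Added illustration: sealHoldings, openHoldings and AAD are hypothetical names.
const crypto = require("node:crypto");

// Associated data binds each ciphertext to this app and record type.
const AAD = Buffer.from("stock-tracker/holdings/v1");

// Encrypt the holdings record before it is written to local storage.
// `key` is 32 bytes and is assumed to live in the platform keystore/keychain,
// never next to the ciphertext.
function sealHoldings(key, holdings) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(AAD);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(holdings), "utf8"),
    cipher.final(),
  ]);
  // Stored layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString("base64");
}

// Decrypt and authenticate. Returns null if the blob was altered, truncated,
// or sealed under a different key.
function openHoldings(key, blob) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 28) return null; // too short to hold nonce + tag
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(AAD);
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    return null; // authentication failed: treat the stored data as untrusted
  }
}

// Constructed sample data matching the article's scenario.
const sampleKey = crypto.randomBytes(32); // stands in for a keystore-held key
const sampleHoldings = [{ symbol: "TSLA", shares: 1000, alertAbove: 300 }];
const stored = sealHoldings(sampleKey, sampleHoldings);
console.log(stored.length, openHoldings(sampleKey, stored));
```

Because GCM authenticates as well as encrypts, a record that was modified on disk is rejected instead of being silently loaded into the UI.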
The Ubiq API-based Platform, however, is designed to help developers avoid the complexity and mistakes related to data encryption when building applications. Ubiq constantly monitors the latest research related to cryptographic algorithms, including encryption and hashing, as well as any newly discovered vulnerabilities, and it incorporates the newest information into the platform, ensuring your data remains as secure as possible.