Failing to focus on application security can risk your investment.

It's all over the news lately: new, flashy apps make it out of the oven, get great press coverage—and are hacked days later. Even the satirically simple app Yo, which sends a "Yo" message to a user's friends, was a victim. In many cases, app developers could have easily avoided massive blows to their reputations by taking planned approaches to application security.

Following a preemptive strategy is the best way to arm your app against external threats that can compromise users' security. Take steps to ensure your app is secure before its release—this will help you build trust with your users and save you from unnecessary risks on your investment.

Audit Early

Code audits have become integral to the product development cycle. While it's one thing to test an app for potential bugs by having users give it a beta run, an in-depth code audit is really the only way to evaluate an application against the types of attacks that seasoned hackers will almost certainly attempt when it hits the mainstream.

An application security audit is the process in which a team of code auditors (usually former hackers themselves) comb through an application's codebase and perform a series of checks, such as:

  • Is the code doing something it shouldn't be doing?
  • Can the code be coaxed to do something fishy?
  • Is the app transmitting user-sensitive data in the clear?
  • Have programmers implemented security precautions appropriately?

Aside from these manual checks, audits can include automated testing for security issues. "White box" automated testing examines the application from the inside, checking whether hostile inputs can make the application behave in odd ways. "Black box" automated testing looks for issues from the outside while the application is running. Applications can also be fuzzed, meaning the application is subjected to massive volumes of randomized inputs in order to see whether it can handle them without crashing or compromising a user's device or information.

It's important to run a code audit on any application before its release, as security bugs can't be caught by beta testers (who are more likely to find general usability problems). An app's original programmers themselves can't be reasonably tasked with finding security bugs in their own code, either—these bugs almost always need another team's perspective in order to be discovered.

Audit Often

After an app has had its initial audit, results are communicated back to its developers, who will typically need to fix an issue or two before the app is published. It's perfectly normal for audits to find bugs—in fact, bug-free audits are almost never good signs. Once the app is published, an annual audit ensures that newly added features are also checked for bugs. Auditing early, and often, is not only an intelligent way to save yourself from risking your investment, it's a concrete testament to your devotion to user security, especially as privacy concerns become increasingly mainstream.

Consider Open-Sourcing Your Code

If your app offers users advanced security features such as data encryption or anonymity, it's definitely worth asking your team to open-source the application's code by posting it online for other programmers to evaluate. In the security community, open-sourcing security-critical code is a tradition that gets more eyes on the code to evaluate it and help decide whether it's trustworthy. It also gives you free audit hours and, more importantly, builds your credibility with other programmers in the tech community.

About Nadim Kobeissi

Nadim Kobeissi is a programmer and cryptography researcher whose work focuses on making encryption more accessible to people around the world. Nadim created Cryptocat, one of the world's most popular encrypted chat solutions, and miniLock, a new standard for file encryption. Nadim is a member of the W3C's web cryptography working group. Currently, he works at Shapeshape, a programming studio based in Montréal.