How Do I Build a Secure Mobile App?
When you're building a mobile app from the ground up, there are a number of security concerns you have to account for. If you're handling sensitive data, it can be helpful to think about the various states your data will experience:
- In use, on the device: When your data is stored in memory on the device and is being entered/reviewed by your user, it generally is not encrypted. When you save data to permanent storage, it transitions from in use to at rest.
- At rest, on the device: If you save any records to disk on the device, it is absolutely critical that you encrypt them. On iOS, you should definitely use the secure enclave to store your encryption keys. On other platforms, there are more fractured options. A common mistake is using a library that silently stores data on disk when the network is unavailable. If you do this without encrypting, you've just breached security and may find yourself out of compliance.
- In transit, from device to server: You should always use TLS, and insist on modern cipher suites. Grade your server's TLS settings with SSL Labs. Certificate pinning is crucial if the devices will be used on untrusted networks, and is generally a good practice even if this is not the case. Despite what countless irresponsible StackOverflow answers suggest, you must do hostname validation on your cert. Otherwise, you are an easy target for man-in-the-middle attacks.
- Server side: Once your data has made it safely to the server, there are a whole host of concerns around encryption, key management, key rotation, encrypted backup, audit logging, etc. These are all solvable problems, but easy to get wrong if you're not an expert. This is why we created TrueVault: to offload all of that headache from developers who want to focus on what makes their app awesome, not what makes their data compliant.
If this process seems daunting, don't give up! TrueVault is here to help you store sensitive data securely. We can solve the whole "Server side" item for you! If you need help making sure your app code is up to snuff, we can connect you with our partner networks of development shops, security experts, and auditors. Send us an email with some information on the product you're building and where you could use help.