Security in mobile development concerns every player in the market: the companies commissioning a project, the developers and, finally, the users. How can a user not worry when, on first launch, an application asks for several permissions whose consequences are not always understood?
A permission request is often fully justified, because the application needs it to work properly, but unfortunately this is not always the case. The user must therefore pay attention to the permissions granted, and it is just as essential that the developer takes an ethical approach and requests only what is strictly necessary.
Mobile development security – permissions
Compared to desktop programs, mobile apps have far more limited access to the content of our smartphones, and the user can always adjust the settings to taste. Here are the permissions most often requested by applications:
- Photos, media and files
- Device ID and information about it
- WiFi connection information
- Access to accounts
Of course, an application does not necessarily need all of these permissions; their extent always depends on its features. For example, an application that finds nearby restaurants will need access to the smartphone's location (GPS).
What risk does a user take by neglecting security issues in mobile development? For example, if you grant an application the SMS permissions on Android, it can not only read your messages but also send new ones without your intervention, for instance to premium-rate numbers. You may then see your bill explode.
Your privacy in danger?
The question now is how to properly protect your privacy as a user of apps. The principle is the same one regular users of social networks already know: if you do not want someone to see your content, do not publish it, or change the privacy settings of your account. With mobile applications it is even stricter. If you do not agree to give the permissions an application asks for, do not use it. Limiting certain permissions is not always possible without the application malfunctioning, but remember that by granting an application every permission, your most sensitive data (photos, videos, passwords, bank details, etc.) could fall into the wrong hands.
How can I protect myself?
As we have already said, the most radical solution is not to download the application that requires questionable permissions. With a little luck, you will find a similar application on the store that will not require as many permissions.
Another option is to limit access to the data of the applications you have installed. You can do this in the settings of your smartphone, but take into account that it may affect the proper functioning of the application.
Android users could also use the App Ops tool to manage individual permissions. Note, however, that App Ops was an unofficial, hidden feature of Android 4.3 and 4.4 that Google removed in 4.4.2; since Android 6.0 (Marshmallow), dangerous permissions are requested at runtime and can be granted or revoked one by one under Settings > Apps, so no third-party tool is needed.
On iOS, an application must ask for each sensitive permission (location, contacts, camera, etc.) at the moment it first needs it, and the system shows a prompt that you can allow or deny; your choice is remembered and can be changed later under Settings > Privacy. The prompts can be annoying, but through them Apple gives the user control over his privacy at the exact point where the data would be accessed.
Mobile development that respects security: what can the developer do?
According to a study conducted by the University of Valladolid on security and privacy in mobile applications, “developers, in their eagerness to publish applications, neglect some aspects that need to be taken into account, especially privacy and the security of the processed data.”
Borja Martínez, a telemedicine and e-health researcher at the University of Valladolid, offers programmers the following good practices for more secure mobile development:
- Access control. Always leave the user the option to allow or deny access to the information on his smartphone.
- Identification. Each user should have a unique ID and a password known only to him.
- Security and confidentiality. The use of the Advanced Encryption Standard (AES) with a key of at least 128 bits is strongly recommended.
- Integrity. At least one message authentication code (MAC) computed with a symmetric-key algorithm such as AES (for example AES-CMAC, or the tag produced by an authenticated mode such as AES-GCM) must protect the data so that tampering is detected.
- Data transfer. Transport Layer Security (TLS) with at least 128-bit encryption, or a virtual private network, is recommended.
- Data storage. Data must be kept for a clearly defined purpose and no longer than necessary.
- Connection with wearables. The application must use cryptography to authenticate the devices and to distribute the authentication key.
- Alerts in case of a security breach. The developer should inform the relevant authorities and the affected users as soon as possible and help them mitigate the damage caused by the flaw.
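As an added example (not code from the Valladolid study or from this article), the following Go program shows how the confidentiality, integrity, data-transfer and storage recommendations above fit together in one small piece of code. Each stored record is sealed with AES-128-GCM, which gives both encryption and an authentication tag, and the retention expiry is bound into the record as additional authenticated data, so that neither a flipped ciphertext byte nor an extended expiry goes unnoticed. The record layout, the `Seal`/`Open`/`ClientTLSConfig` names, the sample "patient-id" payload and the hard-coded demo key are all assumptions of this example; a real app would keep the key in the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed record layout (an assumption of this example, not a format from
// the study): nonce (12 bytes) || expiry (8 bytes, unix seconds, big-endian)
// || AES-GCM ciphertext + 16-byte tag. The expiry is passed to GCM as
// additional authenticated data, so it cannot be altered without the key.
const (
	nonceSize  = 12
	headerSize = 8
)

var (
	ErrTampered = errors.New("record failed integrity check")
	ErrExpired  = errors.New("record retention period has elapsed")
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-128-GCM under a fresh random nonce and
// binds it to the time after which it must no longer be readable.
func Seal(key, plaintext []byte, expiry time.Time) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := make([]byte, headerSize)
	binary.BigEndian.PutUint64(header, uint64(expiry.Unix()))
	out := make([]byte, 0, nonceSize+headerSize+len(plaintext)+aead.Overhead())
	out = append(out, nonce...)
	out = append(out, header...)
	return aead.Seal(out, nonce, plaintext, header), nil
}

// Open authenticates and decrypts a record. It returns ErrTampered when the
// key is wrong or any byte (ciphertext, tag or expiry) was altered, and
// ErrExpired once the retention period bound into the record has passed.
func Open(key, record []byte, now time.Time) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < nonceSize+headerSize+aead.Overhead() {
		return nil, ErrTampered
	}
	nonce := record[:nonceSize]
	header := record[nonceSize : nonceSize+headerSize]
	plaintext, err := aead.Open(nil, nonce, record[nonceSize+headerSize:], header)
	if err != nil {
		return nil, ErrTampered
	}
	// Only trust the expiry after GCM has authenticated it.
	expiry := time.Unix(int64(binary.BigEndian.Uint64(header)), 0)
	if !now.Before(expiry) {
		return nil, ErrExpired
	}
	return plaintext, nil
}

// ClientTLSConfig pins the transport to TLS 1.2 or newer and to AES-128-GCM
// suites. Go fixes the TLS 1.3 suite list itself, so CipherSuites only
// constrains TLS 1.2 handshakes.
func ClientTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key only
	now := time.Unix(1700000000, 0)
	rec, _ := Seal(key, []byte("patient-id:42"), now.Add(24*time.Hour))
	pt, err := Open(key, rec, now)
	fmt.Printf("fresh record: %q err=%v\n", pt, err)
	_, err = Open(key, rec, now.Add(48*time.Hour))
	fmt.Println("after retention period:", err)
	rec[len(rec)-1] ^= 0x01 // flip one bit of the ciphertext
	_, err = Open(key, rec, now)
	fmt.Println("after tampering:", err)
}
```

Checking the expiry only after `aead.Open` succeeds is deliberate: the header bytes are attacker-controlled until the tag has been verified, so any decision based on them must wait for that check.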