7 Tips for Developing a Secure Mobile App within an Enterprise

By Bobby Gill on July 9, 2019

Most enterprises use mobile apps to supplement their business efforts, whether it’s for communication or a tool to link staff with resources. While some out-of-the-box apps are perfect for organizations, custom enterprise mobile app development can be incredibly useful for accomplishing tasks that aren’t possible with stock applications available on verified marketplaces like Google Play or the iOS App Store.

The problem is, when custom app development is a new notion for your business, it will feel overwhelming. Aside from getting the desired functionality and UX, there will inevitably be major reservations in your IT department regarding security.

The concerns are real, which has caused some businesses to either drag their feet or reject the idea altogether. However, with good planning, a mobile app can improve user productivity or increase external engagement, provided development is grounded in sound IT security practices.

Questions to ask before getting started with a mobile app

A business app is daunting for many organizations because there are so many “unknown unknowns.” It’s this fear of a foreign concept that often drives a kind of confirmation bias where decision-makers research issues with development of enterprise mobile apps, read horror stories, then think, “This isn’t for us.”

While it can feel overwhelming or impossible, there are a few questions IT decision-makers in an enterprise – or really, any company with several moving parts – can ask during the process of deciding to undertake an app development project.

How sensitive is your data? Even if you’re not bound by data compliance regulations, such as HIPAA or GDPR (among many others), understanding what rules dictate the storage and usage of your data is perhaps the biggest component of security.

What is the intention of your app? There are apps that act as simple clients for web content. Others can be used to access analytics to aid sales or production teams with real-time information. Truly, there is a myriad of ways an app can be used – a major element in getting started is defining what you want your app to do.

Who will be using the app? Internal and external users will have different requirements, depending on the functionality of an app. In either case, it’s necessary to understand how the app will be used by either group as there will be different demands, both from a functionality and security standpoint for each scenario.

How will you secure other business systems? It’s important to consider the systems and databases the app will be accessing, especially when they sit outside the firewall or when the general public will be able to connect to them. You’ll need to allocate resources and time for teams to patch and lock down these systems to prevent malicious users from causing damage.

7 tips for building a secure app within an enterprise

Whether you’re going to recruit or contract an app developer to create your application, the following are major factors to address with respect to app security and enterprise mobile app development. Here, we’re going to reference OWASP, a leader in mobile security, for mobile app best practices by explaining the biggest threats to mobile security and baseline methods for mitigating risks.

Avoid insecure platform usage for internal users. A lot of this depends on the backend CMS or server that’s storing content, in addition to the API that’s pulling data from any given system. Anything with high-level permissions should rely on the Keychain (protected by Touch ID where available) to store credentials and access tokens – never store unencrypted user info in local storage. Otherwise, users or systems should be authenticated through another service such as AD, 2FA, an MDM solution, etc.
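As an added illustration of the Keychain point above (this is example code, not code from the article or from Blue Label Labs), the following Swift wrapper stores an API access token as a generic-password Keychain item instead of in UserDefaults or a plist on disk. The item is bound to the device and to the currently enrolled biometrics, so reading it triggers a Touch ID / Face ID prompt. The service and account names are assumed placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

/// Added example: Keychain-backed storage for a session token.
/// Service/account identifiers are illustrative placeholders.
enum TokenStore {
    static let service = "com.example.enterpriseapp"   // assumed identifier
    static let account = "access-token"

    enum StoreError: Error {
        case unexpectedStatus(OSStatus)
        case accessControl
    }

    /// Save (or replace) the token. The access-control object restricts the item
    /// to this device (no backup/migration) and requires the current biometric
    /// enrolment before the value can be read.
    static func save(token: String) throws {
        guard let data = token.data(using: .utf8) else { return }
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .biometryCurrentSet,
            &cfError) else { throw StoreError.accessControl }

        // Remove any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
        try? delete()

        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessControl as String: access,
            kSecValueData as String: data
        ]
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw StoreError.unexpectedStatus(status) }
    }

    /// Read the token; the OS shows the biometric prompt using `reason`.
    static func load(reason: String = "Unlock your session") throws -> String? {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context
        ]
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { return nil }
            return String(data: data, encoding: .utf8)
        case errSecItemNotFound:
            return nil
        default:
            throw StoreError.unexpectedStatus(status)
        }
    }

    /// Delete the token, e.g. on sign-out. A missing item is not an error.
    static func delete() throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        let status = SecItemDelete(query as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw StoreError.unexpectedStatus(status)
        }
    }
}
```

Two design choices are worth noting: `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` keeps the item out of iCloud and unencrypted backups, and `.biometryCurrentSet` invalidates the item if the user re-enrols fingerprints or a face, which is the behaviour you want for a high-privilege token. Because the access-control object carries the accessibility class, the query must not also set `kSecAttrAccessible`.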

Securing data. Don’t expose data to any component that doesn’t need it. In fact, you’re best off eliminating access to sensitive information through apps wherever possible, as phishing schemes and other exploits can expose data to unprivileged users, leading to breaches that violate regulatory data compliance, direct financial loss, or any number of other problems. Ideally, data at rest, whether in cloud storage or on the device, should be protected just as data in transit is.

Proper communication. Without appropriate handshakes, validation of SSL/TLS certificates, or verification of other encrypted delivery methods, a wide range of data can be exposed to malicious lurkers. The transport layer of every data exchange needs to be secure, even if you’re simply delivering web content through an app.
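To make the certificate-validation point concrete, here is an added example (not from the article or Blue Label Labs) of a URLSession delegate that keeps the operating system’s normal TLS chain and hostname validation and additionally pins the server’s leaf certificate to a SHA-256 fingerprint compiled into the app. The fingerprint value is a placeholder; the `SecTrustCopyCertificateChain` call assumes iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

/// Added example: TLS server-trust evaluation with certificate pinning.
/// The pinned fingerprint below is a placeholder, not a real certificate hash.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// SHA-256 hex digests of the DER-encoded leaf certificate(s) we accept.
    private let pinnedFingerprints: Set<String> = [
        "0000000000000000000000000000000000000000000000000000000000000000" // placeholder
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges; defer anything else to the default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain, expiry and hostname validation by the OS.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the leaf certificate must match one of the pinned fingerprints.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der)
            .map { String(format: "%02x", $0) }
            .joined()

        if pinnedFingerprints.contains(fingerprint) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Valid chain but not the certificate we expect: refuse to send data.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request made through this session is subject to the pin above.
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: PinnedSessionDelegate(),
                               delegateQueue: nil)
```

Pinning the leaf certificate means the app must ship an updated fingerprint before the server certificate rotates; teams that rotate certificates often pin the subject public key (or a backup key) instead. Either way, the pin sits on top of, never in place of, the system’s own validation.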

Use good authentication and authorization for consumer-facing systems. For outside users that will be connecting to backend systems, it’s best to employ tech specifically for B2C access. For example, Azure Mobile Apps works with Azure Active Directory B2C for this exact purpose. Authentication can be tied to other accounts (e.g. Facebook, Google, LinkedIn, etc.) for identity management which also offers the consumer an added layer of protection.

Enforce secure development practices. Prior to deploying an app, client code should be reviewed as well as backend systems – but it doesn’t stop there! The continual review of code must be a routine practice to ensure mobile clients and servers are utilizing the most recent platform patches. The IT staff who manage these systems also need to take care to follow best practices, such as using 2FA and IP whitelisting through a VPN to prevent man-in-the-middle attacks (among others). For your non-open-source projects, don’t store sensitive source code that could be used to reverse engineer your app in a public git repository.

Tampering and reverse engineering. Every app can be reverse engineered, which is why it’s up to developers to reduce or eliminate clues that could unlock access to protected data. While commenting is helpful in a codebase, over-commenting can sometimes reveal too much. Aside from avoiding public git repos, functions that relate to accessing secure portions of a business network should be eliminated or at least obscured. For example, source code shouldn’t contain any API keys, user credentials, or specific configuration information that could be used to tamper with your app or repurpose proprietary source code.

Eliminate backdoors. For the sake of convenience and testing, developers may leave backdoors in code that are overlooked and, subsequently, not closed prior to deployment. Whatever the reason they were added, it’s imperative that these loopholes are removed before an app is made available to end-users.

Enterprise experience you can trust

It’s a nerve-wracking situation for many businesses when considering the development, deployment, and usage of a mobile app. A good strategy is a must for a secure application which can enhance productivity or increase engagement with external users. By discussing and analyzing key security pitfalls, organizations will be well equipped to ensure their app delivers a secure experience.

Reach out to us at Blue Label Labs to learn how we can help you design and create a dynamic mobile application for your organization and deploy it securely within your IT systems and infrastructure.