<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Petro Kovalchuk</title>
    <description>The latest articles on DEV Community by Petro Kovalchuk (@kovalchuk).</description>
    <link>https://dev.to/kovalchuk</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F93601%2Fa38bc92d-baff-4355-a8e1-b39bcafbac70.jpg</url>
      <title>DEV Community: Petro Kovalchuk</title>
      <link>https://dev.to/kovalchuk</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/kovalchuk"/>
    <language>en</language>
    <item>
      <title>8 Mobile App Security Best Practices Developers Should Follow</title>
      <dc:creator>Petro Kovalchuk</dc:creator>
      <pubDate>Fri, 26 Mar 2021 12:29:43 +0000</pubDate>
      <link>https://dev.to/kovalchuk/8-mobile-app-security-best-practices-developers-should-follow-544o</link>
      <guid>https://dev.to/kovalchuk/8-mobile-app-security-best-practices-developers-should-follow-544o</guid>
      <description>&lt;p&gt;Mobile apps have become an integral part of our lives. We use them for various purposes like confidential data transfer, financial transactions, etc. This ubiquity makes them a target for intruders who can use sensitive data for their own purposes.&lt;/p&gt;

&lt;p&gt;Business mobile app security should be among the top priorities for any company. It is an important element of product development and support.&lt;/p&gt;

&lt;p&gt;Below, I describe several mobile app security best practices to take into account during development. This is certainly far from a complete list, and you are welcome to expand on it in the comments.&lt;/p&gt;

&lt;h3&gt;1. Encrypt the data&lt;/h3&gt;

&lt;p&gt;Any data that a mobile app exchanges with the server, transfers to third-party services, or saves on the device must be encrypted.&lt;/p&gt;

&lt;p&gt;Insecure data storage and transmission are among the most &lt;a href="https://www.cypressdatadefense.com/blog/owasp-mobile-top-10-vulnerabilities/" rel="noopener noreferrer"&gt;common security vulnerabilities&lt;/a&gt; exploited by hackers. If the data is encrypted, intruders still cannot make use of it even if they manage to steal it.&lt;/p&gt;

&lt;p&gt;The less information remains on the device while the app is running, the better. We therefore recommend storing only the data the app cannot do without, and that data must be encrypted in any case.&lt;/p&gt;

&lt;h3&gt;2. Penetration testing&lt;/h3&gt;

&lt;p&gt;Penetration testing includes checking for weak passwords, unencrypted data, and the permissions granted to third-party services, as well as deliberately attacking the system in various ways to identify its weakest points and the gaps in its protection against outside intrusion.&lt;/p&gt;

&lt;p&gt;Searching for backdoors in the system is also good practice, since any backdoor is a potential way in for outsiders.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fryv4e57ysloi1y5dvn5q.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fryv4e57ysloi1y5dvn5q.jpg" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Source: SecureOps&lt;/p&gt;

&lt;h3&gt;3. Use Third-Party Libraries with Precaution&lt;/h3&gt;

&lt;p&gt;Third-party libraries run with the same set of permissions and restrictions as the app that includes them. A malicious or compromised library can therefore use any permission granted to the app as a whole to carry out malicious activity, which is a real risk.&lt;/p&gt;

&lt;p&gt;Third-party libraries can significantly speed up and simplify development. However, you need to be careful and review a library's code before including it in your app.&lt;/p&gt;

&lt;h3&gt;4. Use the Principle of Least Privilege&lt;/h3&gt;

&lt;p&gt;An app should not request device permissions for functions it does not need in order to operate. Which permissions are necessary depends on the app's features.&lt;/p&gt;

&lt;p&gt;The principle of least privilege dictates that code should run only with the permissions it absolutely needs, and nothing more.&lt;/p&gt;

&lt;p&gt;The same applies to user rights. A compromised user account with broad privileges can do a lot of damage, so do not grant users more privileges than they really need (the “need to know” principle).&lt;/p&gt;

&lt;h3&gt;5. Use Multi-Factor Authentication (2FA)&lt;/h3&gt;

&lt;p&gt;The user registration and authentication system is a critical element of service security. Many apps use a 4- to 5-digit PIN for authorization, which users choose during registration. Naturally, this PIN should never be stored as is, either on the device or on the server.&lt;/p&gt;

&lt;p&gt;Compared with a plain password login, multi-factor authentication with a code sent by email or SMS greatly raises the application's security level.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo2gssyo8pzc9q7cu0nl0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo2gssyo8pzc9q7cu0nl0.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;6. Use Mobile App Fraud Prevention Systems&lt;/h3&gt;

&lt;p&gt;For instance, while in use, an app can send the user's geolocation to the server (provided the user has granted the app access to it). If an operation is carried out from an atypical location, the service can be suspended until the user confirms that they are performing the operation themselves.&lt;/p&gt;

&lt;p&gt;All important operations and changes to settings have to be confirmed with an SMS code, and the number of attempts to enter the code should be limited.&lt;/p&gt;

&lt;h3&gt;7. Obfuscate to Prevent Reverse Engineering&lt;/h3&gt;

&lt;p&gt;Code obfuscation is an &lt;a href="https://lvivity.com/mobile-app-security-best-practices" rel="noopener noreferrer"&gt;app security technique&lt;/a&gt; that converts software code into a form that is difficult for humans to understand. It includes encrypting code (partially or completely), renaming classes and variables, and removing metadata that could reveal sensitive details about the libraries or APIs used.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Forerijtkk06qshpuuepz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Forerijtkk06qshpuuepz.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In general, “cleaning up” the code before shipping it to production is best practice. Users do not need comments explaining how a particular function or piece of code works, but such comments are a great help to intruders analyzing the product.&lt;/p&gt;

&lt;h3&gt;8. Test Repeatedly&lt;/h3&gt;

&lt;p&gt;Mobile app security does not end at release; it is an ongoing process. New threats constantly emerge, and new solutions are required to respond to them. Regular app updates and security testing for vulnerabilities help fix flaws in the code and reduce the probability of data breaches.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://lvivity.com/what-is-code-review-process" rel="noopener noreferrer"&gt;code review process&lt;/a&gt; and an independent analysis of the app's security level are equally important. To carry out these tasks, you can build your own security testing team or use the services of a third-party company.&lt;/p&gt;

&lt;h3&gt;Takeaways&lt;/h3&gt;

&lt;p&gt;To ensure mobile app security, identify the most dangerous vulnerabilities, take them into account during development and testing, and, when issues are found, eliminate and document them so they are avoided in the future.&lt;/p&gt;

&lt;p&gt;On the other hand, 100% security can never be guaranteed. The possibility of an attack will always exist, but the measures described in this article reduce the risks or at least make it harder for intruders to succeed.&lt;/p&gt;

&lt;p&gt;The best-protected applications are those developed with a security-by-design approach, in which security is taken into account from the initial stages of development onward.&lt;/p&gt;

</description>
      <category>mobiledevelopment</category>
      <category>bestpractices</category>
      <category>beginners</category>
      <category>security</category>
    </item>
    <item>
      <title>Junior, Middle and Senior: How to Effectively Build a Team of Different Level Specialists</title>
      <dc:creator>Petro Kovalchuk</dc:creator>
      <pubDate>Tue, 20 Nov 2018 15:37:24 +0000</pubDate>
      <link>https://dev.to/lvivity/junior-middle-and-senior-how-to-effectively-build-a-team-of-different-level-specialists-14o</link>
      <guid>https://dev.to/lvivity/junior-middle-and-senior-how-to-effectively-build-a-team-of-different-level-specialists-14o</guid>
      <description>&lt;p&gt;The success of any project in many ways depends on the team. Even a small product is mostly designed by a team, even if that team consists of just two people. Building an effective team is very important and, at first glance, this looks like a much simpler task than it really is.&lt;/p&gt;

&lt;p&gt;Each member of the team has his own opinion and vision of the project, its development, evolution and other processes. Everything must be organized so that these views are in harmony with each other and the specialists’ joint efforts are focused on achieving the customer’s specific business objectives. This must be taken into account when starting a project.&lt;/p&gt;

&lt;h3&gt;Why is the right team configuration important?&lt;/h3&gt;

&lt;p&gt;The importance of structuring the team correctly is obvious. First of all, it affects the final budget: the cost of each developer depends on his level of knowledge and experience.&lt;/p&gt;

&lt;p&gt;It is important to keep the project cost optimal, so you have to build the team and recruit people for the different levels of tasks on the project, taking into account their duration and workload.&lt;/p&gt;

&lt;p&gt;It is also important to remember the human factor. If a ten-person project has ten architects or senior-level developers, the probability of conflict increases, because each of them will probably want to push his own vision, which is not always constructive.&lt;/p&gt;

&lt;p&gt;Work effectiveness is one of the key priorities in software development, so for each type of task you need to pick the right person. Some people handle routine tasks perfectly well and can spend hours working through an algorithm, while others like to work dynamically and see progress right away.&lt;/p&gt;

&lt;p&gt;By understanding and considering these things, you will be able to put the right people in the right places, and efficiency will be at its maximum.&lt;/p&gt;

&lt;p&gt;Keep in mind that not every developer is a good team player, so there should be a person who manages the team – a team lead. He not only has to oversee the project’s development and the team’s progress, but also smooth out conflicts, keep the developers motivated, and absorb the pressure from the customer.&lt;/p&gt;

&lt;p&gt;Control of the project should be the responsibility of the team lead, the project manager and the tech lead. These are the key people who should be at the heart of building the team; they are the skeleton staff who manage the project from start to finish.&lt;/p&gt;

&lt;p&gt;As for juniors, although they often lack experience, these developers sometimes play an important role in projects with a large number of routine and simple tasks. Junior developers spend about the same amount of time solving such issues as middle or senior ones, which raises the question: “Why does the customer have to pay more?”&lt;/p&gt;

&lt;h3&gt;Team formats: recommendations tested in practice&lt;/h3&gt;

&lt;p&gt;Single developer. Let’s start with the smallest format. Note that the team is not only the developers, but everyone involved in the project: the customer, product owner, tester, intermediary and so on. This type of team is typical for small projects or MVP development for a startup.&lt;/p&gt;

&lt;p&gt;2-10 people. This is the most common team configuration for small and medium-sized projects. Building such a team is relatively easy, since you can recruit developers who work productively together and are close in mentality, mood, work style and communication.&lt;/p&gt;

&lt;p&gt;These teams are easy to manage, show high performance and have minimal conflicts. All the risks and disadvantages are clearly visible. Typically, such teams include the team lead, tech lead, project manager, and a few developers.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XHG586Yz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://lvivity.com/wp-content/uploads/2018/08/dev-types.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XHG586Yz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://lvivity.com/wp-content/uploads/2018/08/dev-types.jpg" alt="Alt text of image"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The best way to build a team is to start with the skeleton staff and then add people depending on the project’s tasks. It makes no sense to delegate simple tasks to a senior developer, so it is advisable to hire a middle developer for them, which saves budget without losing quality.&lt;/p&gt;

&lt;p&gt;It is important for the team lead and tech lead to get along with the developers and share a vision of the processes. Sometimes it’s worth recruiting a junior developer to do the routine work, such as duplicating functionality, working on templates, and helping senior developers.&lt;/p&gt;

&lt;h3&gt;Senior and Junior&lt;/h3&gt;

&lt;p&gt;The number of testers depends on the size of the project and the volume of progress that must be tested, so there is no universal formula here.&lt;/p&gt;

&lt;p&gt;10-50 people. Such teams need well-established processes, since managing a large number of people is quite difficult. For that, you need an experienced project manager and team lead, as well as senior developers with strong technical backgrounds.&lt;/p&gt;

&lt;p&gt;From my experience, when managing a team of 30 people it’s best to break it into junior, middle and senior clusters, for example: 4 juniors, 5 middles, 7 seniors, project manager, team lead, tech lead and testers. These proportions are the most effective for most projects.&lt;/p&gt;

&lt;p&gt;There is another possible type of team configuration: freelancers and random developers. This can cause the most problems in projects, since the people have never worked together and each has his own style of work, different working hours, and so on, and they are often not eager to compromise.&lt;/p&gt;

&lt;p&gt;Together, these factors create a direct risk to the project, even if the individual developers are highly skilled.&lt;/p&gt;

&lt;h3&gt;Summary&lt;/h3&gt;

&lt;p&gt;From my own experience working on various projects, I can say that the best choice is a team that has worked together for a while and works from one office. This is a guarantee of success and stability on a project.&lt;/p&gt;

&lt;p&gt;Team formation is an important and difficult task. If you entrust it to professionals, the risks to the project will be minimal, and the probability of its successful completion approaches 100%.&lt;/p&gt;

&lt;p&gt;The post appeared first on &lt;a href="https://lvivity.com/"&gt;Software Development Company Lvivity&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>team</category>
      <category>softwaredevelopment</category>
    </item>
  </channel>
</rss>
