Mobile apps have become an essential part of business operations. This brings both new opportunities as businesses use mobile apps as promotional and sale channels and new threats as apps are targeted by hackers. When apps are hacked, it creates liabilities for businesses both to their reputation and to their finances. According to Cybersecurity Ventures, the global economy will lose up to $6 trillion by 2021 because of cybercrime. This cost includes damages due to loss of sensitive data, theft of intellectual property, embezzlement, and disruption of business operations.
Which apps are most likely to be targeted by hackers?
Attackers usually pick apps that handle sensitive data which can be used against either businesses or users (such as healthcare apps or enterprise apps) or that facilitate monetary transactions (such as peer-to-peer payment apps or mobile banking software). Banking software and healthcare software as well as ecommerce applications are commonly targeted by hackers: their security is disabled, key features of the apps are unlocked or modified, and sensitive data is stolen.
Chats also increase an app’s vulnerability to cyber threats. Chats can be found across a wide range of mobile apps – from ecommerce platforms to on-demand services and banking applications.
[Uber in-app messenger]
Understanding how you can make chats secure and reliable is essential for any business.
What do you need to know about messaging app security?
For the purposes of analyzing security risks, we’ll divide messaging apps into two groups: consumer messaging apps and enterprise messaging apps.
All security risks that should be considered can be roughly classified as:
related to particular app features (such as integration with a payment system);
related to improper platform use (such insecurities commonly occur when software development guidelines for a particular platform aren’t followed);
related to legal regulations for a particular industry (such as healthcare or banking).
The first two types of risks are relevant to both consumer and enterprise apps, whereas the third type only concerns enterprise-level mobile products.
What are the most common ways to ensure the security of messaging apps?
1. Secure data storage and data transfer
The less data is stored on the client’s side, the more secure your app is going to be.
If for some reason sensitive data (such as user's sensitive conversations) have to be stored on a device, there are a number of technical solutions that can provide highly secure storage.
At Yalantis, we normally use realm.io because it’s reliable and offers encryption and at the same time helps reduce development time. Realm Core uses OpenSSL, and when you supply a 64-bit encryption key, Realm data is transparently encrypted and decrypted with AES-256 as needed and verified with an SHA-2 HMAC hash. You can learn more about how this works on the official GitHub page.
For iOS development, we use one of two frameworks: CoreData and Realm iOS local databases. As Apple recommends, we use data protection for CoreData, Realm, and any other frameworks that we use for development.
For CoreData’s most popular local storage type – SQLite – we can use the SQLCipher library, which is an open source third-party library that provides 256-bit AES encryption. Note that when using AES encryption, your application will start to take up more space in memory and its performance may decrease slightly.
[A client-server database engine SQLite]
2. Secure all communication between the client and the server
Ensuring the security of communication between the client and the server is particularly important for apps that have to comply with industry standards and regulatory requirements. These requirements vary depending on the state and the industry. For example, mobile banking apps that are developed for the US market often fail to comply with guidelines from the Federal Financial Institutions Examination Council (FFIEC) and the Gramm–Leach–Bliley Act (GLBA).
Complying with medical industry standards in the US, or HIPAA requirements, also places certain limitations on your product that software development companies should keep in mind. For example, any software application that allows users to exchange personal data (defined as any data that can be used to identify an individual or that was created, used or disclosed in the course of providing a health care service such as diagnosis or treatment) has to be HIPAA compliant to be used in the US healthcare networks.
How can you ensure the security of communication between the client and the server?
Any technology that let applications exchange data with servers can be a vulnerability. For all mobile applications we develop, we make sure to properly set up TLS/SSL, use trusted CA certificates with properly configured chains, and attach or pin those certificates to SSL. An additional level of security can be achieved if sensitive data is encrypted before sending it through TLS.
3) Implementing end-to-end encryption and reinforcing encryption
Using encryption means that developers use special algorithms to scramble data so that even if a communication is intercepted – even if someone were to steal your message – its contents couldn’t actually be read.
All major messaging apps offer some form of encryption. At the same time, some messengers want to have access to the contents of messages so they can analyze that content and better target their users with ads. But leaving any back door whatsoever creates vulnerabilities that make your app an easier target.
What are the most secure messaging apps?
The most secure apps with chat functionality are those that use end-to-end encryption, a form of encryption that lets only two people (the sender and the recipient) read a message. Using end-to-end encryption means that even if the company that developed the messaging app were to archive and store all messages on their server, they couldn’t decrypt them and read them.
Open Whisper Systems Signal Protocol is currently the industry standard for encryption and is used in messengers such as Facebook Messenger and Telegram.
[WhatsApp end-to-end encryption]
At the same time, many of these apps, including Telegram, expect users to go into the settings to enable encrypted conversations, whereas by default chats within the app are not protected by end-to-end encryption.
To take your app’s security even further, you can reinforce existing encryption mechanisms. Reinforcing encryption requires applying cryptographic standards that are still likely to be relevant within the next five to ten years. Where can you find industry best practices to choose such standards? One way to approach this problem is by following a well-known set of cyber security guidelines.
We develop a lot of our projects at Yalantis according to National Institute of Standards and Technology (NIST) security guidelines. NIST provides a set of standards for recommended security controls for information systems to various US federal agencies.
Complying with these standards means that we adopt best practices across a range of industries and also often means that we develop products that comply with other regulations such as HIPAA (the Health Insurance Portability and Accountability Act), FISMA (the Federal Information Security Management Act), and SOX (the Sarbanes-Oxley Act, which states that corporate messages have to be stored and archived for at least five years).
Closely following NIST guidelines helps us find the most relevant solutions that have already proven efficient.
What are some typical features for secure mobile chat?
Session-level security (SLS), which is a unique key that’s generated for each session. Using SLS, all messages exchanged within the app in previous and future sessions can only be read by the sender and the recipient.
Each message has its own key.
All data stored on a device is encrypted by a separate key that’s derived from the PIN entered by the user.
Offline messaging support so that even if one participant in a chat is offline, the other can still send messages that will be stored and then sent to the recipient as soon as they’re back online.
Modern messengers face constantly evolving cybersecurity threats, but it’s possible to withstand them if you follow best development practices and thoroughly choose the scope of features for your app.