In a perfect world, mobile users would be security conscience and take all the proper steps to protect their data and secure their mobile devices.
In reality, your typical user is not that far off from being a nightmare user.
One of the biggest motivations for user security is convenience. Consider the following:
Users do what is most convenient
Only 64% of mobile users lock their mobile devices with a pin, passcode, or fingerprint. (McAfee)
Users use mobile devices for work and for play
40% of U.S. employees of large enterprises use their personal devices for work. (Gartner)
Users lose mobile devices and they are often not recovered
70M smartphones are lost each year, with only 7% recovered. (Kensington)
What is a nightmare user?
A nightmare user doesn’t have a pin or password, let alone encryption on their mobile device. They use Evernote in order to remember their social security number, and have downloaded dozens of apps, some on impulse or after seeing a sketchy ad.
Your nightmare user connects to unprotected wifi and has forgotten their phone at the bar and in a taxicab on an occasion. They do not know what operating system their device is running and have not updated their device’s software in years.
In short, they are the users that keep CSOs up in bed at night and scare the hell out of everybody.
Assumptions Mobile Developers Should Make
It is important to take an aggressive approach to securing your app, in order to limit possible vulnerabilities caused by ineffective user security policies. Always be prepared to follow Murphy’s law.
Assume there is no lock screen/device encryption for every device.
Basic device protections are not a given when they rely on user action.
Assume that others will have access to your app.
To follow up on #1, challenge your users periodically to confirm identity. This can be with a user created pin, security question, or full login.
Assume user devices are be filled with dozens of other apps.
You cannot determine the security of all other apps, but you should
limit 3rd party apps and services from accessing your app’s data.
Assume that some users will lose their mobile devices and these devices will be unrecoverable.
Loss and theft happen, but when it does, app data should never be compromised. Use encryption for storing sensitive data on mobile devices.
Protecting against the ‘nightmare user’
You can also check out our recent post for tips for securing Android and iOS apps.
Secure data with encryption
- Encrypt local data and preferences and do not store the encryption key locally.
- Always use SSL/TLS when connecting to web services.
- Use one way hashes for storing passwords (bcrypt, etc).
Confirm user identity as often as possible
- Set server-side session/token expiration.
- Ask your users to enter a password or pin after periods of inactivity.
- Ask your users for full login credentials if they have been inactive for a while.
Limit 3rd party app interaction with your app
- Make sure that your mobile apps are not sharing services or data with other apps
- Lock down your AndroidManifest file and your iOS settings.
Avoid loading app source code during runtime
- It is much safer to add or change app source code and push an update to the app stores, than to dynamically pull code from a different source.