App security is one of those things that tends to get overlooked. Sometimes the developers get away with it and sometimes, as at this year’s Conservative Party Conference, they don’t. A security and data breach at the core of an app that had been designed specifically for the conference overshadowed a large chunk of the event, creating press coverage no party would find politically expedient.
What happened
Usually, it’s the event hire people, the security and the politicians who have to be on their game at a big political event. But in the 21st century, the software developers do too. The app created for Conservative Party Conference was designed to offer floor plans and schedules and to provide a platform for feedback to everyone attending the event.
Unfortunately, during the conference, some users noticed that it seemed possible to view and edit the data of other users who had created profiles on the app. This meant that high profile politicians had their personal data breached and edited on the platform, as well as ordinary people in attendance. Essentially anyone with an email address could sign up and access the data.
The app’s developers, Crowd Comms, were quick to admit the error, but it’s bewildering that a professional development firm could make such glaring errors. The party may have breached GDPR laws, and the Information Commissioner’s Office is already set to investigate the matter.
Is app security too often an afterthought?
Mark Noctor, VP EMEA at Arxan Technologies, believes that regulations should be in place to make app security a requirement rather than something that can just be tacked on at the end. It does increasingly seem like app developers are leaving these things until the end and essentially turning them into afterthoughts.
Important aspects of app security
Secured code from the ground up
For security to work the way we all want it to, it has to be built into the code of the app from day one. It can’t be an afterthought because then it probably won’t offer the comprehensive security that we all want and expect from the apps we use.
Identification, authentication and authorisation
These three things need to be at the core of any approach to app security, and they clearly weren’t for the app designed for the Conservative Party Conference. When your app can offer identification, authentication and authorisation, problems will be less likely to occur.
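The sketch below shows the three checks applied to per-user profile data of the kind described above. It is an added illustration, not the conference app's code; the in-memory store, the function names and the emailed one-time-code login are all assumptions.

```python
# Added illustration: hypothetical in-memory profile service (assumed names throughout).
import hmac
import secrets

PROFILES = {  # constructed sample data
    "alice@example.org": {"name": "Alice", "phone": "0100"},
    "bob@example.org": {"name": "Bob", "phone": "0200"},
}
SESSIONS = {}  # session token -> email the server has verified

class AccessDenied(Exception):
    """Raised when authentication or authorisation fails."""

def login(email, emailed_code, expected_code):
    """Authentication: issue a session only if the one-time code matches."""
    if email not in PROFILES or not hmac.compare_digest(emailed_code, expected_code):
        raise AccessDenied("authentication failed")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def update_profile_weak(claimed_email, target_email, changes):
    """Weak form: the caller's identity is only claimed and ownership is never checked."""
    PROFILES[target_email].update(changes)
    return dict(PROFILES[target_email])

def _authorise(token, target_email):
    """Identification from the server-side session, then an ownership check."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise AccessDenied("not authenticated")
    if caller != target_email:
        raise AccessDenied("not authorised for this profile")
    return caller

def read_profile(token, target_email):
    _authorise(token, target_email)
    return dict(PROFILES[target_email])

def update_profile(token, target_email, changes):
    _authorise(token, target_email)
    # Only fields a user may edit are accepted; anything else is dropped.
    allowed = {k: v for k, v in changes.items() if k in ("name", "phone")}
    PROFILES[target_email].update(allowed)
    return dict(PROFILES[target_email])
```

The ownership comparison in `_authorise` is the authorisation step: a valid session alone is enough to pass authentication, but not to reach another user's record.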
Mobile encryption policies
Customer data should be a key priority for anyone developing an app. The best way to ensure customer data will be safe no matter what is to use mobile encryption policies, making the leaking of sensitive data near to impossible.
Testing
Finally, the testing process needs to be as robust as it possibly can be. When you test an app properly, you will find the flaws in it before it reaches the end user. That way, they can be protected from those early flaws and glitches that might be present.
This particular instance of lacking app security is just one of many, and the people making these mistakes aren’t amateurs. So it’s time people in the industry started integrating security features from the start of development and not as an additional afterthought at the end.
By Andrej Kovacevic
Updated on 16th April 2019