Simplifying app security: safeguarding apps against user error
To round-off 2019 on our blog, we’re also tying up this year’s series on “Simplifying app security”, this time focusing on safeguarding apps against user error. Here, our Senior Consultant John Barker talks us through the security challenges that can crop up once your app is out in the wild…
You’ve built your app and it’s time to launch, but have you thought about how your solution will actually be used, and what security implications that could have?
In the rest of this article, I’ll cover a few different options for safeguarding apps against user error – and a great way to start is with the example of an app designed for use by your employees…
The BYOD Policy
On the one hand, like many other organisations wanting to encourage digital adoption, you might opt for a Bring Your Own Device (BYOD) policy.
Your employees will be able to launch your enterprise app on the device they feel most comfortable using, most familiar with when it comes to functionality. Plus, it can be a great way of saving on hardware costs, as you don’t have to buy every member of your team a new mobile device.
But this approach comes with challenges.
For one, it makes things much harder for IT departments who need to regulate data access (coming back to the danger of At Rest storage). For another, you have no control over how that device is being used and how cautious that person is with their data.
To get around this, we recommend Mobile App Management (MAM), where a secure “sand box” is created for the app to run in. You don’t have control over anything else within that device – but your app is secure.
More control with MDM
On the other hand, you might want to have greater control over the devices themselves and opt to buy them.
Your IT departments can then restrict/grant access to each user depending on their role, but most importantly, you can use Mobile Device Management (MDM) tools to ensure your staff’s experience with the device is secure.
MDM software like Mobile Iron or Airwatch can be installed onto the devices that are enrolled. When we built the NHS DonorPath app for Specialist Nurses handling organ donation, we used Airwatch on a set of enrolled iPads – the software gives you power over a variety of functionality, including installing apps, deleting them, even locking the device remotely.
Aside from anything though, training in tech security is essential.
Ensure all existing employees understand the dangers of data breaches, and that they’re aware of your privacy and security policy.
Provide regular training on the latest regulations, and weave this into the induction of all new employees, regardless of whether they work under a BYOD or bought-device system.
Transparency when safeguarding apps against user error
Finally, while you can do everything in your power to protect your app, it could still be accessed by a clever hacker, and you need to have a procedure in place should that happen.
Have a dedicated section on your website (or intranet for enterprise apps) for security and privacy best practice, with information on what users can do if they feel their account has been compromised. Plus, if you do suffer any cyber-attacks, this can be your point of contact for users.
You’ve taken care up to this point to ensure encryption keys are in different locations, and data is stored in the safest place, but it’s important to alert the user directly too about any suspicious activity.
Tell your users that a security breach has occurred, what it means for them, and give them clear instructions if they’re required to do anything.
Then tell them exactly how you’re going to handle the situation – if you’re transparent about how you handle their data and show you’re on top of the problem, it will help to build a trusting and loyal user-base.