ACCESS PERMISSIONS: MOBILE SECURITY IN APP DEVELOPMENT
Security in developing apps is one of the issues that most developers are concerned about. The topic is equally important for the owner of the mobile app and for its users.
When downloading an application, just think of how many permissions does the app require to access your phone’s content: photos, contacts, data, connections, etc.
The truth is that – unlike desktop applications- mobile apps enjoy very limited access to the content of your device. Apps will access everything that has been allowed to them by configuring their settings. However, not paying attention to the requirements of an application is a common mistake.
Access permissions are often completely justified in developing apps for Android and iOS. However, sometimes they are not. This means that – on the one hand – the user should pay attention to these permissions and – on the other – the developer should be driven by ethics and only request access to what is necessary.
Access permissions will always depend on the application. For example, food apps and restaurants looking for the restaurant closest to your current location will require being able to access your device’s GPS. The application will not work without this access permission, or at least it will not do it properly. The following are some of the most common permissions:
- Phone calls
- Photos, videos, and audios
- ID and device data
- Text Messaging
Some applications may require additional access permissions. Let’s look at the exact implications of allowing access to certain parts of our Android device, that is, the risks associated with each type of access permission and its scope.
For example, giving an app access to text messages means that it allows you to send messages, as well as read them. This may translate into an increase in the telephone service account at the end of the month if that application starts sending messages without you noticing it. However, when used correctly, its purpose is to confirm IDs and thus enjoy safer applications.
Safe Application Development: Is Privacy in Danger?
There are other aspects to be considered in addition to your development process for an application to be considered secure, meaning it is not just your code that is taken into consideration. It also depends on the user, who accepts or rejects the privacy policies of each application.
As with social networks, the answer will always ultimately depend on us. If you do not want anyone to see something you’re posting on a social network, just restrict yourself from posting it or checking the privacy of your account. The options available may be a bit tighter when it comes to applications, but it all comes down to the same thing: you simply do not download an application whose access permissions you do not want to share. You can not allow certain permissions and deny others; The application will not work properly if you limit your access permissions and will end up not doing what is supposed to.
However, we may experience problems granting full access to an application. Our most sensitive information (photos, videos, passwords, chats, bank details, etc.) can be exposed if an application is allowed to send and publish content if it has access to our personal data and information.
How can I protect myself?
As already mentioned, the most radical solution is to not download the app if you do not want to grant these permissions to third parties. There are currently many applications on the market, so it is very likely that you will be able to find a similar application that requires fewer access permissions.
Another option is to limit access to applications that you already have installed in the settings panel. However, these permissions can not always be revoked as they affect the operation of the application.
It may well be the opposite for iOS. When an application requires an access permission that you have not granted, a popup appears reminding you that the application needs such permission or that permission has already been granted. It works great as a firewall method to protect your privacy, although it can be uncomfortable at times.
The purpose of this access to the permissions system is to deliver the application developer’s privacy control to the application users.
So what can an app developer do?
According to a study conducted by the University of Valladolid on application security and its privacy, “developers, in their eagerness to publish their applications before their rivals, neglect certain aspects that must be taken into account – especially privacy and security of the data processed by the application. ”
Health applications are a good example to see the importance of the consequences that such negligence can bring since they deal with the personal and confidential data of hundreds of patients. The University of Valladolid suggests a number of “best practices” for programmers. Borja Martínez, a researcher at the Telemedicine and eHealth Group at the University of Valladolid, established a guide that is specially designed for experts in health application programming – the following recommendations, which are equally valid for any type of app programming:
- Access control:user-centered, that is, there is always the possibility of allowing or denying access to user information.
- Authentication: Through a unique ID and password known only to the user.
- Security and non-disclosure: Making use of AES (Advanced Encryption Standard) with an encrypted password of – at least – 128 bits is highly recommended to ensure security.
- Integrity: An authentication code based on symmetric password encryption (such as AES) should be used.
- Data Transfer: Applications must use Transport Layer Security (TLS) with 128-bit encryption methods or virtual private networks.
- Data Retention: All data should only be stored for the period of time required to meet the stated purpose of its storage and not for longer.
- Communication with wearables: Encryption methods should be used when communicating with wearables for device authentication and password distribution purposes.
- Security Failure Alerts: In the event of a security breach, developers should notify competent authorities and users as soon as possible and should help the latter to minimize the damage caused by that same failure.