TechAhead has been in mobile app development since 2009. Today, I want to talk about one question: how secure are the apps that are getting built every day?
Let's look at a few stats to understand the current situation better:
• 65% of respondents felt that a 'rush to release' software results in more mobile app vulnerabilities.
• $1,859,688 is the average amount large organizations spend on mobile app security yearly.
• 98% is the proportion of mobile apps that lack binary code protection.
• 94.8% is the share of mobile applications that log data.
How Does TechAhead Help Build Secure Apps?
Since network and server security have become a significant area of concern, I would like to highlight some of the basic security measures we take at TechAhead. The full list of security practices followed on any project is extensive and also depends on the client's requirements:
• All API requests and responses are transmitted in encrypted form.
• Each encrypted request is bound to a particular device and cannot be used from any other device; this binding is itself a security mechanism.
• Relevant customer information is stored in the database in encrypted form, using distinct private and public keys.
• AES-256 is used to encrypt requests and responses exchanged with the system.
• Passwords are stored in hashed form, with salt, using SHA algorithms.
• Transactional variables are stored in encrypted form.
• Source code protection is applied where a client specifically requires it.
• PCI compliance is implemented for projects that require it.
• Any additional security requirements requested by the client are analyzed and implemented.
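As an added illustration of the first two points (encrypted requests bound to one device), the following is example code written for this article and not TechAhead's own implementation: a request is sealed with AES-256-GCM and the device identifier is passed as associated data, so a ciphertext captured from one device fails authentication when presented under another device's identifier. The function names, the sample device IDs and the sample key are constructed for the example; how the key is provisioned to the device is assumed and out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Added example, not TechAhead's code: a request is sealed with AES-256-GCM
// and bound to one device by authenticating the device identifier as
// associated data, so a ciphertext captured from one device cannot be
// replayed as another's. Key provisioning is assumed and out of scope.

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForDevice returns nonce || ciphertext || tag; deviceID is authenticated, not hidden.
func EncryptForDevice(key []byte, deviceID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// DecryptForDevice fails if the message was altered or was sealed for another deviceID.
func DecryptForDevice(key []byte, deviceID string, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(deviceID))
}
```

The server looks up the device identifier in the clear and supplies it to DecryptForDevice; a mismatch or any modification of the ciphertext is rejected by the GCM tag check before any plaintext is returned.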
A Meeting with JPCERT and CERT-In
To understand the security methods used at TechAhead, a team from JPCERT and CERT-In visited our office, keen to explore the mechanisms we follow for application domain security.
JPCERT/CC is the first Computer Security Incident Response Team established in Japan. It coordinates with security vendors, network service providers, government agencies and industry associations, and acts as the "CSIRT of CSIRTs" for the Japanese community. As a member of the Forum of Incident Response and Security Teams (FIRST), JPCERT/CC also cooperates with trusted CSIRTs worldwide. CERT-In, for its part, is the national nodal agency for responding to computer security incidents as and when they occur.
Our CMO, Jitin Narang, shared the security practices TechAhead follows for the global clientele, from startups to Fortune 500 companies, who trust us with their application and system development. Our Security Lead, Saurabh Pathak, then gave a brief presentation, with several concrete examples, on how we secure mobile apps using a standardized security approach. We showed how the security design of any new system varies with the client's business requirements and operational architecture, and a detailed discussion followed on how to secure mobile apps. JPCERT first wanted to learn our ways of securing data and later explained theirs. We presented a complete session to the JPCERT team on how we protect applications and systems with appropriate security algorithms: all critical information is kept in encrypted form both in the application and in the database, passwords are stored hashed and salted, and where debit card details are stored we implement PCI compliance. Although source code is difficult to protect, our teams use various methods to secure it. The practices listed above are the baseline; the specific methods differ across the business systems we build, depending on their requirements. The JPCERT and CERT-In team was impressed with our security practices and agreed that our mechanisms are well suited to securing any system to a high standard.
How Does JPCERT Help Secure Data?
JPCERT has several auditors on its team who present the mandatory guidelines for computer security. Different programs have different sets of security guidelines, which IT companies can meet in various ways. The auditors list vulnerabilities using their tools and sensors, which detect weak security and flag it to the team. In their words, "There is no fixed cure for safety, as it is a continuous development process." Their security guidelines may differ from other guidelines because of the differing nature of each app. They assure network security through their auditors and, in very critical situations, send their own teams as well.
How are you securing the data of the programs you have created?
TechAhead and JPCERT will soon come together to train our teams and improve security further through a collaborative Security Operations Team. You can consult TechAhead for application security information, secure app development, or app maintenance and support. Simply get in touch at [email protected]