We recently started to map out a proposal for a new project. This particular project meant working around an existing relationship with a staff developer who maintains a version of the app for another platform. As we moved through the process of crafting a proposal to meet their needs, a number of questions came up, including the question about security.
I'd like to start off with a bit of detail about how mobile apps are structured. In most cases, you have the mobile app itself, which is created and distributed to your customers/users through the appropriate app store (Google Play for Android, the App Store for iOS). Most mobile apps need to communicate in some way with other devices. This requires an intermediary because, with some exceptions, you can't connect directly (peer-to-peer) between two mobile devices. To allow for this exchange of information, a Web-based app with a data interface is also created and hosted on a server where it can be reached at any time from the app installed on any mobile device.
These intermediary Web-based apps work the same way a Web site works in your browser. A request is sent from your device and the information it needs is sent back in a response. Further, communication between your computer and the Web site can be either unencrypted (when you see an address that doesn't have that padlock) or encrypted/secured (like when you are shopping and need to enter your credit card, you look for that padlock). Mobile apps communicate with these intermediaries in the same way, only it's more difficult to know when that communication is secure, because there is no padlock to look at.
In general, any communications of the following from a mobile app to an intermediary Web service should always be secured:
- Logging in to the mobile app (these are typically sending a request which contains your username and password to the Web server)
- Transmission of personal health information
- Transmission of online purchase/billing information
The first item is simply best practice and should be followed whether you are sending from a mobile app or logging in to a Web site through a traditional browser. The latter two are required for compliance with either HIPAA or PCI-DSS regulations. The trouble is that many of these regulations are ambiguous, and asking different people will yield different answers. In the case of security, it's always best to err on the side of caution. It's much easier to secure a Web service or Web app now than it is to figure out how to pay for any damages, lost reputation, or fines for non-compliance after a data breach has occurred.
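Since a mobile app shows no padlock, the practical way to know whether its traffic is secured is to audit the endpoints it talks to. The following is an added example, not code from the original post: it takes a constructed list of (purpose, URL) pairs such as an app's configuration might hold, flags any login, health or billing request that is not sent over HTTPS, and offers a helper that opens a certificate-verified TLS connection to confirm the server side is set up correctly. The hostnames and the SAMPLE_ENDPOINTS list are assumptions for illustration.

```python
"""Audit the endpoints a mobile app talks to: flag sensitive requests
that are not sent over TLS, and verify the certificate of those that are."""
import socket
import ssl
from urllib.parse import urlparse

# Request categories that, per the post, must always be secured.
SENSITIVE = {"login", "health", "billing"}

# Constructed sample of what an app's endpoint configuration might contain.
SAMPLE_ENDPOINTS = [
    ("login", "http://api.example.test/session"),    # cleartext login: bad
    ("health", "https://api.example.test/records"),
    ("billing", "https://pay.example.test/charge"),
    ("news", "http://cdn.example.test/feed.json"),   # public content
]


def audit_endpoints(endpoints):
    """Return (category, url, finding) for each endpoint that is a problem.
    A sensitive request over plain http is a failure; any other plain-http
    request is a warning, since it can still be read or altered in transit."""
    findings = []
    for category, url in endpoints:
        if urlparse(url).scheme.lower() == "https":
            continue
        if category in SENSITIVE:
            findings.append((category, url, "FAIL: sensitive data sent in cleartext"))
        else:
            findings.append((category, url, "WARN: unencrypted, modifiable in transit"))
    return findings


def verify_tls(url, timeout=5.0):
    """Open a TLS connection to the host in `url` with full chain and
    hostname verification and return the negotiated version (e.g. 'TLSv1.3').
    Raises ssl.SSLError if the certificate does not validate, which is exactly
    the failure an app that accepts any certificate would hide. Needs network."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()  # default: verify cert and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for category, url, finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{finding}: {category} -> {url}")
```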
If you're not sure whether your Web or mobile app is communicating securely with your data services, please contact us and we'll help you with the evaluation.