Mobile Device Security: Data Protection on iOS & Android

2 months ago
Mobile Device Security: Data Protection on iOS & Android Image

It may not feel essential to the user experience, but security can make or break it. From cloud security and API security to data protection and encryption, security is a priority, and it helps us build better apps. Apps that protect our users’ data and earn their trust for good reason.

In this article, we’ll discuss how to protect user data on both iOS and Android platforms, from first launch to enterprise.

Mobile Devices, Data & Privacy

Mobile devices constantly collect and share data, making personal privacy an issue.

Mobile devices collect various types of user information, including personal details, app usage, and location data. This information can be shared with third parties for purposes such as ad targeting, analytics, and service improvements. However, the extent and nature of this data sharing are not always transparent to users.

While companies are required to disclose data collection practices and obtain user consent in some jurisdictions (e.g., under the GDPR in the EU), the implementation and enforcement of privacy laws vary across regions. Some large tech companies, including Google and Meta, have faced significant fines for privacy violations, indicating that regulations like GDPR can hold companies accountable.

Both Google and Meta have been fined for privacy violations, demonstrating that GDPR in Europe “has some teeth,” according to Brad Weber.

Concerns arise when third parties use collected data in unexpected ways, such as selling it to other companies or using it for purposes beyond what users initially consented to. The lack of consistent, strong privacy protections across all regions leaves many mobile device users vulnerable to potential misuse of their personal information.

To protect their privacy, users can take steps such as reviewing app permissions, using privacy-focused browsers and search engines, and supporting initiatives that push for stronger, more uniform privacy regulations globally.

As a product owner, prioritize data minimization to protect user privacy.

Mobile devices constantly collect and share data, which can be used to track users’ locations, activities, and personal information. Data protection, security, and privacy are crucial components of data well-being, and product owners have a responsibility to safeguard user data.

For an app to function properly, it may require access to sensitive information such as the user’s location or contacts list. However, it is essential to obtain explicit user consent before accessing or sharing any such data. Product owners should carefully evaluate the necessity of each piece of data collected and ensure that users are fully informed about how their data will be used.

As an iOS developer (or any other type), you should always ask yourself: “Is this necessary?” If not—and if alternative methods are available—you should use those instead.

Data is a precious resource—one of the most valuable assets to an organization that must be protected accordingly. With data sharing, less is more. Collecting only what you truly need will help protect your users’ privacy and security from potential hackers who might try stealing sensitive information from them through malware attacks on their mobile phone/tablet devices.

As an iOS developer or any other type of developer, always ask yourself: “Is this data absolutely necessary for the app’s core functionality?” If not, and if alternative methods are available, prioritize those options instead. Collecting only the minimum amount of data required not only helps protect users’ privacy but also reduces the potential impact of data breaches.

Data is one of the most valuable assets to an organization and must be protected accordingly. By adopting a data minimization approach and collecting only what is truly necessary, product owners can help safeguard users’ privacy and security from potential threats, such as hackers attempting to steal sensitive information through malware attacks on mobile devices.

Furthermore, being transparent about data collection practices and providing users with clear options to control their data can help build trust and foster a positive relationship between the app and its users. Regularly reviewing and updating data collection practices in line with evolving privacy regulations and best practices is also crucial for maintaining a strong commitment to user privacy.

Android & Apple: How They Handle Security Differently

Ensuring the safety of our personal data and privacy is of utmost importance, and that’s where mobile security comes into play. When it comes to this, two of the biggest players in the market are Apple’s iOS and Google’s Android. While iOS is renowned for its closed ecosystem and timely security updates, Android’s strength lies in its open nature. Let’s delve deeper into their respective security mechanisms and compare their attributes.

Which is more secure—iOS or Android?

In general, iOS is considered to be more secure than Android. This is due to several factors, including:

  • Apple’s Closed Ecosystem: Apple has much more control over the hardware and software that goes into its devices, which makes it more difficult for hackers to find and exploit vulnerabilities.
  • Apple’s Aggressive Security Patching: Apple quickly releases security patches for its devices, which helps keep users safe from known vulnerabilities.
  • Android’s Fragmentation: The Android ecosystem is very fragmented, with many different manufacturers and carriers offering their own operating system versions. This makes it more difficult for Google to release security patches for all Android devices and gives hackers more targets to exploit.

However, it is important to note that no operating system is 100% secure. There have been malware and hacking attacks on iOS and Android devices. Ultimately, the security of your device depends on both the operating system and the user’s behavior.

Android and iOS devices employ various security measures to keep data safe.

Both Android and iOS use strong encryption features to protect data. If a device is stolen, the data cannot be accessed without the encryption key. However, there are differences in encryption methods between the two platforms.

Android employs device-specific keys that are unique to each device. This means there is no universal key for all Android devices. Google services like Gmail or Chrome may have separate keys associated with them. Both the device-specific key and the Google key are required to access data.

In contrast, iOS uses a combination of device-specific keys and iCloud keys. Even if someone has a device, they still need the iCloud password to access the data.

While both platforms have strong encryption features, encryption is not foolproof. It is essential to take additional security measures to keep data safe.

Security Features on Android Devices

By utilizing data encryption, data accessibility, and other security features, Android devices effectively safeguard data against unauthorized access:

  • Data Encryption: Android’s encryption features have become increasingly sophisticated and robust. All Android devices are encrypted by default, and Android 12 introduces improvements such as enhanced file-based encryption, stronger encryption for sensitive data, and new security features for app developers.
  • Data Accessibility: Android devices use a permission system to regulate app data access. Only apps with granted permissions can access specific data. App permissions can be managed in Settings > Apps & notifications > Advanced > App permissions.
  • Malware: Google Play Protect scans apps for malware and other security threats and monitors devices for suspicious activity. 
  • Two-Factor Authentication: Android two-factor authentication (2FA) adds an extra layer of security to Android devices and accounts by requiring a code from users’ phones and their passwords when logging in. Android users can enable Android 2FA in Settings > Security > 2-step verification.
  • Find My: Find My Device helps locate lost or stolen devices and allows data erasure, if necessary.
  • Dedicated Storage: Trusty is a dedicated secure subsystem on Android devices that securely stores sensitive data like fingerprint and face scan data. This data is encrypted and can only be accessed by authorized apps with the correct credentials.
  • Security Updates: Google regularly releases security updates for Android, addressing potential vulnerabilities that attackers may exploit. It is important to install these updates promptly.

Furthermore, Google’s latest Android operating system introduces new default app security features. Since Android 7.0 Nougat (released in 2016) automatically encrypts all Android devices. The data on the device is protected by a strong encryption key accessible only with the device passcode, PIN, or pattern.

Android 12, the latest version, introduces additional security features, including:

  • Enhanced Encryption: Android 12 encrypts files with unique keys, making it harder for attackers to access data even with compromised device encryption keys. Stronger encryption algorithms protect sensitive data like biometric authentication and app credentials.
  • New Security Features for App Developers: Android 12 provides new APIs for developers to implement secure encryption practices.

Security Features on iOS Devices

iOS devices use a variety of security features to keep your data safe, including:

  • Data Encryption: Using a strong encryption algorithm, iOS devices encrypt all user data by default. This means that if someone were to steal your device or gain unauthorized access to the data, they would not be able to read it without the encryption key. Your device passcode, PIN, or pattern protects the encryption key.
  • Data Accessibility: iOS devices use a permission system to control which apps can access data. This means that apps can only access data you have permitted. You can control app permissions using Settings > Privacy & Security > App Permissions.
  • Malware: Apple does not have a built-in malware scanner for iOS. Instead, Apple relies on several other security features to protect iOS devices, such as:
    • Sandbox: iOS uses a sandbox system to isolate apps from each other and the system. This prevents malicious apps from accessing other apps or system files.
    • Code Signing: All apps on the App Store are code-signed by Apple. This means that Apple has verified the developer’s identity, and the app has not been tampered with.
    • Automatic Security Updates: iOS devices automatically receive security updates from Apple. This helps to keep iOS devices up to date with the latest security patches.
  • Two-Factor Authentication: 2FA is a security feature that adds an extra layer of protection to your account by requiring you to enter a code from your phone and your password when logging in. You can enable 2FA for your Apple ID by going to Settings > Your Name > Password & Security.
  • Find My: Find My is a service that can help you to locate your lost or stolen device. It can also help you erase your device’s data if necessary.
  • Dedicated Storage: Secure Enclave is a dedicated chip that securely stores sensitive data like fingerprint and face scan data. This encrypted data can only be accessed with the iOS user’s passcode, PIN, or pattern.
  • Security Updates: Apple releases security updates for iOS regularly. These updates patch security vulnerabilities that attackers could exploit. It is important to install security updates as soon as they are available.

Furthermore, the latest iOS release, iOS 16, introduces several new security features and enhancements that help to protect users from a wide range of threats. Some of these features are, notably:

  • Lockdown Mode: Lockdown Mode is a new mode that provides an extreme level of security for users who face targeted threats to their digital security. When Lockdown Mode is enabled, certain features and functionality are limited to help protect users from targeted attacks. For example, most messaging attachments other than images are blocked, and incoming FaceTime calls from unknown callers are prevented.
  • Enhanced Privacy Controls: iOS 16 includes several new privacy controls, such as the ability to choose which apps are allowed to access your location and the ability to see which apps have accessed your clipboard in the past hour.

Regarding apps and mobile devices, it’s clear that security is on everyone’s mind. With great convenience comes great responsibility. It’s important to approach security thoughtfully to navigate the digital landscape.

Taking Security Further

As a developer, you can go beyond what the OS offers by investing in security from the ground up.

Taking the right precautions when developing mobile apps can help ensure user data is safe. The first step is to use a secure coding language and development environment. You can also implement specific security measures such as encryption, 2FA, and biometrics authentication.

Securing Your First App

The first step to ensuring your user data is safe is a secure coding language and development environment. There are many ways that hackers can get access to your app’s code, so it’s important that you use secure coding practices at every step of the process.

If you are launching an app for the first time, the most important security things for you to know and implement are:

  • Start with a security-first mindset. Keep security in mind throughout development, from design to implementation to testing.
  • Don’t underestimate the importance of security testing. Hire a security professional to test your app before you release it.
  • Be transparent with your users about how you are protecting their data. Publish a privacy policy and explain to your users how you are using their data.
  • Be responsive to security vulnerabilities. If a security vulnerability is discovered in your app, fix it immediately and release a patch.

By following these tips, you can help to ensure that your first app is secure and that your users have a positive experience.

For enterprise-level data protection, add an extra layer of control.

In addition to the above measures, large enterprise apps may also need to consider the following:

  • Implement two-factor authentication for all of your apps. 2FA adds an extra layer of security to your apps by requiring users to enter a code from their phone in addition to their password when logging in.
  • Use biometrics to authenticate users. Biometrics, such as fingerprints and face scans, are a secure way to authenticate users.
  • Use a threat modeling process to identify and mitigate security risks. Threat modeling is a process that helps you to identify and assess potential security threats to your app. Once you have identified the threats, you can implement mitigation strategies to reduce the risk.
  • Implement role-based access control. Role-based access control (RBAC) is a system that controls which users have access to which resources in your app. This helps to prevent unauthorized users from accessing sensitive data or performing unauthorized actions.
  • Implement a zero-trust security model. A zero-trust security model assumes no user or device can be trusted by default. This approach can help protect your app from unauthorized access, even if an attacker can compromise a user’s account or device.

In addition to the above measures, large enterprise apps may need to comply with various regulations, such as HIPAA, PCI DSS, and GDPR. These regulations often have specific security requirements that must be met.

It is important to educate your employees about security best practices. Security awareness and training will help reduce the risk of human error, a major cause of security breaches.

Treat security as a competitive advantage.

Mobile app security has become a top priority for businesses of all sizes. With the increasing number of data breaches and cyberattacks targeting mobile apps, users are more discerning than ever about the apps they download and use. Businesses that take mobile app security seriously can gain a significant competitive advantage.

Many users need to be made aware of the security features available in mobile apps. Businesses can gain a competitive advantage by highlighting their app’s security features in marketing materials and app store listings.

You can also innovate using security to your advantage. Taking mobile app security seriously can increase customer trust, loyalty, and market share.

Focus on Security: Case Study

For example, security is paramount in the rapidly evolving real estate industry. Buyers, sellers, and agents must be confident that their personal and financial information is safe and secure. inHere understands this and has made mobile app security a top priority.

Industry experts have recognized this focus on mobile app security. inHere was nominated as an honorable mention for the Fast Company Security category of the prestigious Innovation by Design Awards. inHere’s focus on mobile app security has helped the company to build a reputation as a trusted and innovative platform for real estate transactions. This reputation has given inHere a competitive advantage in the market.

Mobile Device Security Affects Everyone

If you take the right precautions when developing mobile apps, you can ensure user data is safe.

Personal privacy has become a pressing issue with the advent of mobile devices. With so much data being collected and shared by these devices, developers must be aware of the security and privacy concerns of creating iOS or Android apps. By following best practices when developing your app and keeping up with current trends in mobile technology, you can ensure that users will have peace of mind when using your product.

Get your blueprint for secure app development

Embark on your app development journey armed with our free, detailed security checklist. This invaluable resource ensures that alongside beauty and functionality, your app embodies robust security across crucial areas. Apply industry-standard encryption, secure payment gateways, manage and monitor logs, and ensure regulatory compliance.
Recent Posts

Digital Product Development

How GDPR Impacts App Development

With the implementation of the EU’s General Data Protection Regulation (GDPR) last month, many clients are wondering how GDPR impacts app development stateside. While there is, of course, no simple answer, this post will review some key implications of GDPR at a high level so you know where you might need to dig deeper. What is GDPR? One glance at your inbox, and it might seem like GDPR is simply a requirement that you review the privacy policy of every company with whom you have ever interacted. While it could feel like a bit of a nuisance, GDPR is actually positive for the user, as it is “consent driven legislation” that regulates how businesses, governments, and other institutions can use personal data. GDPR is designed to protect the individual rights of citizens in the European Union, providing a high level of transparency on how entities collect, store, and utilize personal information. It also puts control and ownership of that data back into the hands of the person. If you would like to learn more, you can get expert information here. There are four key individual rights that GDPR ensures: Right to easy access of personal data. Organizations must provide individuals with easy-to-access information on what data they have, and how that data is collected and processed. Right to data portability. Organizations must provide a simple and straightforward way to request an export of all personal data. Right to be informed of a data breach. Organizations are required to notify individuals of a hack as soon as possible. Right to be forgotten. Organizations must completely erase a user’s personal data upon request, provided there are no legitimate legal reasons for retaining it. Who does GDPR impact? Data protection standards have long been in place, but previously the scope of the regulations were mostly in the context of service provider location. The new rules are in the context of the user, regardless of the location of the service provider. So, if you expect your app to be utilized by people residing in the European Union, then GDPR compliance will be required. Obviously, those hardest hit will be those whose business models rely on collecting and leveraging large amounts of consumer data. However, even an enterprise oriented app that will be utilized by EU employees must comply to the regulations set forth by GDPR. How will GDPR impact app development? There are a few different places where GDPR could have a significant impact in your mobile app development: Permissions: “Privacy by design” is a key tenet of GDPR, so it’s critical to understand what constitutes personal data. Personal data is any collection of information that could be used to reasonably identify an individual. Beyond clear data points such as name, SSN, email, and address it begins to boil down to context. If you collect a person’s occupation, that likely wouldn’t qualify, as many people likely have the same occupation. However, once you start combining that data with, say, company and IP address, it might become much more clear who someone is. So what’s the safest bet? Collect as little personal information as possible in your application. That said, some amount of personal data will likely be collected by almost every mobile app that is created. As a result, one of the most obvious ways GDPR will affect app development is in the on-boarding process. You will need to be clear within the app interface as to how each piece of data requested will be utilized – and get permission for each usage situation. Even data that has not historically required consent (e.g. IP addresses) must also be considered. For example, if you collect a user’s email address for app login, but have intentions of using that email for other purposes, you need to provide specific disclosure and an opt-in consent mechanism for each unique instance. In other words, one long user license can no longer be leveraged to cover the occasional marketing email, location-driven notifications, and re-marketing. You also must ensure there is an easy mechanism for revoking consent for any of those options. Data Exchange and Management: Another area that GDPR impacts app development pertains to the regulations that support additional data exchange between the user and the service provider. As noted, the new rules call for the user to be able to ask if their data is being processed, get a complete copy of their personal data, and ask for complete erasure from the service provider’s system.Any of these items are simple enough for a one-off manual process on a small scale. But, for a service provider, the potential for constant or high-volume inquiry may be enough to invest in automated mechanisms. Another consideration is identity verification by the service provider; i.e. how can they confirm they are responding to a valid user request for data? For systems with login credentials, there is a built-in mechanism. But certain edge cases will likely muddy the waters and gaps in GDPR could potentially be exploited for fraud. A year ago, if a service provider of an online loan application web site were to be asked by a user out of the blue to “please give me all of my personal information in a portable format and then also erase me from your system” you would be very suspicious. With GDPR, this now becomes a completely legitimate request that you need to process in a relatively short timeframe. Data Security: The companies that will have success are those that already take security practices very seriously. Here are a few general guidelines that most applications should be following:– Use HTTPS everywhere and avoid using services that don’t use HTTPS– Use database-level encryption– Keep sensitive and personal information out of log files– Protect your system’s credentials and API keys, including keeping them out of committed code– Favor two-factor authentication over security questions That’s by no means an exhaustive list, but you’d be surprised how many applications out there don’t follow those basics. From there, you can begin evaluating your specific application. For instance, what types of user-generated content might you need to remove to comply with full erasure? What tests do you need to create to ensure full erasure? If you share user-identifiable data with 3rd-party systems, are you clearly communicating that to your users? Should GDPR be treated like a best practice? You’ll also need to decide if you want to support GDPR-like processes as a matter of general course, or only in cases where it’s absolutely required. While implementation could require more creative design and add some cost to development, GDPR does actually provide important protection for individual rights and may bring value for your business. It could be cheaper to take a minimal approach at first, but we advise everyone to perform some type of upfront cost analysis. You may find that it’s less expensive than you thought to lay some of the initial groundwork. The bottom line here is that user privacy, including the new GDPR changes, is not something that can be bolted on after that fact. It needs involvement from managers, designers, developers, product owners and so on. How do I learn more about GDPR? Whether you need to learn more for business purposes, or just desire help in getting to sleep at night, the best place to learn all the details about GDPR is the General Data Protection Regulation official web site. If you already were fairly versed in the prior data protection directive from 1995, you might find this site on GDPR Key Changes more useful. If you’ve got a particular app development project in mind, or are uncertain about the implications of GDPR on an app you’ve already built, we’re happy to help. Please contact us to set up a time to talk.

6 years ago

Technology

Protecting Personal Information: Tips for Consumers and Companies

One key aspect of privacy in the current age is controlling and protecting personal information that is gathered about you over the internet and across other digital mediums. Earlier this month we began our discussion of personal privacy in the digital age with an overview of the practice of data tracking. Data tracking occurs when organizations like online service providers or commerce sites capture everything from your internet search terms, to purchasing habits, to IP location. We reviewed how organizations are leveraging that data, and how to opt out of data tracking if desired. In this post, our focus is on protecting personal information that people are prompted to provide to execute transactions, browse certain sites, or share online. We all regularly face the requests, so it’s important to think consciously about where you share such data. Further, as business executives, many of you will sit on the other side of the table, making decisions about what kind of personal information to collect from consumers or clients, and how to be effective at doing so. This also requires intentionality, lest you expose someone to undue risk. Protecting Personal Information Information like social security numbers, credit card numbers, addresses, and phone numbers are requested by a variety of companies and institutions. Additionally, most people have online accounts that contain health and financial information. As a consumer who is likely to share or digitally store such personal information, it’s your responsibility to manage your cybersecurity. Here are a few key ways to protect yourself: Use Strong Passwords: It’s critical to use strong – and different – passwords across your devices, apps, and frequently visited web sites, and do not share your passwords with others. For more sensitive accounts, consider using “two factor” authentication – a system whereby something you know (e.g. the password) is coupled with something you possess (e.g. a phone to which a code is sent) – to increase security. Alternately, leveraging a social login system is efficient and convenient when available. Social logins, or single sign-on systems, enable people to use the password given to one provider as the login credentials for another (e.g. using your Facebook or Google login to access a third party site). Although this practice provides sites like Facebook with information about your actions, it’s generally considered a secure option, since your password isn’t passed along to every site. Monitor Geo-Location Data: Commonly referred to as “location services,” many apps use local cellular data, Wi-Fi, Bluetooth, GPS, and cell tower location data to track your whereabouts. (The combination of sources works better than GPS alone, and is kinder to battery life.) Sharing your location data enables you to get directions, find nearby restaurants, hail a taxi, map your run, and a myriad of other activities. While the benefit list is long, it’s important to realize you are sharing private information and caution is crucial. For example, a geo-tagged photo you post on social media can allow criminals to know you are in the Bahamas, not at home. When browsing on the internet on your computer, websites can see where you’re located. To prevent this, some people might like to use a proxy service from free-proxy-list.net to make sure their location is hidden whilst they’re browsing. This should increase security.     Limit Stored Credit Card Data: Online purchasing obviously requires a form of payment, and many people use credit or debit cards to make purchases. Most commerce sites/apps offer the ability to save the card information, and while this offers convenience and speed for stores you regularly visit, it also increases the risk of fraud. Limit the places where you store data or consider using a service like PayPal or Google Wallet. While not necessarily more secure than a commerce site, it means just one provider has your account data. It’s also important to take advantage of lock screens and other security features on your devices. Regularly update your operating systems, as these updates often include patches to address security issues that have been discovered. Further, don’t use potentially insecure public Wifi networks, like those found at airports or cafes, to execute more sensitive transactions like shopping or banking. MIT offers additional safe computing tips. Collecting and Protecting Others’ Personal Information Collecting data from consumers is necessary for many businesses to function, but it is a significant responsibility. With the massive data breaches that occur periodically, it’s not surprising that people worry if government agencies and major corporations can protect the data they collect. Nonetheless, a Columbia Business School study showed that consumers are actually willing to share their personal data, provided they gain added value. According to this study, two main factors determine willingness to share: (1) the trust the person has in the company and (2) the potential added value s/he gets from sharing the data. In other words, “even protective consumers do not mind sharing their personal information as long as they benefit from relevant offers and value.” According to the study, the type of information consumers were willing to share to gain benefits included: phone numbers, emails, purchase history, social network permissions, and household income. As shown in the graph below, the added value they desired from companies for this information could come in many different forms, from various kinds of financial benefits to recommendations.This is good news for business owners, and speaks to the value of cultivating trust with your consumer. Being transparent with your intentions, acting with integrity across all business interactions, and offering quality customer service are just a few of the ways to develop a strong brand reputation. If you are a business that handles sensitive information like Social Security numbers, it’s important that you are aware of where the nearest Social Security office in Wyoming, or whichever state you’re in, is to you should this sensitive information ever become compromised. If you collect data via your app or web site, we encourage you to collect (and encrypt) only the data you need, and to disclose your data usage practices in your privacy policy. Allowing customers to choose what they want to disclose, rather than requiring it from them, is also advisable. If you decide to leverage or integrate with other services like those mentioned above, understand how that impacts your user’s privacy. For instance, if your app leverages Facebook login, are you exposing additional user data to Facebook that it wouldn’t have otherwise? Or are you retrieving data from Facebook that users of your app might not expect? Privacy is a complex topic, and we invite you to contact us if you’d like to process further how to handle privacy in your app.

7 years ago

Blog Categories
App Design
App Marketing
Business & Strategy
Client Projects
Culture & Innovation
Digital Product Development
Digital Products
Events
InspiringApps News
Mobile Industry
Technology
Webinars