Prevent leakage of personal data and passwords

3. 3. 2022 / futured.app

Software development is not only about creating a product that works according to the specified requirements and makes life easier for the user, but also about things that are “invisible” and whose impact will only be felt over time. In addition to architecture, code quality, testing and many other aspects, security is extremely important in development.

How we think about security is a question we should ask ourselves at the very beginning of an application's development; otherwise, security problems such as the leakage of personal data or passwords are likely to follow.

> Our approach to security is backed by the rigorous TISAX (Trusted Information Security Assessment Exchange) certification, which we have obtained at the highest level of security.

Not reinventing the wheel and not resting on your laurels

When securing mobile apps, following Apple's and Google's recommendations and building further layers on top of them that are consistent with them is the absolute foundation.

An important resource for us is the MASVS (Mobile Application Security Verification Standard) from OWASP (Open Web Application Security Project). This standard specifies the rules that should be followed during development and divides them into several subgroups according to the sensitivity of the data and operations.

And since the technological world is developing very quickly, and operating systems come out with new versions every year, it is important not to rest on your laurels. At Futured, we continuously monitor relevant developer resources, are part of a developer community that shares specific recommendations, and participate in conferences where security issues are discussed by the best in their field. The knowledge is then shared within the development teams, so that we all have the best possible overview of the topic.

Security Levels: Which to Choose?

For each application, we adhere to a certain standard that eliminates fundamental security threats. But in principle, there is a simple rule: The more sensitive data an application contains, the more important security is.

Although each application is unique, this does not mean that we cannot divide them into basic categories that serve as a guide on how to approach each one. Unlike the MASVS standard, which defines two categories with one extension, at Futured we use three basic categories with one extension to better reflect our needs and those of our clients.

Steps in determining the level of security

  1. Identify the data and operations that the application works with
  2. Determine an appropriate level
  3. Dialogue with the client, during which we discuss why we recommend each step, how the steps affect the functionality of the application and what they mean for its development

I — Standard Level

The security minimum that each of “our” applications must meet.

Even a relatively simple application, which at first glance may not contain any sensitive data, needs security. Such safeguards include, for example, securely storing access tokens in encrypted storage, obfuscating the code, or using secure communication with the backend. At Futured, this is the standard we always meet.

II — Higher Level

For applications processing sensitive data or operations.

For applications that work with, for example, financial, health, or personal data in general, we recommend a higher level of security. This includes, for example, two-factor authentication of the user at login, biometric protection of the application, certificate pinning, or protection against an excessive number of login attempts.
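The protection against an excessive number of login attempts mentioned above, as an added example that is not Futured's code: a backend-side throttle that locks an account after repeated failures within a window and doubles the lockout on every further lockout, so automated guessing slows down quickly while a legitimate user who mistypes a few times is only briefly delayed. The thresholds, the `FakeClock`, the `attempt_login` helper and the sample user `alice` are assumptions constructed for this demo.

```python
"""Login-attempt throttling with lockout and exponential backoff (added example)."""
import time
from dataclasses import dataclass, field

# Policy values are assumptions chosen for the demo, not a recommendation from the article.
MAX_FAILURES = 5            # failures allowed inside one window before a lockout
WINDOW_SECONDS = 15 * 60    # failures older than this are forgotten
BASE_LOCKOUT_SECONDS = 60   # first lockout length; doubles with each further lockout
MAX_LOCKOUT_SECONDS = 24 * 3600


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts
    locked_until: float = 0.0                      # epoch seconds; 0 means not locked
    lockouts: int = 0                              # consecutive lockouts without a success


class LoginThrottle:
    """Tracks failed logins per account; injectable clock makes it testable offline."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}  # user -> AccountState

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._clock() < self._state(user).locked_until

    def seconds_remaining(self, user):
        return max(0, int(self._state(user).locked_until - self._clock()))

    def record_failure(self, user):
        """Register one failed attempt; return True if the account is now locked."""
        now = self._clock()
        st = self._state(user)
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.lockouts += 1
            duration = min(BASE_LOCKOUT_SECONDS * 2 ** (st.lockouts - 1), MAX_LOCKOUT_SECONDS)
            st.locked_until = now + duration
            st.failures.clear()  # the lockout itself is the penalty; start a fresh window
            return True
        return False

    def record_success(self, user):
        """A successful login resets the counters and the backoff."""
        st = self._state(user)
        st.failures.clear()
        st.lockouts = 0
        st.locked_until = 0.0


def attempt_login(throttle, user, password, check_password):
    """Return 'ok', 'denied' or 'locked'. The password is not checked while locked,
    so a locked account yields no information about the credential."""
    if throttle.is_locked(user):
        return "locked"
    if check_password(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "locked" if throttle.is_locked(user) else "denied"


class FakeClock:
    """Deterministic clock for the demo and tests (assumption, not production code)."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Six wrong passwords, then the right one after the lockout expires."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": "correct horse battery"}  # constructed sample credential
    check = lambda u, p: users.get(u) == p
    results = [attempt_login(throttle, "alice", "wrong", check) for _ in range(6)]
    clock.advance(BASE_LOCKOUT_SECONDS + 1)
    results.append(attempt_login(throttle, "alice", "correct horse battery", check))
    return results  # 4 x 'denied', 2 x 'locked', then 'ok'


if __name__ == "__main__":
    print(demo())
```

Because a per-account lockout can be turned against legitimate users (anyone who knows a username can trigger it), in practice it is combined with per-client throttling and a second factor rather than used alone; the exponential backoff above caps at one day for the same reason.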

III — Top Level

If security is the top priority.

For applications that carry out financial operations, for example, or operate in an e-government environment, security becomes the main topic to think about. The discussion needs to be much more detailed, because security has to be built into every aspect of development. In addition to the measures from the previous levels, we recommend, for example, working with threat models, having clearly defined cryptographic processes, or having a defined disclosure policy.

Additional protection against reverse engineering

So that the attackers do not see under the “hood”.

One possible threat is reverse engineering, where an attacker tries to peer into what is happening inside an application or tries to modify it so that the modified copy impersonates the original. This is a problem for applications that work with intellectual property, or wherever such a modification could give an attacker an advantage, such as cheating in games. We counter such attacks by signing the application properly and by using obfuscation. For an application where this risk is more significant, we additionally recommend tools such as root/jailbreak detection, detection of reverse engineering tools, or more thorough obfuscation.

Specific approach

Now you know how we think about security at Futured. Although we have divided it into several basic levels, it is always important to think carefully about the specifics of each application. This is the only way to choose a solution that ensures the final product is not only successful as a product, but also keeps its users' data completely safe.

> “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
>
> Stéphane Nappo
