First, how do apps get hacked?
There are many ways hackers can breach your security. Let's start by talking about the common methods.
Broken Access Systems
Think of logging in as getting a debit card. You submit your money to the bank and they give you a card number. Here, you submit your email and password to the app and it gives you a login cookie.
If the card number is easily guessable, hackers can just try random card numbers until they get a correct one. Just like that, hackers can keep trying login cookies, and if those are easily guessable, or god forbid, numeric, hackers will eventually get into an account.
Solution: The simple way to solve this is to create login cookies that are extremely random. You should also check that the browser and location are similar to those of the person who created the login, just as banks also check the expiry date and CVC code.
Unprotected Backing Services
The time of monolithic (self-sufficient) apps is over. Every app has multiple services in the backend: databases, caches, message queues, proxies, and much more. If one of them gets breached, the hackers have pretty much found a gold mine of your data.
Solution: Never expose your backing services to the public internet; keep them on a closed private network with your apps. Monitor their logs to see whether they have been accessed from an unknown IP address, and periodically rotate their credentials.
Code That Breaks Your Code
Imagine this: Your app asks me for my name, and I write <script>alert("Hacked!")</script>. Ideally, it'd strip out any character that can't be in a name, but what if it doesn't?
An overwhelming number of websites are still susceptible to these kinds of attacks, and it gets worse: what if this app just saves the name to the database using a simple SQL query? I can just write DROP TABLE users; and that would be the end of your app.
Solution: Always strip away any characters that can't be part of a field, like the HTML characters < and >. Also check that the field is valid by comparing it to a standard. If you're using SQL, always use prepared statements.
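To make the three parts of that solution concrete, here is an added Python example (not from the original post) using the standard library's sqlite3 module: a name field validated against an assumed policy, HTML escaping of whatever is echoed back to the page, and a string-concatenated query next to the prepared-statement version so you can see why only the latter survives a hostile name. The users table and the name policy are constructed for the example.

```python
import html
import re
import sqlite3

# Assumed policy: a name starts with a letter and may contain letters, spaces,
# apostrophes and hyphens, up to 80 characters. Anything else is rejected outright.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' \-]{0,79}")


def validate_name(name: str) -> bool:
    """Compare the field to a standard instead of trying to blacklist bad characters."""
    return NAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Escape at output time so <script> arrives in the browser as inert text."""
    return f"<p>Hello, {html.escape(name)}</p>"


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """The input is pasted into the SQL text, so it can rewrite the query itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Prepared statement: the driver sends the value separately from the query text."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = setup_db()
    hostile = "' OR '1'='1"
    print(find_user_vulnerable(conn, hostile))  # every user, the WHERE clause was rewritten
    print(find_user_safe(conn, hostile))        # [] : treated as a literal, unlikely name
    print(validate_name(hostile))               # False: rejected before it reaches the query
    print(render_greeting('<script>alert("Hacked!")</script>'))
```

Note that validation and escaping are not substitutes for the prepared statement: a field like a free-text comment can't be validated this tightly, and only the parameterised query keeps data and SQL apart in every case.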
Now that we know the common ways apps get hacked, let's create some guidelines.
- Always hash passwords (I recommend Argon2), and encrypt any sensitive fields such as addresses (I recommend AES-256-GCM) so that even if a hacker gets access to a backing service like a database, they won't be able to find any sensitive information. You can also put sensitive information in a separate database.
- Always use cryptographically random text for login tokens; it's even better if you can use automatically expiring session cookies. I also recommend signing them (for example as a JWT) to make sure they haven't been tampered with.
- Make sure no one can make cross-site requests to do anything like delete their account, by setting the SameSite cookie flag.
- Always filter out any dangerous characters from user input, and validate it against a standard wherever possible.
- Periodically change your backing services' credentials and review the access logs for unknown IP addresses. Or better yet, use a service that does this automatically.
- Keep your servers and services updated with the latest patches.
- Get a penetration test once you're big enough to make sure your app doesn't have any vulnerabilities.
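The log review and credential rotation points (here and in the backing-services section above) are easy to script. The following is an added Python example, not code from the original post: it scans constructed Postgres-style "connection received" log lines for client addresses outside the private network your app servers are assumed to live in, and lists credentials whose last rotation is older than an assumed 90-day limit. The log format, the trusted network and the rotation limit are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed: app servers live in this private range; a connection from anywhere else is unexpected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample log in a Postgres-style "connection received" format (illustrative only).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z LOG: connection received: host=10.0.1.7 port=51234 user=app
2024-05-01T10:00:03Z LOG: connection received: host=10.0.1.9 port=51240 user=app
2024-05-01T10:02:11Z LOG: connection received: host=198.51.100.23 port=40001 user=app
2024-05-01T10:05:00Z LOG: checkpoint complete
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOG: connection received: host=(?P<host>\S+) .*user=(?P<user>\S+)"
)


def is_trusted(host: str) -> bool:
    """A host is trusted only if it parses as an IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or garbage are treated as unknown, not ignored
    return any(addr in net for net in TRUSTED_NETWORKS)


def unknown_connections(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, host, user) for every connection from outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a connection line
        if not is_trusted(m["host"]):
            hits.append((m["ts"], m["host"], m["user"]))
    return hits


def credentials_due_for_rotation(rotated_at: dict[str, datetime], now: datetime,
                                 max_age_days: int = 90) -> list[str]:
    """Names of credentials whose last rotation is older than max_age_days (assumed limit)."""
    limit = timedelta(days=max_age_days)
    return sorted(name for name, ts in rotated_at.items() if now - ts > limit)


if __name__ == "__main__":
    for ts, host, user in unknown_connections(SAMPLE_LOG):
        print(f"ALERT {ts}: {user} connected from unknown address {host}")
    now = datetime.now(timezone.utc)
    last_rotated = {"postgres": now - timedelta(days=120), "redis": now - timedelta(days=10)}
    print("rotate:", credentials_due_for_rotation(last_rotated, now))  # ['postgres']
```

Run this from a cron job against the previous day's logs and a small record of rotation dates, and you have a cheap version of the automatic service the guideline recommends.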
In the end, as long as hackers are determined to hack into your app, you can't stop them. But what if you recruited them? There are good hackers too: security researchers. These people hack for the fun of it and report any vulnerability they find to you. The best way to encourage them to help you is to reward them for hacking your apps.