Building Seriously Secure Apps

First, how do apps get hacked?

There are many ways attackers can get into your app. Let's start with the most common ones.

Broken Access Systems

Think of logging in as getting a debit card. You hand the bank your identity and your money, and they hand you back a card number. Here, you submit your email and password to the app, and it hands you back a session cookie.

If the card number is easily guessable, a thief can just try card numbers until one works. In the same way, an attacker can keep trying session cookies, and if they are short, predictable, or, god forbid, sequential integers, they will eventually land on a live session and walk straight into someone's account without ever knowing the password.

Solution: Make session tokens long and unpredictable, generated from a cryptographically secure random source (at least 128 bits, 256 is cheap), never from a counter or a timestamp. You should also bind the session to something about the client, such as the browser's user agent and the network the login came from, and refuse the token when those change, just like a bank also checks the expiry date and CVC rather than trusting the card number alone.
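Here is an added example (not code from the original post) of the two token schemes side by side: a store that hands out sequential numeric IDs and is enumerated in a handful of guesses, and a store that mints 256-bit random tokens and additionally checks that the browser and source IP match the ones seen at login. The `SessionStore` and `WeakSessionStore` class names, the stored fields and the sample IPs are assumptions chosen for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    user_agent: str   # bound at login; checked on every use
    ip: str           # bound at login; checked on every use


class WeakSessionStore:
    """Hypothetical 'bad' store: session IDs are a plain counter."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}
        self._next = 1000  # sequential IDs are trivially enumerable

    def create(self, user: str) -> str:
        token = str(self._next)
        self._next += 1
        self._sessions[token] = user
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._sessions.get(token)


def enumerate_weak(store: WeakSessionStore, max_tries: int) -> Optional[str]:
    """Attacker loop: try integer IDs in order until one resolves to a user."""
    for guess in range(max_tries):
        user = store.lookup(str(guess))
        if user is not None:
            return user
    return None


class SessionStore:
    """Hardened store: random 256-bit tokens bound to client properties."""

    def __init__(self) -> None:
        # Keyed by a hash of the token, so a leaked store does not yield
        # tokens that can be replayed directly.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, user_agent: str, ip: str) -> str:
        # 32 bytes from the OS CSPRNG; an attacker cannot enumerate 2**256.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, user_agent, ip)
        return token

    def lookup(self, token: str, user_agent: str, ip: str) -> Optional[str]:
        session = self._sessions.get(self._key(token))
        if session is None:
            return None
        # The "CVC and expiry" check: same browser and same client address
        # as at login, otherwise treat the cookie as stolen.
        if session.user_agent != user_agent or session.ip != ip:
            return None
        return session.user
```

In a real deployment the IP check is usually relaxed to the same network or region rather than an exact address, because mobile clients change addresses legitimately; the point is that a token alone should not be enough.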

Unprotected Backing Services

The time of the monolithic (self-sufficient) app is over. Every app has multiple services behind it: databases, caches, message queues, proxies, and so much more. If one of them is reachable from the internet with a default or weak password, attackers have found a gold mine of your data without ever touching your application code.

Solution: Never expose backing services to the public internet. Keep them on a private network that only your application servers can reach, and bind them to that interface rather than to all addresses. Monitor their connection logs for clients outside that network, alert when one shows up, and rotate their credentials periodically so a password that leaks in a backup or a config file has a short useful life.
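The monitoring half of that advice is easy to automate. The following is an added example, not part of the original post, that scans PostgreSQL-style connection log lines and flags every client address that is not inside the private networks your app servers live on. The log lines are constructed for the demonstration, and the `10.0.1.0/24` app subnet is an assumption; PostgreSQL really does log `connection received: host=... port=...` when `log_connections` is on, and `host=[local]` for Unix-socket connections, which are treated as trusted here.

```python
import ipaddress
import re
from typing import Iterable, List, Sequence

# Networks that are allowed to talk to the database (assumed for the example:
# the application subnet plus loopback). Anything else is "unknown".
ALLOWED_NETS = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Matches PostgreSQL's "connection received" line.
HOST_RE = re.compile(r"connection received: host=(\S+)")

# Constructed sample log; 198.51.100.23 is outside the private subnet.
SAMPLE_LOG = """\
2024-05-01 12:00:01 UTC [4123] LOG:  connection received: host=10.0.1.5 port=54321
2024-05-01 12:00:03 UTC [4124] LOG:  connection received: host=[local]
2024-05-01 12:00:09 UTC [4130] LOG:  connection received: host=198.51.100.23 port=60211
2024-05-01 12:00:10 UTC [4130] FATAL:  password authentication failed for user "postgres"
2024-05-01 12:01:44 UTC [4151] LOG:  connection received: host=10.0.1.7 port=54400
""".splitlines()


def unknown_connections(
    log_lines: Iterable[str],
    allowed: Sequence[ipaddress._BaseNetwork] = ALLOWED_NETS,
) -> List[str]:
    """Return the client addresses that connected from outside the allowlist."""
    flagged: List[str] = []
    for line in log_lines:
        match = HOST_RE.search(line)
        if not match:
            continue
        host = match.group(1)
        if host == "[local]":
            continue  # Unix socket: only processes on the DB host itself
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Not an address we can classify (hostname or garbage): surface it.
            flagged.append(host)
            continue
        if not any(ip in net for net in allowed):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in unknown_connections(SAMPLE_LOG):
        print(f"ALERT: database connection from unknown address {host}")
```

Run this from cron or a log shipper and page on any output. If it ever fires, the network boundary is already broken, so treat it as an incident and rotate the database credentials while you investigate.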

Code That Breaks Your Code

Imagine this: your app asks me for my name, and I type <script>alert("Hacked!")</script>. If the app later prints that name into a page exactly as I typed it, my script runs in every browser that views the page. That is cross-site scripting (XSS), and an overwhelming number of websites are still susceptible to it.

It gets worse: what if the app saves the name to the database by pasting it into an SQL string? Then the name is no longer data, it is part of the query. A name like ' OR '1'='1 turns a lookup for one user into a lookup for every user, and on databases and drivers that accept several statements in one query, '; DROP TABLE users; -- would be the end of your app. That is SQL injection.

Solution: Validate input against a standard where one exists (an email address has a grammar, a postal code has a shape), but do not rely on stripping "dangerous" characters, because legitimate data contains them (O'Brien is a real name) and you will miss cases. Instead, encode data for the context it is going into: HTML-escape it when you render it into a page, and if you're using SQL, always use prepared statements (parameterized queries) so user input can never be parsed as SQL.
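The following is an added example, not code from the original post, that puts the vulnerable and the hardened versions side by side against an in-memory SQLite table. `find_user_vulnerable` builds the query by string formatting, so the ' OR '1'='1 payload returns every row; `find_user_safe` uses a parameterized query, so the same payload is just an unusual name that matches nothing; and `render_greeting` shows the output-encoding half of the fix. The table layout and the sample users are constructed for the demonstration.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the name is concatenated into the SQL text."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(query).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized: the driver sends the name as a value, never as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(query, (name,)).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for the HTML context: <, >, &, quotes become entities."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both users leak
    print("safe:      ", find_user_safe(db, payload))        # nothing matches
    print(render_greeting('<script>alert("Hacked!")</script>'))
```

Note that the DROP TABLE variant from the text does not work through `sqlite3.Connection.execute`, which refuses to run more than one statement per call; it is the string-building pattern that is the bug, and a different driver or database would let the stacked statement through. The prepared statement closes the hole regardless of driver.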

The Guidelines

Now that we know the common ways apps get hacked, let's turn them into guidelines.

In the end, a sufficiently determined attacker with enough time will find a way in; no single control stops everyone. But what if you put that determination to work for you? There are good hackers too: security researchers who break into apps for the challenge and report what they find to you instead of exploiting it. The best way to encourage them is to reward them for it, with a vulnerability disclosure policy that tells them how to report safely and a bug bounty that pays for valid findings.
