
ISO 27001 Controls: Developing Secure Apps

The importance of privacy and security


When you’re developing an application, it is important to consider how it handles user data.

 

Our sister company, Invotra, is used by various UK government departments, including the Home Office, which uses Invotra to store highly sensitive data.

 

With that in mind, it is essential that Invotra does whatever it can to prevent a security breach.

 

Secure development and maintenance of applications is a requirement of ISO 27001:2013 Annex A.14.

Transferring Data Securely

The internet has been used to transfer data between computers for a long time; this is its fundamental process, after all.

 

These days, many applications encourage users to store their data in “the cloud” – or, to put it more directly, on servers used by those applications.

 

Inverifi relies on cloud storage, almost exclusively, to store customer data. This is done to ensure that your data is always available, wherever it’s needed.

 

With this in mind, it is important that Inverifi (and other applications) can transfer data securely between your browser and our servers.

 

Most importantly, this means using encryption to ensure that any data transferred over the network is essentially useless to anyone who might intercept it.

 

This previous blog entry discusses cryptography in more detail, if you’re interested in the subject.

Access Controls

When people use cloud apps, typically, they have certain expectations of how these apps will handle data.

 

Consider Twitter, as an example. By default, your Twitter profile is public. This means anything you post is available to pretty much anyone with an internet connection.

 

However, even the most prominent public figures have certain expectations of the social media platform.

 

Direct messages sent on Twitter are generally private; most users expect these messages to only be accessed by their senders and recipients, most of the time.

 

Furthermore, it is possible to make your Twitter profile private, so only followers approved by you can view your tweets.

 

It is important that online services make it clear to users which of the data they provide will be kept private and which will be made publicly accessible.

 

It is equally important that apps continue to handle user data in line with established expectations.

 

Failure to do so may be seen as a breach of privacy, likely resulting in damage to reputation, and possibly even legal action.

Consequences of Data Breaches

A few years back, it was found that Cambridge Analytica had illegally obtained personal information of up to 87 million Facebook users.

 

This data was collected using an app on Facebook’s platform, This Is Your Digital Life, which presented itself as a personality quiz.

 

This app was used by around 270,000 people. It asked each user for permission to access all their friends’ personal information.

 

For some users, this app allegedly had permission to access the following information on their friends:

 

  • Profiles
  • Page likes
  • Birth dates
  • Posts
  • Private messages

 

Many users granted this permission without taking the time to check what information the app was asking for.

 

The total number of users whose profiles this app had access to amounted to around 87 million.

 

You could point out that this app’s users should have been more mindful of what data they were agreeing to share, and you wouldn’t be wrong.

 

However, it wouldn’t even have occurred to many of the users how much data they might be handing over with the simple click of a button.

 

Users typically expect their private messages to remain private, not to be handed over to any app that might ask for them.

 

Furthermore, the 87 million people whose data was breached shouldn’t have been punished for the inattentiveness of their friends.

 

Facebook has since tightened restrictions on what data third party apps can access through its APIs, and made its privacy settings easier to understand.

 

Although Facebook survived the PR disaster, many people, to this day, are no longer willing to trust the platform with their data.
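The expectations described above (public posts, private profiles, sender-and-recipient-only messages, and third-party access that depends on each person's own consent) can be written as deny-by-default checks. This is an added example, not code from Inverifi, Twitter or Facebook; the `User` model, the scope names and the `quiz` app id are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    private_profile: bool = False
    approved_followers: set = field(default_factory=set)
    # app id -> scopes this user personally granted (hypothetical scope names)
    app_grants: dict = field(default_factory=dict)

def can_read_post(viewer: Optional[str], author: User) -> bool:
    """Posts are public unless the author has made the profile private."""
    if viewer == author.name or not author.private_profile:
        return True
    return viewer in author.approved_followers

def can_read_message(viewer: Optional[str], sender: str, recipient: str) -> bool:
    """Direct messages are readable by sender and recipient only."""
    return viewer is not None and viewer in (sender, recipient)

def app_can_read(app_id: str, scope: str, owner: User) -> bool:
    """Only the data owner's own grant counts; no grant means no access."""
    return scope in owner.app_grants.get(app_id, set())

def friends_readable_by_app(app_id: str, scope: str,
                            installer: User, friends: list) -> list:
    """The installer's consent never extends to a friend's data:
    each friend must have granted the scope to the app themselves."""
    if not app_can_read(app_id, "friends_list", installer):
        return []
    return [f.name for f in friends if app_can_read(app_id, scope, f)]

# Constructed sample data: alice installs a quiz app and accepts every prompt,
# bob never installed it, carol installed it but shared only her profile.
alice = User("alice",
             app_grants={"quiz": {"profile", "friends_list", "messages"}})
bob = User("bob")
carol = User("carol", private_profile=True, approved_followers={"alice"},
             app_grants={"quiz": {"profile"}})

if __name__ == "__main__":
    print(friends_readable_by_app("quiz", "profile", alice, [bob, carol]))
    print(friends_readable_by_app("quiz", "messages", alice, [bob, carol]))
```

Under this model, one user accepting every permission prompt exposes only that user's own data; friends who never granted the app anything stay out of reach.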

Final Thoughts

If you want your app to have a reputation as one that can be trusted with user data, it is essential that you design it to handle data sensibly.

 

When you’re sending data over the internet, use an up-to-date encryption algorithm to prevent interceptors from getting anything useful out of what they capture.

 

When you develop a feature that processes data, try to make it implicitly clear to the user who will have access to this data.

 

We wish you the best of luck with your data processing endeavours, and hope you can maintain a good reputation.
