More and more people now get on the internet using mobile devices (tablets, mobile phones and other smart gadgets) instead of traditional laptops and desktops. You can verify this from your own web server logs: looking at the "user agent" and "client operating system" fields makes it readily apparent that most internet traffic originates from mobile devices.
Now, getting your website to work smoothly on mobile is just the first step in the evolution toward getting your business mobile ready. It does not really give users that "native" feel unless you provide mobile apps to access your services. A mobile app brings your business onto the user's personal device in a manner that goes well beyond traditional browser-based interaction with your web server. The mobile app experience is more responsive and personal, and it allows you to communicate with the user even when they are not actively using the app (push notifications, for instance, let you reach potential and current customers at any time).
Though this mobile app revolution sounds exciting, it opens up a whole new world of security issues. For instance, a web browser traditionally uses SSL to show the user a padlock in the address bar and assure them of a secure browsing session. A mobile app, however, has no address bar to tell the user whether the connection is secure or not. Let us take a deeper look at SSL and how it can be used to secure mobile apps.
The traditional use of SSL
SSL certificates have been around for a while, and most users know them by the green padlock that appears in the address bar when they visit a website using "https://" in the URL. This assures users that they are in a safe environment and that any data exchanged between their browser and the web server is encrypted, hidden from the prying eyes of a hacker who may be listening in on the whole conversation between the web server and the user's browser; this is called a MITM (man-in-the-middle) attack. Use of a valid SSL certificate ensures that the encrypted information can only be decrypted at the two ends of the communication channel, the browser and the web server, and that the data is unreadable while in transit.
Businesses have long used SSL to provide a secure browsing environment for their users, so that users can share sensitive information with the business over the internet without worrying about having it stolen by cybercriminals along the way, and can engage in critical business transactions such as online payments. All of this helps your online business not only increase sales but also rank higher on search engines (sites that support HTTPS are given a boost by search engines).
Using SSL to secure internet traffic for Mobile Apps
Unlike a browser-based HTML page, which always has to download its code from the web server before it can be rendered, most mobile apps do not depend on the internet to get their user interface. However, except for a few apps such as calculators, simple accessories for things like note-taking, and low-end games, the majority of mobile apps have a dynamic component: they need to communicate with backend servers for logins and authentication, to query databases, and to fetch other kinds of interesting data.
The moment you think of communicating over the internet, MITM attacks are the first thing that comes to mind. Just like a web browser, a mobile app needs to ensure that it is communicating with the server it believes it is talking to, and that the data exchanged between the backend server and the app is encrypted so it cannot be stolen by hackers in transit. SSL comes to the rescue here as well. To enable this, install an SSL certificate on your backend server and ensure the following in the mobile app:
- Certificate validation: Make sure that your mobile app fully validates the SSL certificate presented by the backend server and checks that it carries the signature of a trusted CA (Certificate Authority), i.e. that it chains up to a CA the app trusts. You do not need to reinvent the wheel for this. All native mobile platforms, such as iOS and Android, provide standard ways of doing so; just make sure that certificate validation is a standard part of your mobile app development process.
- Hostname validation: Before your mobile app exchanges any data with the backend server, it must first ensure that the hostname on the SSL certificate (also called the CN, or common name; on modern certificates the name is carried in the Subject Alternative Name field) matches the host the app wishes to communicate with. Again, this can be accomplished using the standard libraries provided by the native mobile app development platforms.
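To make the two checks above concrete, here is an added Go example; it is not code from the original article. It builds a throwaway CA and a leaf certificate for the hypothetical hostname api.example.com in memory, serves that certificate on a loopback port, and then runs four client handshakes: the correct configuration (a trusted root plus the expected hostname), a hostname mismatch, an untrusted issuer, and the InsecureSkipVerify anti-pattern that silently disables both checks. The hostnames and certificates are constructed for the demo; the two settings the secure client uses (a trusted root set and the expected server name) correspond to what the native iOS and Android networking stacks enforce by default when you do not override their validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical backend hostname; the certificates below are generated in
// memory at run time so that the example works offline.
const backendHost = "api.example.com"

// secureClientConfig is what an app should use: the chain must end at a
// trusted root (certificate validation) and the leaf must be valid for the
// name we intend to talk to (hostname validation). InsecureSkipVerify stays
// false; setting it to true disables both checks.
func secureClientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTestPKI builds a constructed CA and a leaf certificate for backendHost.
func newTestPKI() (*x509.CertPool, tls.Certificate, error) {
	caKey, leafKey, now := mustKey(), mustKey(), time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: backendHost},
		DNSNames:  []string{backendHost}, // modern clients match the hostname against the SANs
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}, nil
}

// startServer serves the leaf certificate on a loopback port and completes
// handshakes until the listener is closed.
func startServer(leaf tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{leaf}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// handshake dials addr with cfg and returns the verification outcome (nil = accepted).
func handshake(addr string, cfg *tls.Config) error {
	c, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	c.Close()
	return nil
}

// TLSResults holds one error per scenario; nil means the connection was accepted.
type TLSResults struct {
	Trusted, WrongName, UntrustedCA, SkipVerify error
}

func RunTLSScenarios() (TLSResults, error) {
	pool, leaf, err := newTestPKI()
	if err != nil {
		return TLSResults{}, err
	}
	ln, err := startServer(leaf)
	if err != nil {
		return TLSResults{}, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	return TLSResults{
		Trusted:     handshake(addr, secureClientConfig(pool, backendHost)),
		WrongName:   handshake(addr, secureClientConfig(pool, "login.example.com")),
		UntrustedCA: handshake(addr, secureClientConfig(x509.NewCertPool(), backendHost)),
		// The anti-pattern: nothing is checked, so a forged certificate is accepted too.
		SkipVerify: handshake(addr, &tls.Config{InsecureSkipVerify: true}),
	}, nil
}

func main() {
	r, err := RunTLSScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA + right name: %v\nwrong hostname: %v\nuntrusted CA: %v\nInsecureSkipVerify=true: %v\n",
		r.Trusted, r.WrongName, r.UntrustedCA, r.SkipVerify)
}
```

Run it with go run; only the first scenario and the InsecureSkipVerify scenario connect, and the last one is the point of the demo: a client that skips verification cannot tell the genuine backend from an impostor, which is exactly the gap an address-bar padlock would otherwise expose to the user.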
Using a code signing certificate
Your customers must feel safe when downloading your mobile app and its subsequent updates, or they may choose to go elsewhere. In the scary world of the internet, it is easy for hackers to pose as you and push malware to users' mobile devices, and users may install the damaging software thinking it comes from you. Not only may it harm the user's mobile device, but it also damages the trust your customers place in you; they may blame you for infecting their devices.
The solution to this problem is a code signing certificate. A code signing certificate assures customers that the code is actually authenticated as yours and has not been corrupted in transmission or tampered with since you signed it. Your customers can thus download the mobile app and any updates with confidence.
A code signing certificate uses the same public key infrastructure as the one behind the HTTPS protocol. Here the cryptographic mechanics differ slightly (the code is signed rather than the connection being encrypted), but the end result is the same: the digital certificate essentially shrink-wraps your code, so it cannot be maliciously altered during distribution and download without the tampering being detected.
Create a foolproof, secure mobile app development and release process, so that no code is distributed without first being signed with your code signing certificate.
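As an added example, and not code from the article, the following Go program shows the sign-and-verify cycle that a code signing certificate is built on. It uses a freshly generated ECDSA P-256 key pair in place of the publisher's certified key (binding that key to your identity through a CA is what the certificate itself adds), signs the SHA-256 digest of a constructed stand-in for an app package, and then shows that the installer-side check passes for the genuine package but fails when a single byte has been altered or when the package was signed with someone else's key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Publisher holds the private signing key. In a real code signing setup this
// is the key certified by your code signing certificate; here it is a freshly
// generated P-256 key so the example runs offline.
type Publisher struct {
	Key *ecdsa.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Key: key}, nil
}

// SignArtifact hashes the package with SHA-256 and signs the digest. The
// signature ships alongside the package; the private key never leaves the publisher.
func (p *Publisher) SignArtifact(artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, p.Key, digest[:])
}

// VerifyArtifact is the check the device (or app store) runs before installing:
// recompute the digest and verify the signature with the publisher's public key.
// Any change to the bytes, or a signature made with a different key, fails here.
func VerifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SigningOutcome records the three situations an installer needs to tell apart.
type SigningOutcome struct {
	Genuine  bool // untouched package, signed by the real publisher
	Tampered bool // one byte altered after signing
	Impostor bool // same bytes, signed with someone else's key
}

func RunSigningScenarios() (SigningOutcome, error) {
	// Constructed stand-in for an app package; real packages are just larger byte strings.
	artifact := []byte("example-app-v1.2.3: constructed package bytes for the demo")

	real, err := NewPublisher()
	if err != nil {
		return SigningOutcome{}, err
	}
	sig, err := real.SignArtifact(artifact)
	if err != nil {
		return SigningOutcome{}, err
	}

	// A single bit flipped in transit, or by an attacker, changes the digest.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01

	// An impostor can sign anything they like, but only with their own key.
	impostor, err := NewPublisher()
	if err != nil {
		return SigningOutcome{}, err
	}
	forgedSig, err := impostor.SignArtifact(artifact)
	if err != nil {
		return SigningOutcome{}, err
	}

	pub := &real.Key.PublicKey // the only thing the verifier needs to hold
	return SigningOutcome{
		Genuine:  VerifyArtifact(pub, artifact, sig),
		Tampered: VerifyArtifact(pub, tampered, sig),
		Impostor: VerifyArtifact(pub, artifact, forgedSig),
	}, nil
}

func main() {
	o, err := RunSigningScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, tampered: %v, impostor: %v\n", o.Genuine, o.Tampered, o.Impostor)
}
```

The verifier holds only the public key, which is why a release process can insist that nothing ships unsigned: the device can always perform this check, and the private key stays with the publisher.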
In summary, mobile apps open a new world of opportunities for your business. Take full advantage of the mobile platform by providing your users with interactive and functional native apps. Make sure you use SSL and code signing certificates to ensure your users' safety and instill confidence in them. Providing your customers with a safe experience when using your mobile apps will go a long way toward helping your business succeed.