So, You Wanna Build an App? App Security
This post is part of the “So You Wanna Build an App” series. The other posts include: “What to Consider Before Developing an App,” “Know Your Audience,” and “Safety First.” This series is based on lessons we learned when developing the NNEDV Tech Safety App, and in reviewing dozens of apps created for victims of domestic violence, sexual assault, and stalking. Our reviews can be found in the App Safety Center.
In the “Safety First” post, we talked about how to minimize risks for users when you build the app. Another concern that app developers must be aware of is security—both security of the app itself and security of the data that the app collects from users.
Minimize User Data & Secure What You Store
User data can include anything from asking users to create an account with a username and password to asking users to upload and store evidence of abuse. The first step to data security is to only collect the information needed in order to provide the service. Don’t ask for data you don’t need. For example, some apps require users to create an account when there is no obvious need for an account. Other apps require access to information on the device, such as the user’s contact list and calendar, even when that information has no relevance to the functionality of the app.
Also remember that some types of data are more sensitive than others. Sensitive data includes personally identifying information like name, birthdate, location, health/mental health information, and documentation of abuse. The exposure of sensitive data can have dangerous consequences for the survivor if it’s discovered by the abuser. For this reason, securing sensitive data from unintentional disclosure is crucial.
Develop your app in a way that doesn’t require users to share personal information, or that offers users multiple ways they can opt into or out of sharing personal information. For example, some safety apps allow users to contact someone through the app. Develop the app in a way that lets the user manually type in the contact information, rather than requiring that the app be connected to their contact list. Also remember: if your app is designed so that it can inform 2 or 3 contacts when the survivor needs help, the app does not need access to the entire address book. This is also helpful because some users may want to input a safety contact, such as their domestic violence advocate or private attorney, who isn’t in their contact list.
App Security
For apps that collect no or minimal data from their users, the security issues are more about the app itself. Some apps are built to function fully on the device, where all the content is accessible via the downloaded app. Other apps require users to retrieve information online. Depending on how the online content is hosted, if someone were covertly watching the internet traffic, they might be able to find out the names of the websites and other content that’s being accessed. Think about where your online content is hosted and how that information is retrieved. As an example, in order to protect survivors, all of the videos on our Tech Safety App are hosted on a secure server, and the files are named in a way that obscures what they are in case someone is covertly watching the internet traffic.
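One way to produce non-descriptive hosted file names, shown as an added example; it is not NNEDV's or 3Advance's code, and the page does not say how the Tech Safety App names its files. It derives each name from a keyed HMAC so that guessing a title does not reveal the hosted name, then checks that no revealing word survives. The sample file names, the term list and the key handling are assumptions.

```python
import hashlib
import hmac
import os
import re
from pathlib import PurePosixPath

# Constructed sample names; a real build would read them from the CMS export.
SAMPLE_ASSETS = [
    "documenting-abuse-video.mp4",
    "stalking-safety-plan.pdf",
    "spyware-checklist.pdf",
]

# Hypothetical list of words that should never appear in a hosted file name.
SENSITIVE_TERMS = ("abuse", "stalking", "spyware", "violence", "safety")


def opaque_name(original: str, key: bytes, length: int = 32) -> str:
    """Derive a stable, non-descriptive name; only the extension is kept."""
    suffix = PurePosixPath(original).suffix.lower()
    digest = hmac.new(key, original.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length] + suffix


def build_manifest(assets, key):
    """Map each descriptive name to the opaque name used on the server."""
    manifest = {}
    for name in assets:
        hosted = opaque_name(name, key)
        if hosted in manifest.values():
            raise ValueError(f"name collision for {name!r}")
        manifest[name] = hosted
    return manifest


def leaky_names(hosted_names, terms=SENSITIVE_TERMS):
    """Return the hosted names that still reveal what the file is about."""
    pattern = re.compile("|".join(map(re.escape, terms)), re.IGNORECASE)
    return [n for n in hosted_names if pattern.search(n)]


if __name__ == "__main__":
    key = os.urandom(32)  # assumption: in practice a fixed secret held by the build system
    manifest = build_manifest(SAMPLE_ASSETS, key)
    for title, hosted in manifest.items():
        print(f"{title} -> {hosted}")
    print("leaky before:", leaky_names(SAMPLE_ASSETS))
    print("leaky after: ", leaky_names(manifest.values()))
```

The manifest ships inside the app, so the readable titles are shown to the user from the device while only the opaque names appear in requests, server logs and caches.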
Have a Security Framework and Policy
Anytime you ask users to share personal information with you, you need to know (and let them know) how you’ll keep that data secure. The security framework should encompass every level of engagement – from the time they share their information (account creation, uploading/downloading content) to when you store that information (on secure and encrypted servers) to how (and how often) you destroy content. Your security policy should be clear, and posted where users can easily review it. It should also be very clear about when and how you might share their information with third parties such as law enforcement or courts.
Educate Users on Security
If your app encourages people to use third-party cloud storage like Dropbox to store personal information gathered via your app, provide tips and education on good security practices. Where appropriate, teach users to use strong passwords and multi-factor authentication. The better they understand the risks, and how to minimize those risks, the better they can navigate them and develop stronger safety strategies.
Thanks for reading this blog series! If you’re still curious for more, you can find great information on our website:
· Technology Safety and Privacy: A Toolkit for Survivors
· Agency’s Use of Technology: Best Practices & Policies
Speaking of apps – check out NNEDV’s Tech Safety App! DC-based company 3Advance developed the CMS infrastructure and created the multi-platform mobile apps to bring to life the NNEDV Tech Safety App. If you’re an app developer or a victim service provider working with an app developer, be sure to check out our Considerations for App Developers resource!