App developers are more or less getting used to the idea that, if they're working on their own, they need to be in charge of R&D, design, marketing and sales. Now, unfortunately, IT security may need to be added to that list.
Among the takeaways from the recent hacking attacks on Facebook (NASDAQ:FB), Apple (NASDAQ:AAPL) and other firms has been the notion that, possibly for the first time, app developers are being targeted as a group by cybercriminals. Although there is still some dispute over what happened, several security experts have pointed to a website that focuses on iPhone app development as a place where the malware was placed. Anyone who visited it could have been infected. As opposed to going after specific users with phishing e-mail messages, this "watering hole" approach tries to identify popular destinations and lay an online trap of sorts.
Facebook and Apple are both interested in iPhone app development, so they are probably the highest-profile targets. Writing on F-Secure's corporate blog, however, Sean Sullivan, the company's security advisor, pointed out that the wider app developer community may be even less prepared to defend itself than the world's tech giants.
"Twitter and Facebook obviously have dedicated security teams on the lookout for trouble. (They're big targets.) Unfortunately, other smaller Silicon Valley startups (with big user bases) don't have the same resources," he wrote. "There are hundreds of thousands if not millions of mobile apps in the world. How many of the apps' developers do you think have visited a mobile developer website recently? With a Mac… and a very false sense of security?"
The goal of such attacks is not necessarily money. Cybercriminals would be aware that one-man app developer shops are not worth targeting directly for financial gain. It's all about data, which successful developers are collecting and in some cases storing in greater volumes than ever before. As they get more sophisticated about analytics on engagement, purchase history and so on, they could become ever more attractive to would-be hackers. And it's unlikely that security is going to be a major line item in the average developer's budget (assuming they actually have a budget) for the foreseeable future.
F-Secure implies that the best course of action for developers is to turn to a security product vendor or service provider for the reassurance they need. In this case, however, conventional anti-virus products might not do much to defend against malware that enters the organization through a browser. It's also questionable whether the available security solutions would scale down properly to most smaller developers, who are more likely to be using something (if they're using anything at all) on the level of a home user.
Here are some things you can do instead:
- Start building a security intelligence pipeline. Sign up for newsletters that focus on this area so you can get the earliest possible warnings about attacks as they happen. Then, you can avoid potentially dangerous sites or e-mail virus campaigns. Skip at least one traditional programming-oriented conference for one that touches on mobile security and build it into your business plan.
- Prepare a crisis communications plan. When disaster strikes, many organizations spin into panic mode. You need to know in advance of a crisis not only when you will inform users, but how (e-mail, social channels, etc.) and exactly what information you should convey. There are probably enough small boutique PR firms around that could offer such consulting as a one-time service.
- Consider what you collect. This should already be a consideration given the level of activity around various state and federal privacy regulations being discussed around mobile app transparency, but security should drive even more attention in this area. Once you've been hacked, all your privacy shortcomings will quickly come to the forefront.
Consumers place a lot of trust in developers when they download an app. If Facebook and Apple can fall victim this easily, it should serve as a fair warning to mobile-first firms of any size.

-- Shane