Which mobile authentication method makes an app secure?

April 3, 2019
4 minutes read
Category: App Security
Author: Aleksandar Branković

If you want to create an app or already have one in the market, you need to consider how to secure your product, its data, and the user’s data as well. You can find a lot of Android & iOS apps that lack security and privacy measures. But both stores have been addressing these issues and removing applications that are not secure enough.

In order to create a secure app, developers need to implement effective measures, including secure authentication.

HTTPS will become the only option

HTTP, short for Hypertext Transfer Protocol, is the language that apps or browsers use for sending and receiving information. This protocol offers no protection or security whatsoever, which is why HTTPS was created as a secure and encrypted version of it.

If you pay attention, you will see that most websites, and not only Google, Facebook or Wikipedia, but also small personal websites & blogs, use HTTPS for their connection. They have all started switching to HTTPS because it improves their traffic and affects the Google Search ranking. Especially if the website collects any type of data via user input, like a contact form, a comment box or similar.

Because Google’s algorithm has been prioritizing HTTPS sites, any that still use the old protocol will need to move away from HTTP if they want to stay relevant. To make things even more strict, last year Chrome browser was updated with a built-in option to block the use of HTTP connections!

However, this has not been the case with many smartphone apps developed for both iOS and Android. Many of these apps still use HTTP, at least for some of the data traffic. And this is something that is going to change and needs to change, because HTTPS helps stop intruders (benign users, malicious attackers, and intrusive companies) from interfering and tampering with the communications between the user and the app.

Google ramped up its approach last year, with Android P launched in August 2018. Since late last year, all new Android apps must use HTTPS connection as their default setting. Google's goal is to migrate all network traffic away from cleartext (unencrypted HTTP) to TLS (Transport Layer Security). The widespread version in use is TLS 1.2 that was released in August 2008. However, TLS 1.3 that was also released in August last year, brought on many improvements and is the new standard that is currently being implemented.

By changing the defaults for Network Security Configuration, Google wants to block all cleartext traffic. On top of that, users will be able to allow or forbid HTTP connections, and apps that still want or need to use HTTP will have to ask Google for permission. And once they receive it (if they receive it), users will be able to see before installation if and why the app uses HTTP, and decide if they want to continue installing it.

This is similar to what Apple has done with its App Transport Security that forbids iOS applications to exchange data using HTTP by default.

From 2017, Apple started rejecting new applications and updates to old ones that make HTTP requests from the application to the server, and the App Transport Security method was put in place to secure transmission of data. However, Apple still has not completely implemented this practice. Apps can ask to use HTTP in certain cases, and there are those that don’t use HTTPS at all.

But things will only get more strict for applications. Users expect better protection and security, and Google & Apple will tighten their control.

Issues plaguing Apple’s App store

The App Store has had many security problems with its apps over the years, and the issue of developers manipulating it has been largely unaddressed. Even though there have been many scams and phishing attacks using many insecure apps, Apple has done little to address these issues.

Only after millions of user complaints for being scammed or having their accounts hijacked, during the last few years, Apple has started dealing with apps that don’t explain to users how their personal data is secured, used, or shared.

The App Store and Apple’s broader iTunes Store have become playgrounds for illicit transactions. Because of that, in 2018 they started pursuing apps that don’t communicate properly how the collected personal data is secured, used and shared. And the apps that managed to pass the check, will be held accountable by way of its own privacy policy and the statements it contains.

How HTTP vs HTTPS influences mobile authentication?

Any authentication request is an exchange of data between an app and a server. If this happens using insecure protocols - anyone might be able to find out users email address, username, password, PIN code or any other information sent by the app.

To improve user authentication and reduce login friction, many apps started using HTTP header enrichment method to verify users. This method adds data to the HTTP header during the authentication process. This can be specific data about the user and/or user’s device, SIM card, etc. which is included in the header as a plain text visible to the naked eye.

Users and app developers love it because it provides excellent user experience and works fast, but by not being encrypted, it becomes a data privacy issue and carries a huge security risk

Data added to the HTTP header can be collected and abused. Still, over the last two years, new authentication services that rely on the header enrichment method popped up. Luckily for users who prefer protecting their privacy, these methods will become useless once Apple and Google completely forbid HTTP traffic.

Is there a better authentication method?

Even though people believe SMS two-factor authentication is safe and gives them peace at night, it is not impenetrable, as witnessed by many SIM hijacking victims. Google and Apple are essentially making header enrichment obsolete as a security measure as well. App developers and service providers need to explore other options.

Moving away from SMS 2FA, there are methods that are secure but don’t provide a smooth user experience. On the other hand, biometrics has become very popular for its ease of use, but not everyone is willing to share their private information.

This is where we fit in perfectly. IPification was developed to solve the issues application developers have - to enable secure authentication which does not share users personal data and at the same time provide a seamless user experience.