Compliance, Privacy and Security for iOS and Android Mobile Apps
There’s a high likelihood that your app and your development process need to adhere to certain compliance and privacy guidelines.
PII - Personally Identifiable Information - should be accessible only to the people who need it for a specific, approved purpose. By default, no mobile engineer, customer support agent, or anyone else working at the company should be able to read it.
GDPR (General Data Protection Regulation) - an official EU regulation - has further expanded the scope of what counts as personal data, and it only allows personal data to be stored and processed for a lawful purpose.
For mobile engineering, there are a couple of areas that will impact almost all organizations - except for ones that do not have any users in the EU.
Logging of data - both on the device and when shipping logs to the backend - is an area you should think about more carefully:
- Logging PII without encryption in transit and at rest makes your log pipeline a likely source of data breaches: logs are typically copied, searched and retained far more freely than production databases.
- Aim not to log PII at all. Where the information is genuinely needed, anonymize or pseudonymize it before the line is written, so that what ends up in the logs is no longer PII.
- Put guidance in place for what, when, and how to log, including a section on PII.
- Audit logs to ensure they are compliant.
- **Bug report screenshots** should not contain PII. You might need to take additional steps to ensure this, so that credit card numbers and other PII do not circulate in ticketing systems or among customer support agents.
- Review on a regular basis what is being logged, where those logs are shipped and who can read them, so that no PII ends up stored in a non-secure way.
Audit various parts of your app for GDPR and PII compliance.
- **Third-party SDKs**. Many SDKs are not GDPR-compliant in their default configuration - for example, collecting analytics events or device identifiers as soon as they initialize, before the user has consented. You might need to work with their vendors - and in some cases stop using some of them - to stay compliant.
- Mobile app workflows might need to be updated to ensure the app stays compliant with GDPR. This can include additional steps to ask for permission before certain activities, and it could mean adding information screens.
- Mobile network traffic is worth monitoring with tools like mitmproxy, Charles, or similar to see what data the app actually sends over the network. You might discover PII being sent by your own code or by SDK code that you need to resolve. To see TLS traffic you need to trust the proxy’s CA certificate on the test device; on Android 7 and later, apps only trust user-installed CAs if their network security config allows it, so do this with a debug build, and expect an app that pins certificates to reject the proxy until pinning is disabled for that build.
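The redaction guideline in the logging list and the traffic-monitoring step above can share one piece of code: a PII detector that scrubs log lines before they are written and flags PII in requests captured by mitmproxy. The following is an added example, not code from the book or from Uber. The regexes, placeholders, the `PiiRedactingFilter` and `PiiFlagger` class names, and the sample log lines are assumptions made for illustration. The proxy hook uses mitmproxy’s addon API (`request(flow)`, `flow.request.pretty_url`, `flow.request.get_text`), but the detector and the logging filter run without mitmproxy installed.

```python
"""PII detector shared by a log-redaction filter and a mitmproxy addon.

Added example for illustration, not code from the book or from Uber.
The patterns, placeholders and class names are assumptions; tune them
to the data your app actually handles.
"""
from __future__ import annotations

import logging
import re
from urllib.parse import unquote

# Constructed patterns: e-mail addresses, 13-19 digit card-number candidates
# (digits optionally separated by spaces or dashes) and international phone
# numbers written with a leading "+".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PHONE_RE = re.compile(r"\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers that merely look like cards are skipped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every PII-looking value in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [("phone", m.group()) for m in PHONE_RE.finditer(text)]
    return hits


def redact(text: str) -> str:
    """Replace detected values with placeholders. Card numbers keep their last
    four digits so support can still match a transaction without seeing the PAN."""
    for kind, value in find_pii(text):
        if kind == "card":
            placeholder = "[CARD ****" + re.sub(r"\D", "", value)[-4:] + "]"
        else:
            placeholder = "[" + kind.upper() + "]"
        text = text.replace(value, placeholder)
    return text


class PiiRedactingFilter(logging.Filter):
    """Attach to a logging handler so lines are scrubbed before they are written
    to disk or shipped to the backend."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is fully formatted now; drop the raw args
        return True


def scan_request(url: str, headers: dict, body: str) -> list[tuple[str, str]]:
    """Scan one outgoing request. The URL is percent-decoded first because PII
    in query strings usually travels as jane%40example.com."""
    haystack = "\n".join([unquote(url), *(f"{k}: {v}" for k, v in headers.items()), body])
    return find_pii(haystack)


class PiiFlagger:
    """mitmproxy addon: `mitmproxy -s pii_flagger.py`, then route the test
    device through the proxy. Logs one warning per PII value, already redacted."""

    def request(self, flow) -> None:  # flow is a mitmproxy.http.HTTPFlow
        req = flow.request
        body = req.get_text(strict=False) or ""
        for kind, value in scan_request(req.pretty_url, dict(req.headers.items()), body):
            logging.warning("PII (%s) in request to %s: %s", kind, req.pretty_url, redact(value))


addons = [PiiFlagger()]  # what mitmproxy looks for when loading this file


if __name__ == "__main__":
    # Constructed sample log lines, as an app might write them.
    handler = logging.StreamHandler()
    handler.addFilter(PiiRedactingFilter())
    log = logging.getLogger("demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("payment ok card=4111 1111 1111 1111 user=jane@example.com")
    log.info("order 1234567890123 shipped, callback +44 20 7946 0958")
```

Run the file directly to see the two sample lines come out as `card=[CARD ****1111] user=[EMAIL]` and `callback [PHONE]`, with the 13-digit order number left alone because it fails the Luhn check. Loaded into mitmproxy, the addon only ever logs the redacted value, so the audit trail does not itself become a PII store. Regex detection is a safety net, not a substitute for not logging the field in the first place: treat every hit as a bug in the code or SDK that produced it.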
Training a few engineers on the implications of privacy laws for coding and operations could be a smart move. This way you’d bring some of this knowledge in-house instead of relying on external consultants. If your organization is large enough to have in-house specialists, you might still want to consider nominating compliance/privacy/security “champions” to better scale this knowledge. This is what we did at Uber - and it helped flag potential issues earlier in the development process.
Having a compliant development process and data storage setup is out of scope for this book. To ensure that your development processes, your application, and your stored data are all compliant, you’ll want to rely on security, legal, and compliance experts.
To give a sense of how much effort such a process takes: at Uber, we spent months mapping processes, making process and tool changes, and then auditing these as we got ready for GDPR to come into force. The amount of work we had to do - and the scale of the changes we made - made this one of the bigger projects at company scale.
The earlier you do a thorough privacy and compliance review, the better. Once you have the right processes in place, staying compliant will be far less of an effort going forward.
Secure mobile development is a continuously evolving topic on its own. Though native iOS and Android apps have fewer security challenges to worry about than a backend service or a web app - the platform sandbox, code signing and store review take care of a good part of it - the ones they do have are real: insecure local storage, leaky logs, weak transport security and misused platform APIs. It’s a good idea to map these potential vulnerabilities and train engineers on secure mobile app development.
Running security checks at the CI/CD level is an area worth investing in. This is where you can scan the code for hardcoded credentials or for usage of dangerous functions, and fail the build when they turn up. You can get this approach out of the box with tools like SonarCloud. Skyscanner took a similar approach with their Whispers static code analysis tool, which focuses on finding hardcoded secrets.
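A minimal version of such a CI check, as an added example that is not SonarCloud, Whispers, or the book’s own tooling: it scans files for known secret formats, for high-entropy values assigned to secret-looking names, and for a handful of dangerous mobile API patterns (a WebView with JavaScript enabled, `addJavascriptInterface`, an App Transport Security exception in Info.plist, hostname verification disabled), and exits non-zero when it finds anything. The rule table, the entropy threshold and the two sample files are constructed assumptions; the `AKIAIOSFODNN7EXAMPLE` value is the public example key from the AWS documentation, not a real credential.

```python
"""Pre-merge scanner for hardcoded credentials and dangerous mobile API use.

Added example, not SonarCloud, Whispers or the book's own tooling. The rule
table, threshold and sample files are constructed for illustration; extend
the rules with the key formats and platform calls that matter in your repo.
"""
from __future__ import annotations

import math
import re
import sys
from collections import Counter

# Fixed-pattern rules: well-known secret formats and platform calls that weaken
# transport security or expose native code to web content.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "webview-js-enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "webview-js-interface": re.compile(r"\baddJavascriptInterface\("),
    "ats-disabled": re.compile(r"NSAllowsArbitraryLoads</key>\s*<true/>"),
    "hostname-verification-off": re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
}
# Generic "secret = '...'" assignments are noisy, so a value is only reported
# when its Shannon entropy looks like a real key rather than a placeholder.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune it on your repo


def shannon_entropy(value: str) -> float:
    """Average bits of information per character of value."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def line_of(text: str, pos: int) -> int:
    """1-based line number of character offset pos; lets rules span lines."""
    return text.count("\n", 0, pos) + 1


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line, rule) findings for one file's contents."""
    findings = []
    for name, rx in RULES.items():
        for m in rx.finditer(text):
            findings.append((path, line_of(text, m.start()), name))
    for m in ASSIGNMENT_RE.finditer(text):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, line_of(text, m.start()), "high-entropy-secret"))
    return sorted(findings)


# Constructed sample files standing in for a checkout of the repo.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Net.java": (
        "public class Net {\n"
        '    static final String API_KEY = "sk_live_51H8x9qL2mN3pQ7rS";\n'
        '    static final String AWS_ID = "AKIAIOSFODNN7EXAMPLE";\n'
        '    String password = "changeme_changeme";\n'
        "    void init(WebView w) { w.getSettings().setJavaScriptEnabled(true); }\n"
        "}\n"
    ),
    "ios/App/Info.plist": (
        "<key>NSAppTransportSecurity</key>\n<dict>\n"
        "  <key>NSAllowsArbitraryLoads</key>\n  <true/>\n</dict>\n"
    ),
}


def scan_sample() -> list[tuple[str, int, str]]:
    """Scan the embedded sample files (used when no paths are given)."""
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]


def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings += scan_text(path, fh.read())
    return findings


def main(argv: list[str]) -> int:
    """CI entry point: a non-zero exit code fails the pipeline on any finding."""
    findings = scan_paths(argv) if argv else scan_sample()
    for path, line, rule in findings:
        print(f"{path}:{line}: {rule}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a pipeline you would run it over the changed files only, for example `python scan.py $(git diff --name-only origin/main...)`, so that the check stays fast and findings are attributed to the pull request that introduced them. The entropy gate is what keeps the `changeme_changeme` placeholder out of the report while still catching the key-shaped value on the line above it; the price is that short or low-entropy real secrets slip through, so pair it with explicit pattern rules for the key formats you actually use, and grow the dangerous-function list from the OWASP mobile risks mentioned below.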
At Uber, we had a separate mobile security training curriculum that included OWASP mobile security risks and MASVS (Mobile Application Security Verification Standard).
You are reading an early draft from the book Building Mobile Apps at Scale. For the final, expanded and improved content, grab the book now - it's free to download as a PDF until 31 May.