App Security and Data Privacy – A Guide for Businesses


The recent controversy surrounding TikTok shows that digital security is becoming an increasingly prominent concern at every level of society. One of the most influential and widely downloaded apps on the planet, TikTok boasts more than 1.2 billion monthly active users and generated $4.6 billion of revenue in 2021 (BusinessofApps). 

It achieved this despite significant controversy and concerns that the app collects excessive amounts of personal data and is being used as a surveillance tool by the Chinese government (Guardian). As tensions between China and the US escalate, the Federal Communications Commission even called for Apple and Google to remove TikTok from their app stores (9to5Mac). Though we’re yet to see how the two tech giants respond, this case demonstrates how tightly interwoven individual, commercial and governmental digital security concerns have become.

With this in mind, we’ve created a quick guide to app security and data security for businesses interested in keeping their users safe and their reputation for trustworthiness intact.

Understanding your obligations


App developers must understand their legal and regulatory obligations when creating commercial apps. In the UK, two principal pieces of legislation dictate developers’ responsibilities. They are:

  1. UK-GDPR – Essentially the same framework as the GDPR legislation introduced by the EU. However, unlike the original EU-wide GDPR, the UK government has the exclusive right to update and alter the contents. The UK-GDPR defines personal data and establishes who data processors and data controllers are. It also lays out key security standards, such as data minimisation, and details how organisations should protect user data.
  2. Data Protection Act 2018 – The Data Protection Act 2018 sits alongside the UK-GDPR and was implemented to complement the original GDPR framework. When the EU introduced GDPR, there was some scope for regional variation. For instance, countries could define their own age ranges for children and adults. The Data Protection Act 2018 enshrined GDPR in UK law but also detailed the UK-specific rules.

Personal data is your primary concern

For app developers and owners, how you collect, process, store, retrieve and dispose of personal data is your biggest security concern. The vast majority of data protection legislation concerns itself with personal data. The Data Protection Act 2018 defines personal data as 

“data which relate to a living individual who can be identified – 

1. from those data or

2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”

Data Protection Act 2018

Vitally, personal data isn’t restricted to information that relates to the individual directly. Instead, it’s any data that you can use to identify an individual. For instance, you could class a device identification number (IMEI) as personal data. Data that only identifies a user when combined with other fragments of data is also considered personal data.

Though they are important, the technical aspects of the legal frameworks surrounding data privacy are extremely complex and a deep dive requires far more space than we have here, so let’s turn to practical security measures in app development.

Understand your data infrastructure


App developers and businesses need to understand how their apps and supporting systems collect and process data if they’re to comply with legislation and protect their users.

This means mapping data infrastructure and working out how that data is communicated, where it’s stored and who has access. Likewise, businesses must establish which individual is responsible for the data through the entire lifecycle. They are your data controller.

Knowing what data you need

One of the tenets of the UK-GDPR framework is data minimisation. Data minimisation is the idea that apps and businesses should only collect as much data as they need. They should not harvest personal data irrelevant to the service they offer or the core functionality of their app. Consequently, it’s good practice for businesses and app developers to only collect personal data they deem absolutely essential.
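One way to enforce data minimisation at the point of collection is a per-purpose allow-list applied before anything is stored. The sketch below is an added example, not code from the original article; the purposes, field names and sample payload are constructed for illustration.

```python
# Added illustration: field names, purposes and the sample payload are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Purpose:
    reason: str        # why the data is needed, in plain language
    fields: frozenset  # the only fields this purpose may collect


PURPOSES = {
    "account": Purpose("Create and sign in to your account",
                       frozenset({"email", "display_name"})),
    "delivery": Purpose("Send orders to your address",
                        frozenset({"email", "postcode"})),
}

# Fields that identify a person or device, alone or combined with other data
# (the article's example: an IMEI counts as personal data).
IDENTIFYING = frozenset({"email", "display_name", "postcode", "imei",
                         "advertising_id", "precise_location"})


def minimise(payload: dict, purpose: str) -> tuple[dict, list[str]]:
    """Keep only the fields the named purpose needs.

    Returns (record_to_store, refused_identifiers). An unknown purpose is
    rejected outright: no documented purpose, no collection.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"no documented purpose: {purpose!r}")
    allowed = PURPOSES[purpose].fields
    kept = {k: v for k, v in payload.items() if k in allowed}
    # Report identifying fields the client sent but the purpose did not need,
    # so the over-collecting client build can be found and fixed.
    refused = sorted(k for k in payload
                     if k not in allowed and k in IDENTIFYING)
    return kept, refused


SAMPLE = {  # constructed sign-up request from a hypothetical mobile client
    "email": "user@example.com",
    "display_name": "Sam",
    "imei": "000000000000000",
    "precise_location": "51.5,-0.12",
    "app_theme": "dark",
}

if __name__ == "__main__":
    print(minimise(SAMPLE, "account"))
```

Logging the refused identifiers, rather than silently dropping them, gives you a record of which clients are sending more than the service needs.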

Control access to data


According to Verizon’s 2022 Data Breach Investigations Report, the human element accounted for 82% of security breaches in 2021.

The human element includes lost and stolen passwords, successful phishing attempts and simple employee errors. One of the main ways of combating this is by controlling employee access to data and ensuring only those who require access have it. Tailored access permissions are extremely useful in this respect.

Secure communication and encryption

If data is being communicated or stored for use at a later time, encryption is a sensible security precaution. When data is in transit, SSL/TLS encryption ensures secure communication and is particularly important when communicating sensitive data, such as usernames, passwords and unique IDs. Storage encryption is also essential and should be tailored to match the degree of sensitivity. The more sensitive the data is, the more complex your security should be and the more you should invest in protecting it. 

Transparency is key


Developers and businesses must also consider how they inform users of their data collection processes and request their consent.

While users are accustomed to clicking through large, complex privacy policies on their desktops, the small screens on most mobile devices mean these types of documents aren’t suited to apps.

Instead, developers should think about intuitive ways to present the information that also reflect the limitations of mobile devices.

This may mean putting privacy information in the app store or using a layered approach that summarises the key points and allows the user to expand each if they want or require greater detail.

Additionally, make sure you’re fully transparent about what information you’re collecting and be specific on why you need it.

App security is a growing concern

As the current situation with TikTok illustrates, app security is at the forefront of the minds of tech experts, business owners and politicians, which means it’s a big concern for developers, too. While there are plenty of small things you can do to improve app security and data protection, the biggest impact comes from a fundamental change in mentality and approach.

By this, we mean apps need to be built securely from the ground up, with data protection practices engrained at every level. Digital security can’t be an afterthought or something that’s tagged on at the end. For a truly secure and safe app, security concerns and practices must permeate every aspect of design, implementation and long-term use.