With mobile phones accounting for over 60% of traffic in 2022, launching a mobile app in South America will be an astute decision. The future lies with smartphones and tablets, making it essential to move beyond traditional desktop solutions.
But, did you know-
In the first half of 2022, 10,666 ransomware signatures were found in Latin America, as against 5,400 in the last half of 2021.
With this increasing number of ransomware attacks all over the South American continent, governments have imposed strict policies that data controllers and processors must comply with to protect personal information. Hence, it is prudent that you take note of these regulations.
This blog talks about the two most important questions - what and how:
We have listed some of the critical aspects of South America's prevalent data protection regulations you must take care of while building and launching your application.
We have also curated a mobile app security checklist to help you launch a secure mobile application in South America.
But first, let's see why it is necessary to create a secure application.
Consequences if Your Mobile App is Not Secure
Sensitive Data Exposure
Data theft happens when a hacker gains unauthorized access to your application and steals the stored data. Hackers have also been observed selling confidential business information, trade secrets, and customer information, including banking information, residential address, etc., on the dark web.
Degradation of Brand Goodwill
There have been cases in the past, like the leak of 4.5 million medical records in the US. When the news of a hack comes out, the victim companies suffer immensely on the front of reputation, trust, goodwill, and integrity.
Along with the loss of reputation, companies also suffer customer backlash. While existing customers look for different alternatives, onboarding new customers is difficult.
If your app is not secured, hackers can clone it by reverse engineering and make some or all of the premium features available for free; ultimately making your revenue go downhill.
Secondly, these hackers can get control of your client's financial information and tamper with bank transactions to their advantage. If you are a banking company, attacks like these due to poor authentication can disrupt your business beyond measure.
Additionally, in the case of cyberattacks like Ransomware, the hackers might ask for a massive ransom for not disclosing the data publicly on the dark web, which will mean a significant cash outflow.
If your client's data is lost in an attack, they will likely sue you for reputational and financial injunctions. These mammoth lawsuits are bad for your business operations and will dry up the efficiency.
Furthermore, various governments in South America are clear about how you collect, utilize, store, and protect users' data, failing which, you'll be attracting legal proceedings and penalties.
Data Protection Law in South America
Out of the 14 countries in the South American continent, 8 countries have enacted data protection laws. For instance, Lei Geral Dae Proteção de Dados Pessoais (LGPD) in Brazil, Protection of Private Life (Law No. 19.628 of 1999) in Chile, Personal Credit Data Protection Law or Credit Data Law in Paraguay, Ley de Protección de Datos Personales y Acción de Habeas Data (Law No. 18.331) in Uruguay, etc.
Here are a few general guidelines governing the collection and storage of users' personal information -
Explicit Consent: The data should be obtained and processed only after obtaining the user's clear, specific, informed consent.
Transfer of Data: Any transfer of user information, whether locally or internationally, should be made only after communicating the same to the data subject and obtaining explicit consent. Furthermore, consent should be allowed to be subsequently retrieved if the data subject so desires.
Security: All information stored or in transit should be safeguarded and not be utilized for any purpose other than for the data subject's consent.
Breach Notification: In case of any breach, the controller must inform the concerned authority within a reasonable timeframe stating the details of the breach, including the nature of the data affected, the data subjects involved, the risk posed by the incidents, and steps taken to address the breach.
On the other hand, Countries, including Bolivia, Venezuela, etc., that don't have a data protection law in place value privacy as a fundamental right. The concept of Habeas data, i.e., the right of individuals to access, rectify, update, and delete personal data collected and stored by third parties, holds a special significance in the region.
Security Checklist to Launch a Mobile App (iOS and Android) in South America
Incorporating the following mobile app security checklist in South America before you launch your Android or iOS apps will help you ensure mobile app security and prevalent Data Protection Laws:
Ensure Code Obfuscation
It implies creating an application code that is difficult for hackers to comprehend. The obfuscators automatically convert the programming code created by developers into a format that humans can not understand. It is done to prevent hackers from reverse engineering the code and ultimately prevent data loss.
Code obfuscation includes:
- Encrypting a part of or entire code per se
- Hiding metadata which may reveal the libraries or APIs used
- Relabeling variables and classes so that they cannot be guessed
Reduce Application Permissions
Permissions and privileges indeed give applications the fluidity to operate more effectively. However, it is also true that they make your app more vulnerable to hackers' attacks. Hence, configure your application so it doesn't seek permissions beyond its functional area.
An effective way to achieve this is to develop new libraries that seek restricted permission instead of recycling existing ones. Similarly, the application should not ask for privileges it does not require, for instance, to make calls, access location, etc.
Ensure Authentication Between Client-Server
Though server authentication is not mandatory in SSL/TLS protocols, observing it will protect your servers from attackers spoofing it.
Additionally, your app should never store or modify passwords on its own; instead, resort to storing them on the secure facilities provided by iOS. Avoid sharing unencrypted passwords over a network connection. Lastly, use robust password policies, including password strength, expiration, limit number of characters, etc.
Strategic Installation and Loading
Avoid using custom install scripts and installing components in /Library/StartupItems or /System/Library/Extensions. These programs must be carefully checked for security vulnerabilities because the code installed into these directories operates with root permissions.
An efficient way to ensure safe loading is to take libraries and plug-ins from secure locations. If you fail to do so, an attacker might fool the user into downloading faulty and malicious code, which your application might then load and execute.
Periodic Security Testing
Given the stringent data protection regulations in the South American continent, you should ensure that your app is secure and protects your customers' information. In furtherance, it is essential to test your security application frequently.
Further, periodic Penetration Testing and Vulnerability Assessment is the best defense mechanism to ensure the security of South America's mobile app.
What is Penetration Testing?
Penetration testing is an intentional attack on applications, simulated by professional pentesters, to identify security flaws. The objective is to locate and point out vulnerabilities in the security architecture of your application that unauthorized users and hackers could exploit. Pentesters also suggest mitigation strategies to tackle those vulnerabilities before the hacker can exploit them.
What is Vulnerability Assessment?
Despite adhering to a robust security checklist, your application might have a few commonly known vulnerabilities, such as weak authentication, cryptographic failures, SQL injection, outdated components, etc.
Vulnerability Assessment is a systematic testing process that identifies these vulnerabilities using automated testing tools like web application scanners, protocol scanners, network security scanners, etc.
While identification is the primary step, the ultimate objective is to classify and prioritize these vulnerabilities based on the severity level. The process also involves a remediation guideline that helps businesses with optimum resource allocation to prevent security attacks.
How to Choose the Best Pen Testers in South America?
Having established the importance of pentesting, the real question is choosing the best pen tester in South America. Considering the following pointers can help you pick the best fit.
Evaluate PEER (Profile, Expertise, Experience & Review )
Your pentester will have access to sensitive data; hence, it is mandatory to ensure they are trustworthy and won't misuse your data. Evaluating their profile and customer reviews could come in handy to establish the same.
Secondly, comparing the experience and expertise of all the potential pentesters you are considering would give you a preliminary clarification about their knowledge and delivery module. This will ultimately let you choose the one whose methodologies align the most with your requirements.
Check Certifications and Testing Methodology
Ensure your pentester has the desired skills and ability to conduct an efficient pen test. To do so, check whether they have top industry-recognized certifications such as CEH, GWAPT, GPEN, SANS GXPN, and OSCP.
You want a pen testing vendor that uses new-age technology, is proficient with all the latest updates, and has robust processes. This will ensure that your testing is conducted effectively and efficiently without any hindrance.
Ensure Data Security
Since private and sensitive data is involved here, ensure your pentesting vendor has a robust data policy to safeguard the data before, during, and after the test. Ask them data security-related questions such as -
- How will the data be stored and deleted?
- How will the data be transferred?
- What will be the period for which it will be stored?
Check Reporting Capabilities
Ask the pen testers you are reviewing about the attributes they will include in the final report. Also, ask for sample penetration reports and check if it contains a detailed list of security threats, an overall vulnerability landscape, and detailed steps to mitigate them.
Additionally, check that the report is an apt mix of technical jargon for those requiring comprehensive information and accessible language for non-technical people.
How to Choose the Best VA Solution Provider in South America?
Give Priority to Experience & Deliverables
If you want a good return on investment, choose a Vulnerability Assessment Partner with immense industry experience, employs relevant use cases, and delivers minimal false positives.
It is also essential to understand the complete scope of testing. It shouldn't be just about the list of scanning tools; your VA partner must communicate a clear and chronological framework of the steps they will execute and the deliverables you'll get.
Bonus Tip: Choose a VA that offers comprehensive testing capabilities and a detailed report based on the CVSS score, including the assets affected, types of probable attacks, the period for which a vulnerability stayed unpatched, and the availability of the patch.
Look out for Comprehensive Testing
The underlying objective of a VA is to scrutinize the application entirely and identify any hidden vulnerability. Hence, choose a VA partner who provides the following service suite-
- Fully automated Static Tests (SAST) to incorporate security framework into existing SDLC processes and improve the app's time-to-market.
- Fully automated Dynamic Tests (DAST) using test cases to highlight vulnerabilities.
- Dynamic API Testing to scan components interacting with your server and secure all vulnerable endpoints.
Rely on Credentials and Experience
Assess and vet credentials and experience in the relevant industry. The vendor you select should have a team of qualified and proficient testers with a record of conducting an efficient Vulnerability Assessment.
They should be able to assess various types of systems and networks, including cloud, on-premises, and hybrid environments. They should also be able to identify configuration issues in all tools used for IaaS, PaaS, or SaaS.
Evaluate the Reporting and Compliance Structure
More than just identifying the vulnerabilities won't solve the purpose; your VA partner should also suggest a remediation strategy by prioritizing the vulnerabilities based on severity.
Furthermore, the vendor should perform the testing within relevant legal and regulatory compliance guidelines.
As an app developer, it's crucial to be proactive about security. This Android and iOS App Security Checklist makes that easy - providing the framework for comprehensive testing. However, to avoid getting into the nitty-gritty, you can choose Lugapel or Shield Force for securing your mobile apps in South America.
Lugapel ensures that businesses are safeguarded against cyber threats with the best-in-class cybersecurity services. Their attentive approach enables companies to build secure development capabilities and guarantee safety from malicious attacks.
Shield Force stands out as Mexico's premier provider of comprehensive cybersecurity services, driven by a customer service-oriented culture and staffed with certified professionals who bring years of expertise based on international standards and industry best practices.
Creating a secure mobile application for South America requires complete dedication to innovation, attractive UX/UI design, and comprehensive testing. Security should be at the heart of your Software Development Lifecycle (SDLC), as cybercrime in this region is particularly serious - leaving no room for any risk-taking or compromises regarding safety measures.
By adhering strictly to the mobile app security guidelines, you can guarantee that your users can access only the best quality products and services.