A good thing about tech start-ups is how quickly they are able to learn from their mistakes. Just weeks ago Snapchat, a popular photo messaging application founded by two Stanford University students, was hacked and details of more than four million user accounts were leaked online. Hackers claimed their motivation was to raise awareness of the vulnerabilities of the app. In response, two weeks later the company introduced a new way of verifying user accounts, in a bid to prevent hackers from recreating their stunt. While this was certainly a step in the right direction, this new feature has already been breached by a security researcher, thus highlighting an important lesson around app security for all start-ups.
It remains true that most start-up companies have a modest start. They are understaffed and with small budgets, but have a really great idea. Their main focus is to use the limited staff and resources available to do everything possible to make their dream a reality. Unfortunately, this most often means that proper security testing of their application falls to the side as a non-critical task. This is a serious problem, as most app vulnerabilities are best addressed at the development stage. Once an app is in operation, it becomes very difficult to mitigate lack of appropriate security measures, as we've just learnt from Snapchat.
Often, a lot of the vulnerabilities lay in the types of permissions requested by an app, which are decided during the development stage. The trouble with the permission systems is that many permissions are rather broad in scope – for example almost every app nowadays requires access to the Internet. In the case of Snapchat specifically, the app doesn't have an unusual number of permissions, but the way data is accessed and transmitted is what makes it so insecure. There are also other considerations – start-ups who design apps for iOS rarely come across this type of problem because Apple has a very thorough app review process, which includes code review for potential flaws. While great for security, it seriously slows the release of new iOS apps. Android on the other hand, has no formal review process, which is good for fast releases but less secure, as the responsibility for the security of apps falls on developers.
Although today's computer science degrees already put a strong emphasis on security in programming, humans are still prone to error despite their best attempts at designing and writing secure applications. Although start-ups are generally on a very tight budget, in today's security environment, stress testing new applications for security flaws needs to be part of the development cycle. It doesn't need to be expensive, as there are a number of tools available which analyse code looking for common vulnerabilities, but it does require a change in approach. Start-ups need to start putting security at the heart of their operation – or be prepared to face the consequences that cost Snapchat so dearly.