GDPR Compliance for Mobile Apps
Many mobile apps handle PII (Personally Identifiable Information), which can be as simple as a person's name, phone number and address, or as complex as their fingerprint details captured via the mobile device and the app running on it. The GDPR (General Data Protection Regulation) mandates that the security of such data must be ensured. This article brings clarity on all the points that should be considered to make an Android or iOS mobile application compliant with GDPR standards.
It's a myth that mobile apps do not need to comply with GDPR. They most certainly do.
GDPR does not have specific guidelines for mobile or web apps. However, the following technical and design concepts should be taken into consideration.
1. Data In Transit Security – In almost all cases the mobile app makes calls to a backend server in order to fetch or store data. This backend can be either a hosted server or a cloud-based service. While connected to the backend services, the mobile app is supposed to ensure the security of the data channel. Typically HTTPS (HTTP over SSL/TLS) is used for this, but the new generation of apps is encouraged to consider additional encryption on top of the existing SSL/TLS channel. As with data at rest encryption, the strength of the encryption used here must also be checked.
2. Data At Rest Security – When a mobile app is handling or processing PII, it is important to check whether or not the information is being stored on the mobile device. If it is, then it is important to ensure that the information is stored securely. This boils down to encrypting the data and using an adequate level of encryption. Data at rest security is very important in GDPR compliance because most attacks tend to originate from it. There are different ways to store and encrypt the information kept on the device, and they differ between the Android and iOS platforms. Furthermore, using mobile software development frameworks complicates the task of securing data at rest.
3. Data At Still Security – It's very important to understand that the data remains stored and available on the mobile device even when the application is not running. Checking the security of the data in that state is also important for Android and iOS applications.
4. Security by design – While a vulnerability assessment and penetration test of the mobile app is imperative for ensuring security, GDPR expects the entire design of the mobile app to take data security into account. This means that all the technical components which form the business ecosystem around that mobile app need to consider security. A careful architecture review of the design from an information security standpoint, and detailed threat modelling, are expected to be carried out.
5. Tamper detection – Many mobile apps (especially on the Android platform) are found to be susceptible to running on devices that are not in a secure state, even before the application is installed and run. In technical terms, this is called rooting (Android) or jailbreaking (iOS) the phone. Thus the responsibility lies with the mobile app developer to ensure that their app detects such a compromised state of the device before the app installs and runs.
There are multiple technical tests that need to be performed to achieve each of the items mentioned above. A VAPT (vulnerability assessment and penetration test) of the mobile app is recommended along with the above items to get it GDPR compliant. Since new vulnerabilities, attack patterns and platform changes (Android and iOS) appear every day, it is recommended to make such a compliance check a periodic activity.