Is it required for an app developer to know information security?

Question

So I've been an indie apps developer for 2 years (I launched my first Android app at the end of 2017), and I've built few apps since then, but all of them were simple apps.

Currently I'm planning my next project, and in this next app the user will store sensitive data in the app (It'll be a Calendar App), and I'm planning on storing the data outside user's device (I'll probably use one of Firebase's services) for backup purposes, and to sync data between different devices, so I'll need to encrypt and secure the data.

So I've been wondering is it required of an app developer to learn information security (I literally don't have any experience or knowledge about information security) or it'll be enough to use libraries made by other people for encryption purposes?

Answer 1

You need to understand basic security concepts. But you do not have to be an expert.

Where possible, using existing libraries is vastly preferable. Especially things like encryption are impossible to get right for us “mere mortals” and even the experts occasionally make very dumb mistakes.

However, you need to know when and where to apply existing security techniques. Things like: where does encrypt make sense? How do I have to perform authentication? It can help to know common classes of vulnerabilities. Here, a look at the OWASP Top Ten list for Web and Mobile (outdated) can be helpful.

You may be subject to regulatory security requirements such as the GDPR. Under the GDPR, the “data controller” must apply appropriate security measures, taking into account the state of the art. But knowing which measures are appropriate and which are state of the art requires a basic knowledge.

Occasionally there is news about a company that was fined for a data breach, but that is misleading: they are never fined for the breach itself. However, those companies often failed to apply appropriate safety measures.

Even in countries without such requirements, an app provider may be liable when a data breach causes economic damage to users (compare Equifax in the US). Knowing and applying security is then a liability management strategy.

Answer 2

Required? No. There's no licensing for app developers after all. Prudent? Absolutely.

And bear in mind that while the heavy lift of, e.g, implementing an encryption library, has been done by experts you still have many crucial choices to make. Stream or block cipher? Pre-shared keys, Diffie-Hellman, or PKI? How will you ensure data availability across devices? Etc, etc, etc.

Mess up your security architecture -- your app's ability to ensure data confidentiality, integrity, and availability -- and it won't necessarily matter if you've used the best crypto libraries.

There are tons of information assurance/InfoSec/cybersecurity courses and resources available online -- Coursera, edX, MIT, and plenty of others.

Answer 3

While the "heavy lifting" of constructing a crypto algorithm infrastructure might have been done by the people who work at agencies with three-letter names, it is absolutely crucial that you use them in exactly the right way. Otherwise you might believe that your system is secure when it is not.

The Germans thought that Enigma was secure when it was not, and the biggest reason why it was not secure was a combination of user error in the U-Boats and flawed network design at headquarters.

The essential principles of information security are well-described and not particularly difficult to understand. But they are subtle.

---

You should never attempt to "roll your own" process ... a thing which is very rightly derided as "snake oil." You should use a recent, off-the-shelf, peer-reviewed subsystem and use it exactly as its designers intended and specified.

Remember that there is never "security by obscurity." You must presume that "Eve" knows everything about the system that "Bob" and "Alice" are using.

The various books that discuss "PCI Compliance" are excellent sources. Likewise "HIPAA Compliance." For any system with serious information security requirements, you should pay for experts to conduct peer review of your implementation.

Answer 4

... in this next app the user will store sensitive data in the app ...

storing the data outside user's device ...

I'll need to encrypt and secure the data.

is it required of an app developer to learn information security?

Short answer: Hell yes!

This posting may be focused primarily on Web Development, but most of the topics listed are common across the software world.

Obligatory XKCD reference: Exploits of a Mom