
Mobile Payments Security: Seven Things to Make Users Happy and Let You Sleep At Night

By Andrew Gauvin and Iurii Oliiar, Freeport Metrics

If your business sells anything online, payment is central to your company’s success. A web security strategy alone is no longer enough; the following seven factors should shape how you secure a mobile payment app.

1. Invest in Native Mobile Not Just for Better UX, but Also for the Best Security

Businesses have spent countless dollars and hours building security into their web-based ecommerce solutions. Many are tempted to skip retraining and retooling and simply ship a mobile-optimized version of the site. But there is a world of difference between a native mobile payment application and a mobile-optimized website.

Native mobile applications get platform protections that a mobile website does not. A desktop application typically runs with the full privileges of the logged-in user, so it can read the keyboard, the filesystem and other programs’ data. An app installed from the App Store or Google Play runs in a per-app sandbox, reaches the camera, contacts or location only through permissions the user explicitly grants, and can keep keys in hardware-backed storage (the iOS Keychain and Secure Enclave, the Android Keystore). The stores also review submissions against their security guidelines, so Apple and Google carry a meaningful part of the security load. That is a head start, not a substitute for your own work: the sandbox protects the device from your app more than it protects your app from a rooted device or a malicious user.

2. Rely on the Platform for Your Payments

You can also let the platform handle the payment itself. Two different things are on offer, and they are priced differently. In-app purchases of digital content go through the App Store or Google Play, which take a commission on each sale (the standard rate has long been 30%, with reduced rates for subscriptions and smaller developers), whereas a card network or acquirer charges a few percent. For physical goods and services, Apple Pay and Google Pay act as a payment method: the platform tokenizes the card, the user authorizes with Touch ID, Face ID or the device lock, and your payment processor charges its normal rate. The store rules generally require the first route for digital content and the second for physical goods. Either way users love the experience, since they tap “buy now” and confirm with a thumb or a face, and your app never handles a raw card number, which keeps much of your system out of PCI DSS scope. Trading some margin for a superior customer experience and significantly better security can be worth it, and the investment pays off over time. Integration and maintenance costs are also lower up front, which suits an early minimum viable product (MVP) launch. One caveat: treat the purchase confirmation the device hands your app as untrusted. Verify receipts or purchase tokens on your own server against Apple’s and Google’s validation services before unlocking anything, because a rooted or jailbroken device can forge the client-side callback.

3. Explore Mobile Encryption Methods

Every time you ask a user to type in a credit card, Social Security or driver’s license number, you create sensitive data on the device (and usually on your servers) that you now have to protect. The cheapest data to protect is data you never collect, so ask whether you need the raw value at all. A payment provider can tokenize the card so your app stores only a token that is useless outside that provider, and the platform’s biometric prompt (Touch ID, Face ID, Android BiometricPrompt) can gate access to that token so the user never re-enters the number. Do not reach for workarounds such as keeping photos of cards on the device: an image of a card is cardholder data whether or not it is encrypted, and it carries the same obligations as the typed number.

4. Store Sensitive Information Securely

If you must store sensitive information, put it in the platform’s protected storage (the iOS Keychain, ideally backed by the Secure Enclave, or the Android Keystore) rather than in preferences, plain files or logs. For data that only needs to live in memory while a transaction is processed, clean it up as soon as processing finishes. Freeing memory does not erase it; overwrite the buffer explicitly. That means holding secrets in mutable byte or char arrays you can zero, not in immutable String objects, which cannot be wiped and stay in the heap until the garbage collector gets to them.

For an additional layer on top of the platform storage, encrypt the data yourself before writing it: AES in an authenticated mode such as AES-GCM for the data itself, and a public-key algorithm such as RSA or ECDH only for wrapping or exchanging the symmetric key. For one-way verification (checking a value without being able to recover it), use a current hash such as SHA-256. SHA-1 is deprecated and has known collision attacks, so it has no place in a new design, and for PINs or passwords use a slow, salted key-derivation function (PBKDF2, scrypt or Argon2) rather than a bare hash. Where keys cannot be kept in hardware, white-box cryptography (folding the key into the permutations of the code itself) raises the effort an attacker who controls the device must spend, but it is obfuscation rather than a hardware boundary: plan on it slowing key extraction, not preventing it.

5. Safely Transfer Data

Completed transaction data must be passed to the payment gateway. Add protection on top of the transport itself. Certificate pinning makes the app accept only your gateway’s certificate or public key, so an attacker who obtains a different but validly issued certificate, or who has installed a root CA on the device, cannot sit in the middle of the connection; it does not tell you anything about whether the gateway itself is compromised. Pin deliberately, with a rotation plan and a backup pin, or a routine certificate renewal turns into an outage. On the mobile side, defeat replay attacks (a captured request submitted a second time) by putting a single-use nonce and a timestamp in every request and covering both with the request’s signature; the gateway rejects any nonce it has already seen and any timestamp outside a short acceptance window.

To detect data being altered or extra fields being appended in transit, add an integrity check: an HMAC (for example HMAC-SHA256 over the entire message) or an authenticated encryption mode such as AES-GCM, with the tag compared in constant time. Note that CBC is a confidentiality mode only and provides no integrity; a CBC ciphertext can be modified or extended without the receiver noticing. And finally, to slow down reverse engineering of your code logic, use a code obfuscator, bearing in mind that obfuscation delays a determined attacker rather than stopping one, so never rely on it to hide keys or secrets.
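The replay and integrity checks described above, as an added example that is not code from the original article or from Freeport Metrics. It shows both sides: the app signs each request with a fresh nonce, a timestamp and an HMAC-SHA256, and the gateway verifies the MAC in constant time, enforces a freshness window and rejects nonces it has already seen. It is written in Go so it runs stand-alone; the shared key, the two-minute window and the request bodies are constructed assumptions, and in practice the key would be provisioned per device at enrolment rather than embedded in the binary.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// SignedRequest is what the app sends to the gateway, inside the TLS tunnel.
type SignedRequest struct {
	Nonce     string // random, single-use value
	Timestamp int64  // Unix seconds at signing time
	Body      string // transaction payload, e.g. JSON
	MAC       string // hex HMAC-SHA256 over nonce, timestamp and body
}

// mac length-prefixes each field so that moving bytes between fields, or
// appending to the body, always changes the input to the HMAC.
func mac(key []byte, nonce string, ts int64, body string) string {
	m := hmac.New(sha256.New, key)
	for _, f := range []string{nonce, strconv.FormatInt(ts, 10), body} {
		m.Write([]byte(strconv.Itoa(len(f)) + ":" + f))
	}
	return hex.EncodeToString(m.Sum(nil))
}

// Sign is the client side: fresh nonce, current time, MAC over everything.
func Sign(key []byte, body string, now time.Time) (SignedRequest, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return SignedRequest{}, err
	}
	r := SignedRequest{Nonce: hex.EncodeToString(n), Timestamp: now.Unix(), Body: body}
	r.MAC = mac(key, r.Nonce, r.Timestamp, r.Body)
	return r, nil
}

var (
	ErrBadMAC = errors.New("invalid signature")
	ErrStale  = errors.New("timestamp outside acceptance window")
	ErrReplay = errors.New("nonce already used")
)

// Verifier is the gateway side. Nonces are kept only for the length of the
// acceptance window, which keeps the replay set bounded.
type Verifier struct {
	key    []byte
	window int64 // seconds
	mu     sync.Mutex
	seen   map[string]int64 // nonce -> timestamp it arrived with
}

func NewVerifier(key []byte, window time.Duration) *Verifier {
	return &Verifier{key: key, window: int64(window.Seconds()), seen: map[string]int64{}}
}

// Verify checks integrity first, then freshness, then uniqueness.
func (v *Verifier) Verify(r SignedRequest, now time.Time) error {
	want := mac(v.key, r.Nonce, r.Timestamp, r.Body)
	if !hmac.Equal([]byte(r.MAC), []byte(want)) { // constant-time compare
		return ErrBadMAC
	}
	age := now.Unix() - r.Timestamp
	if age > v.window || age < -v.window {
		return ErrStale
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for n, ts := range v.seen { // forget nonces too old to pass the stale check
		if now.Unix()-ts > v.window {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[r.Nonce]; dup {
		return ErrReplay
	}
	v.seen[r.Nonce] = r.Timestamp
	return nil
}

func main() {
	key := []byte("constructed-per-device-shared-secret") // assumption: provisioned at enrolment
	v := NewVerifier(key, 2*time.Minute)
	now := time.Now()
	req, _ := Sign(key, `{"amount":1999,"currency":"USD"}`, now)
	fmt.Println("first:   ", v.Verify(req, now)) // <nil>
	fmt.Println("replay:  ", v.Verify(req, now)) // nonce already used
	tampered := req
	tampered.Body += `,"refund":true` // appended data without re-signing
	fmt.Println("appended:", v.Verify(tampered, now)) // invalid signature
	old, _ := Sign(key, req.Body, now.Add(-10*time.Minute))
	fmt.Println("stale:   ", v.Verify(old, now)) // timestamp outside acceptance window
}
```

The order of checks matters: the MAC is verified before anything is read from the request, so an unauthenticated sender cannot probe the replay cache or the clock window. In a multi-instance gateway the `seen` map would live in a shared store with the same window-based expiry.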

6. Invest in Penetration Testing

Once your mobile application is ready, hire someone other than your developers to test it. Make sure it is a team or company well versed in mobile security; deep expertise in web-based banking applications alone is not enough, because a native app exposes a different attack surface (local storage, inter-process communication, reverse engineering of the binary, rooted or jailbroken devices). A useful benchmark for scoping the engagement is the OWASP Mobile Application Security Testing Guide. Find and fix issues before they reach production, and re-test after significant changes rather than treating the first report as permanent. Consider dedicating part of your budget to a bug bounty program to surface issues in the production environment that the scoped test missed.

7. Balance Risks Against Regulations

While everything in this article urges you to implement tight security controls, when you build your own checklist think pragmatically through the security risks of your specific app; don’t just tick boxes for regulatory reasons. Match the level of security to the business function you are protecting, and don’t get distracted by deep theoretical flaws that do not apply to your case. Should your app worry about the OS itself being compromised, whether by users rooting it or by a future vulnerability in iOS or Android? The answer depends on what the app holds: one that keeps a payment token on the device has to consider a rooted phone, while one that only shows a catalog may not. Much of the “mobile security” content at technical conferences addresses these high-assurance concerns for the platform builders and may not be applicable to your app.

With planning and focus, you can combine UX improvements and security improvements on a native mobile app. Spending the time up front will help you avoid costly and reputation-busting security breaches while making users more excited to use your app. After all, security is not a side feature of your application, it is a core function. Invest in the people, planning, and testing that will make it pay off over time.

Andrew Gauvin is Founder and CEO of Freeport Metrics, and Iurii Oliiar is Senior Developer. Based in Portland, Maine and Warsaw, Poland, Freeport Metrics develops custom applications and software that helps clients solve challenges and bring ideas to life.


This post is from a series of posts in the group:

Fintech

Fintech discussions and conversations around the development of fintech.
