Options for app security

15th August 2019

Most of us use mobile devices in our day-to-day activities. Apps used on these devices often hold personal data for user convenience, functional operations, or even marketing purposes.  It is essential for organisations to ensure that any personal data they store is safe and secure.

Security is what organisations do or use to keep your data secure, including for their apps. It is initially considered during the design and development of an app, and should ensure an app is secure whenever the personal data made available to it is processed– this is a concept known as data protection by design, which is enshrined in law under the General Data Protection Regulation (GDPR). Data protection by design means integrating effective privacy-enhancing measures and safeguards supporting the principles of data protection, including security, into personal data processing projects such as apps, at an early stage and throughout the lifetime of the app and any related processing.

App security - authentication

Users can also take steps to ensure the personal data they have stored on or by an app is kept secure. There are a number of ways that an app can restrict use and access to its data, typically by needing to verify the identity (authenticate) of anyone using it. This is most commonly done by way of passwords that a user creates for the app or the service the app connects to.

Some apps, such as email apps, banking apps and social apps also allow for two or more steps for this identity verification.  Having two or more steps for identity verification means that following the password entry step, the app would then look for another proof of the user’s identity, which could come in the form of:

  • Codes sent by SMS,
  • Authenticator apps,
  • Smart cards.

Not all apps offer this multi-step identity verification and different apps can use it in different ways. So, it is important that you research if they are available and how the app lets you use them. Using multi-step identity verification can greatly increase the security of the data held by the app.

Another form of verification of identity that can be used is by biometric identity. This can take the form of:

  • facial recognition,
  • a fingerprint scan,
  • voice recognition, or
  • a retina scan.

However, as the use of biometric data itself raises serious data protection and privacy issues, and biometric data points cannot be reset (changing fingerprints/irises/faces is difficult), their use should only generally be optional and in conjunction with other reliable authentication methods. Controllers should also ensure that any use of biometric data is in line with the requirements of both Article 6 and Article 9 of the GDPR, regarding the lawfulness of processing special category personal data.

For more on data security for organisations, read our Guidance for Controllers on Data Security.