
3 Security Tips for Tracing App Developers

L. Brent Huston
Jun 16, 2020


Tracing apps are all the rage these days, and in my security research lab, I have looked at several of them and analyzed their design and operations. Here are three things I would want the developers of these apps to keep in mind if they build future apps like this or update their existing apps.

  1. Make sure the application uses certificate pinning when reporting data upstream. This control significantly reduces the risk of someone impersonating the upstream servers to intercept or tamper with the data the app sends to the centralized systems for analysis. Right now, few of the apps I saw took this precaution.
  2. If you’re going to use Bluetooth or any other localized protocol on the mobile device for data gathering, make sure you have adequately hardened your code against malformed input and protocol tampering. This is pretty much best practice for mobile application development (or most any kind of application development), but again, several of the apps I looked at were using localized protocols and seemed to be doing very little to secure those communications. Potentially, this exposes the entire device, or the app data itself, to compromise.
  3. Please make sure you are anonymizing any data sent in the clear, or better yet, encrypt the darn data! Again, this is appsec 101, but in my…
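Two of the three points above lend themselves to concrete code. The first block is an added example (not from the original post) of what point 1 looks like in practice: a TLS client that keeps normal chain and hostname validation and then additionally refuses the connection unless the server's leaf certificate matches a pin shipped with the app. It uses only the Python standard library; the host name and the two pin values are constructed placeholders, and a shipping app would carry the real SHA-256 of its current leaf (or SPKI) plus a backup pin so that certificate rotation does not brick the app. On Android the same effect is achieved with OkHttp's CertificatePinner or a Network Security Config pin-set; on iOS with a custom URLSession delegate.

```python
from __future__ import annotations

import hashlib
import socket
import ssl

# Constructed placeholders for a hypothetical upstream reporting host.
UPSTREAM_HOST = "report.example.invalid"
UPSTREAM_PORT = 443
PINNED_SHA256 = {
    # placeholder current pin: sha256 of the DER leaf certificate, hex
    "0000000000000000000000000000000000000000000000000000000000000000",
    # placeholder backup pin, for the next certificate before it goes live
    "1111111111111111111111111111111111111111111111111111111111111111",
}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set[str]) -> bool:
    """Fail closed: True only if the presented leaf matches one of the configured pins."""
    if not pins:
        return False  # an empty pin set would silently disable pinning
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def open_pinned_connection(host: str, port: int, pins: set[str],
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS connect with standard validation, then reject the peer unless its leaf is pinned."""
    ctx = ssl.create_default_context()  # still verifies the chain and the hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf = tls.getpeercert(binary_form=True)  # DER bytes of the server's leaf cert
        if leaf is None or not pin_matches(leaf, pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()  # never hand back a socket whose peer failed the pin check
        raise
    return tls


if __name__ == "__main__":
    # Against a real host this would either return a pinned socket or raise.
    try:
        sock = open_pinned_connection(UPSTREAM_HOST, UPSTREAM_PORT, PINNED_SHA256)
        sock.close()
    except (OSError, ssl.SSLError) as exc:
        print(f"upload refused: {exc}")
```

Pinning the whole leaf certificate is the simplest form; pinning the SubjectPublicKeyInfo hash instead survives re-issuance of the same key. Either way, the pin check runs after, not instead of, the regular certificate validation.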
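Points 2 and 3 are covered together in this second added example, also not code from the original post. It defines a hypothetical 19-byte Bluetooth advertisement layout (constructed for the example, not any real tracing protocol) and parses it strictly: fixed length, version check, length field cross-checked against the layout, and a plausibility bound on the transmit power, with every deviation rejected rather than guessed at. It then shows one way to avoid shipping raw identifiers upstream: the observed rolling identifier is replaced by an HMAC under a per-day key derived from a device secret, so the record that leaves the phone carries only a pseudonym and a coarse signal bucket. The device secret and the beacon bytes are constructed sample values. Keyed hashing limits what a leaked upload reveals; it does not replace TLS for the upload itself.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# Hypothetical beacon layout, constructed for this example:
#   version(1, must be 1) | id_len(1, must be 16) | rolling_id(16) | tx_power(1, signed dBm)
BEACON_VERSION = 1
ROLLING_ID_LEN = 16
BEACON_STRUCT = struct.Struct(">BB16sb")
BEACON_LEN = BEACON_STRUCT.size  # 19 bytes


@dataclass(frozen=True)
class Beacon:
    rolling_id: bytes
    tx_power_dbm: int


def parse_beacon(raw: bytes) -> Beacon:
    """Strictly parse one received advertisement; reject anything that deviates from the layout."""
    if not isinstance(raw, (bytes, bytearray)):
        raise ValueError("beacon must be bytes")
    if len(raw) != BEACON_LEN:  # no trailing data, no short reads
        raise ValueError(f"bad beacon length {len(raw)}, expected {BEACON_LEN}")
    version, id_len, rolling_id, tx_power = BEACON_STRUCT.unpack(raw)
    if version != BEACON_VERSION:
        raise ValueError(f"unsupported beacon version {version}")
    if id_len != ROLLING_ID_LEN:  # the sender's length field must agree with the fixed layout
        raise ValueError(f"length field {id_len} does not match layout")
    if not -40 <= tx_power <= 20:  # plausibility bound for a phone radio, in dBm
        raise ValueError(f"implausible tx power {tx_power} dBm")
    return Beacon(bytes(rolling_id), tx_power)


def is_valid_beacon(raw: bytes) -> bool:
    """Convenience wrapper: True if parse_beacon accepts the bytes."""
    try:
        parse_beacon(raw)
        return True
    except ValueError:
        return False


def derive_day_key(device_secret: bytes, day: str) -> bytes:
    """Per-day key, so pseudonyms cannot be linked across days without the device secret."""
    return hmac.new(device_secret, day.encode("ascii"), hashlib.sha256).digest()


def pseudonymize(rolling_id: bytes, day_key: bytes) -> str:
    """Keyed hash of the observed identifier; the raw identifier never leaves the device."""
    return hmac.new(day_key, rolling_id, hashlib.sha256).hexdigest()[:32]


def build_upload_record(beacon: Beacon, rssi: int, day: str, device_secret: bytes) -> dict:
    """Minimised record for the upstream server: pseudonym plus a coarse distance bucket."""
    day_key = derive_day_key(device_secret, day)
    path_loss_db = beacon.tx_power_dbm - rssi  # larger loss means farther away
    return {
        "day": day,
        "contact": pseudonymize(beacon.rolling_id, day_key),
        "signal": "near" if path_loss_db < 60 else "far",  # bucketed, raw RSSI is not sent
    }


if __name__ == "__main__":
    # Constructed sample: version 1, id_len 16, rolling id 00..0f, tx power -8 dBm (0xF8).
    sample = bytes([1, 16]) + bytes(range(16)) + bytes([0xF8])
    beacon = parse_beacon(sample)
    print(build_upload_record(beacon, rssi=-70, day="2020-06-16",
                              device_secret=b"constructed-device-secret"))
```

The parser deliberately has no "best effort" path: a beacon that is one byte too long, claims a different identifier length, or reports an impossible transmit power is dropped, which is the cheap way to keep a hostile advertiser from steering code that assumes the layout. The upload record never contains the rolling identifier or the raw RSSI, only values the analysis actually needs.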
