Future Generali Life Insurance's 9 practices for enhancing app security:
1. Writing secure code: Bugs and vulnerabilities in code are the starting point most attackers use to break into an application. Attackers will try to reverse engineer the code and tamper with it, and all they need for that is a public copy of your app. FGLI keeps code security in mind from day one and hardens its code, making it tough to break through. It obfuscates and minifies the code so it cannot be easily reverse-engineered. FGLI also keeps its code hardened and follows code signing.
2. Encrypt all data: Every single unit of data that is exchanged over the FGLI app is encrypted. This means that even if data is stolen, there is nothing criminals can read and misuse. You can understand the power of encryption when organizations like the FBI and NSA are found asking for permission to access iPhones and decode WhatsApp messages. If they can't break through wilfully, hackers sure can't.
3. Extra cautious with libraries: When using third-party libraries, FGLI takes extra care and tests the code thoroughly before using it in its app. FGLI believes developers should use controlled internal repositories and exercise policy controls during acquisition to protect apps from vulnerabilities in libraries. FGLI constantly keeps its libraries, frameworks, and development tools up to date, and it only uses trusted sources for frameworks and libraries.
4. Authorized APIs only: APIs that aren't authorized and are loosely coded can unintentionally grant a hacker privileges that can be badly misused. For example, caching authorization information locally helps programmers easily reuse that information when making API calls, but that cached information is also exposed to anyone who gains access to the device. Hence, FGLI recommends and follows APIs that can be centrally authorised for maximum security.
5. High-level authentication: Given that some of the biggest security breaches happen due to weak authentication, it is becoming increasingly important to use stronger authentication. Hence, FGLI designed its apps to accept strong alphanumeric passwords and, at certain stages, multi-factor authentication involving a dynamic OTP.
6. Principle of least privilege: FGLI ensures that its code runs with only the permissions it needs and no more. The FGLI app doesn't request any more privileges than the minimum required for it to function.
7. Session handling: Sessions on mobile last much longer than on desktops, which makes session handling harder for the server. FGLI uses tokens instead of device identifiers to identify a session. Tokens can be revoked at any time, making them more secure in the case of lost or stolen devices.
8. Cryptography tools & techniques: Key management is crucial if encryption efforts are to pay off. FGLI does not hard-code keys, as hard-coded keys make it easy for attackers to steal them.
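The two practices above (revocable session tokens rather than device identifiers, and keys that are not hard-coded) fit together in one small server-side component. The following is an added illustration, not FGLI's code: a session store that issues random bearer tokens, keeps only a keyed hash of each token so a leaked store cannot be replayed, and supports revoking a single token or every session of a user whose device was lost. The HMAC key is read from an environment variable (the name `SESSION_TOKEN_HMAC_KEY` is an assumption) and the process refuses to start without it, instead of falling back to a constant baked into the source.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed environment variable name. The key is provisioned outside the
# source tree (secret manager, deployment config); it never lives in code.
KEY_ENV_VAR = "SESSION_TOKEN_HMAC_KEY"


def load_hmac_key(env=os.environ):
    """Read the HMAC key from the environment and fail closed if absent."""
    key = env.get(KEY_ENV_VAR)
    if not key or len(key) < 32:
        raise RuntimeError(f"{KEY_ENV_VAR} missing or shorter than 32 chars; refusing to start")
    return key.encode()


class SessionStore:
    """Server-side registry of bearer session tokens, indexed by keyed hash."""

    def __init__(self, hmac_key, ttl_seconds=30 * 24 * 3600, now=time.time):
        self._key = hmac_key
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested
        self._sessions = {}  # token digest -> {"user": ..., "expires": ...}

    def _digest(self, token):
        # Store only an HMAC of the token: a dump of this table does not
        # hand out usable credentials.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id):
        """Create a fresh random token for a user and return it to the client."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = {
            "user": user_id,
            "expires": self._now() + self._ttl,
        }
        return token

    def validate(self, token):
        """Return the user id for a live token, or None if unknown/expired/revoked."""
        digest = self._digest(token)
        record = self._sessions.get(digest)
        if record is None:
            return None
        if record["expires"] <= self._now():
            del self._sessions[digest]  # lazy expiry
            return None
        return record["user"]

    def revoke(self, token):
        """Revoke one session (e.g. explicit logout). True if it existed."""
        return self._sessions.pop(self._digest(token), None) is not None

    def revoke_all_for_user(self, user_id):
        """Revoke every session of a user, e.g. after a lost-device report."""
        doomed = [d for d, r in self._sessions.items() if r["user"] == user_id]
        for digest in doomed:
            del self._sessions[digest]
        return len(doomed)


if __name__ == "__main__":
    # Demo only: a real deployment provisions the key externally.
    os.environ.setdefault(KEY_ENV_VAR, secrets.token_hex(32))
    store = SessionStore(load_hmac_key())
    token = store.issue("user-42")
    print("valid before revocation:", store.validate(token))
    store.revoke_all_for_user("user-42")
    print("valid after revocation:", store.validate(token))
```

Because the token is random and unrelated to the device, revoking it does not depend on the device being reachable; the server simply forgets the digest, and the next request from the lost phone fails validation.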
9. Test repeatedly: New threats are emerging every day, so repeated testing is needed to stay protected. FGLI conducts regular vulnerability assessments and penetration tests of its apps. The company fixes the findings with each update and issues patches when required.