In April 2016, the European Parliament and the European Council adopted the General Data Protection Regulation, also known as the GDPR. It is intended to strengthen and unify data protection for individuals inside the European Union. The regulation will come into effect in May 2018, and organizations across Europe are working hard to ensure their security policies comply with the new legislation. To facilitate that process, we will zoom in on the significance of the GDPR for the security of mobile applications.
The GDPR contains two articles that are relevant for mobile application protection.
The organizations concerned have to be able to show that the security measures mentioned in articles 25 and 32 are in place and that compliance with the GDPR is monitored. Failure to adhere to either of these articles can result in fines of up to 2% of the annual worldwide turnover or €10 million (article 83).
Since mobile applications have become an integral part of data processing systems, it is important to know which measures can be taken to ensure the confidentiality of the processed data in the context of the GDPR. The most important weakness of mobile applications is that they can be reverse engineered in very little time. This enables attackers to gain insight into the structure of the application, to extract information (encryption keys, API keys, etc.) that can be used to access private data, and to tamper with the application in order to harvest user credentials. To counter reverse engineering and secure the users' data, the applications must be protected using a twofold approach: protecting the application itself and protecting the data it processes.
Protecting mobile applications is a crucial aspect of developing secure data processing systems. In addition, measures have to be taken to ensure the confidentiality of the data itself.