Data Leakage

App Development: Avoid Data Leaks!

By Andre Luiz R. Silva on

If even Facebook can suffer data leaks caused by app development flaws, the problem is clearly huge. What's worse is that security during software creation is not given nearly the priority it needs. Many developers don't offer the service or even discuss the subject.

That is also why the position of security evangelist, although it has existed for years, is still a rarity in companies. The security evangelist is the employee responsible for spreading security techniques and practices to all levels and teams, including those responsible for the apps. Note: when we speak of apps here, we mean both mobile and desktop programs.


Why take security into account when developing apps?

First, so that clients' and/or employees' credentials (logins and passwords) or credit card data are not leaked, of course. With the General Data Protection Regulation (GDPR) and similar legislation now in place, staying alert so that hackers don't break into your systems or apps avoids legal problems and demonstrates proper respect and consideration for your employees and customers, creating bonds of trust.

In addition to stopping leaks, you must be on guard to prevent a “snowball effect.” The longer you delay in protecting data and lines of code, which are constantly increasing over time, the more expensive the whole process will be—and much more of a headache.


Are web apps more secure?

The increase in the use of cloud services (or more specifically, cloud computing) is an indisputable fact. According to Statista's data, the slowest growth rate since 2011 in the cloud services market was in 2017, which showed an increase of "only" 12.4%. In 2018, the year with the fastest growth, the worldwide increase in the use of this type of platform hit 25.5%.

This is a significant migration: many companies, for example, no longer have a physical space dedicated to the computers that store all their data. Some security advantages have emerged from this. To use a company's intranet (an internal network that allows file sharing without going through the Internet) or internal email, many people used to rely (and still do) on VPN connections to reach those systems when away from the company's premises. Breaches in that setup can then give hackers a way in.

But the increased use of the Internet is no indication that the environment is 100% more secure. According to this year's Data Breach Investigations Report from Verizon, server leaks related to payment transactions outside the web are still in the majority, though their number has diminished. Meanwhile, card data leaks from web application servers are constantly increasing (and tend to exceed the other types). So be especially careful about where you put your credit card data!

To summarize: web app or not, mobile or desktop, development must protect information in the best possible manner and keep implementing updates.


What steps should be taken to create secure apps?

There is a series of steps and procedures that make protection and security in app development more effective. The main objective of these practices is to comply with the Software Assurance Maturity Model (SAMM), created by the Open Web Application Security Project (OWASP). It is a guide (or maturity model) designed to inform secure development in the most efficient manner possible.

Conviso is a company that specializes in app security. They provide services whenever needed to work on data protection in software. So check out their interesting article on how to enhance security in app development; the article also includes a review of the entire OWASP SAMM.


What app data might be leaked and where does it go?

Verizon's report on leakage also shows that in 2018 the two primary types of data leaked (which in most cases are linked) were credentials (logins and passwords) and internal information.

Our detections here at Axur agree with those findings: the sites where we see the most data and information leaks are repositories such as Pastebin (an anonymous means of sharing text files) and GitHub (a hosting platform for source code), in addition, of course, to the innumerable lists traded on the deep and dark web.
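The two data types named above, credentials and card numbers, are also the ones that show up most often in public pastes and pushed source files. The following is an added example, not code from Axur or from this article, of a minimal defender-side scanner for that kind of content: it flags assignments to password- or token-like keys and flags digit runs that pass the Luhn check (so order IDs that merely look like card numbers are ignored), and it masks everything it reports so the report itself never re-leaks the secret. The sample text, the key-name list and the regular expressions are all assumptions constructed for this demo.

```python
import re
from typing import Dict, List

# Constructed sample of content as it might appear in a public paste or a pushed
# source file (example data only; every value here is made up for this demo).
SAMPLE_TEXT = """\
# config.py (constructed example)
DB_USER = "app"
DB_PASSWORD = "Sup3rSecret!"
api_token = 'abc123def456'
# test fixture: a Luhn-valid card number
card = 4539578763621486
order_id = 1234567812345678
invoice = 123456789
"""

# Key names that commonly precede a credential in config or source files (assumed list).
CREDENTIAL_RE = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[=:]\s*[\"']?([^\"'\s]+)"
)
# 13 to 19 digits, optionally separated by spaces or dashes (typical card layouts).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_credential(value: str) -> str:
    """Keep only a two-character prefix so a report never re-leaks the secret."""
    return value[:2] + "*" * (len(value) - 2)


def mask_card(digits: str) -> str:
    """Keep the BIN (first six digits) and the last four, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Scan text line by line for exposed credentials and Luhn-valid card numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_RE.finditer(line):
            findings.append({
                "line": lineno,
                "type": "credential",
                "key": m.group(1).lower(),
                "masked": mask_credential(m.group(2)),
            })
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):   # drop IDs and order numbers that merely look like PANs
                findings.append({
                    "line": lineno,
                    "type": "card",
                    "bin": digits[:6],
                    "masked": mask_card(digits),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT):
        print(finding)
```

Run on the constructed sample, the scanner reports the password on line 3, the token on line 4 and the card on line 6 (with its BIN), while the Luhn-invalid order number on line 7 and the nine-digit invoice number are left alone. A real monitoring pipeline would feed it the text of new pastes or commits and route each finding to the team that owns the affected key.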


If you would like a team (of humans and robots) to help you with monitoring, why not use the Axur One platform with the Programming code leakage solution? You can also receive constant alerts regarding password and credit card BIN detections. Visit Hashcast and Cardcast.



Eduardo Schultze, Coordinator of Axur's CSIRT, graduated in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.


Andre Luiz R. Silva

A journalist working as Content Creator at Axur, in charge of Deep Space and press activities. I have also analyzed lots of data and frauds here as a Brand Protection team member. Summing up: working with technology, information and knowledge together is one of my biggest passions!