Ultimate Security Checklist to Launch a Mobile App in Indonesia - iOS & Android

The Association of Southeast Asian Nations (ASEAN) region, including countries such as Singapore, Malaysia, Thailand, and Indonesia, is the fastest-growing digital market in the world. Mobile applications have become increasingly integrated into daily life in terms of financial transactions, eCommerce, healthcare avenues, and service deliveries. 

That being said, Southeast Asian countries are witnessing a high surge in cybersecurity attacks on mobile applications.

In 2022, 94% of businesses in the region saw an increase in the volume of cyber attacks.

New and unforeseen threats continue to quiver businesses of all sizes and domains. Hence, detailed incorporation of application security protocols is necessary to comprehend, control, and mitigate risks.

Are you planning on releasing a mobile security app in the bustling Southeast Asian market? If Indonesia is on your radar, then it's important to understand the strict data protection laws. Luckily, our informative blog delves into the nitty-gritty and provides a comprehensive checklist to ensure compliance. 

And, to make sure your app is top-notch, we are also sharing tips on choosing the right security testing partners. Before we get into all that, let's explore the dangers of an unsecured app.

Consequences of Building and Launching an Insecure Application

Code Tampering Attacks

If an app has insecure deserialization, an attacker can enter unauthorized code within the application remotely, interfere with it, and eliminate serialized objects. He can also initiate free access to paid privileges and inject malicious codes.

Data Breaches

Insecure code or an insecure network configuration between the mobile app and servers allows an attacker to access data stored on the app. This data might contain confidential user information such as bank account or debit card details, usernames & passwords, and other contact information. A data breach would entail losing all this data, which might further cause identity theft or other malicious data tampering.

Business Disruption

Security is paramount to maintaining customer trust and loyalty in today's digital age. Any breach of your application could signal a lack of integrity and put your business at risk. If news of the breach becomes public, it could be catastrophic for your reputation, possibly resulting in losing customers and opportunities. 

Financial Loss

Did you know that application security attacks can wreak havoc on your financial and legal standing?

The potential data breach cost is staggering, with projections indicating that it could soar to $5 million by 2023. 

Beyond the immediate financial hit, losing vital information may result in steep compensations, fines, or penalties, compounding your woes. Therefore, prioritizing and investing in application security is a wise and essential decision to steer clear of such thorny predicaments.

Now that you know the significance of mobile app security, let's look at the data protection law in Indonesia. 

Data Protection Law In Indonesia

Personal Data Protection Law in Indonesia came into force on 17 October 2022, requiring businesses to handle and process data in a certain way. Following are a few key points mentioned in the law:

Consent Requirements

The PDP Law mandates that controllers must obtain clear and explicit permission from individuals before using their personal data. Any data processing must be done only for the stated purpose, and the individual must be fully informed before giving their consent.

The law also states that controllers are supposed to adhere to data protection principles. They must also process personal data only in a limited, transparent, specific, and lawful manner. Additionally, the processing must be accurate, transparent, secure, and responsible. 

Obligations for Processors

The Indonesian PDP Law requires processors to comply with the enlisted provisions, including-

• Ensuring the correctness and completeness of personal data.
• Implementing appropriate operational and technical steps based on the risk posed by the data.
• Maintaining confidentiality of personal data.
• Preventing unlawful access and unauthorized processing of personal data.
• Recording all processing activities.

Cross-Border Data Transfers

Suppose the data is being transmitted outside Indonesia. In that case, the PDP law requires the controllers to ensure that the data protection level in the recipient country is equal to or higher than the PDP Law. 

Furthermore, in cases where the level of data protection cannot be established to be equivalent or greater, data transfer can still happen if consent for transfer is obtained from the data subject.

Penalties and Liabilities 

• A written warning
• Temporary suspension of processing activities
• Mandatory deletion of personal data
• A fine not exceeding 2% of annual revenue or sales of the data controller

Criminal Liability

In addition to confiscating profits or assets, as the case may be, authorities can impose the following penalties on both individuals and organizations -

• For intentionally collecting or using a user's data: maximum imprisonment of five years and/or a maximum fine of 5 billion Rupiah.
• For intentionally disclosing a user's data: maximum imprisonment of four years and/or a maximum fine of 4 billion Rupiah.
• For intentionally creating false personal data: maximum imprisonment of six years and/or a maximum fine of 6 billion Rupiah.

Security and Data Breach Notification

PDP Law requires organizations to adopt security measures to safeguard personal data. This includes preparing and implementing an operational course of action and risk-based approach to ascertain an appropriate level of data security. 

Controllers must submit a written notification to the concerned data subject and authority in case of a breach within three days. The notice should contain details like the data involved in the breach, the place and time of the breach, and the remedial measures undertaken for damage control. 

Security Checklist to Launch a Mobile App (iOS and Android) in Indonesia

Compliance with Data Protection Law in Indonesia requires incorporating a robust security mechanism into your application. The following layered approach will help you ensure the same. 

Secure the Code

Source Code is where all the critical information is stored; hence, it should be obfuscated so that it becomes too complex for hackers to break into. Furthermore, the application should collect as much information as necessary and store sensitive information separately from non-sensitive information.  

Additionally, input validation methods should be incorporated to ensure the entry of only adequately formatted data, thus blocking malicious codes and preventing injection attacks like cross-site scripting and SQL injection.

Secure the Data

To secure the data in transit and at rest, it is crucial to have a comprehensive data security policy and configure it to control and protect sensitive data on-premise, in the cloud, and across hybrid environments.

Measures like static and dynamic data masking, tokenization, and encryption also help to secure the data. However, for tokenization to work, you need to control the access to data and centrally manage, secure, and control cryptographic keys. 

Secure Authentication and Authorization

By implementing mobile app authentication and authorization in Indonesia, you enforce the appropriate controls to mitigate password-guessing attacks and data breaches.

Authentication Methods include implementing strong password rules, supporting single sign-on, and implementing two-factor and multifactor authentication (2FA and MFA).

Implementing authorization methods block privilege escalation attacks, i.e., blocking the hackers from accessing and changing privileges to expand access.

Periodic Security Testing

Recurring Penetration Testing and Vulnerability Assessment offer the best defense against hacks and ensure mobile app security in SEA.

What is Penetration Testing?

Colloquially known as pentesting,  it is a simulated attack on applications done to identify security flaws. The goal is to highlight exploitable vulnerabilities in the security architecture of your application and provide mitigation strategies to eliminate them before a hacker can exploit them.

To sum up, it is a process where the testers think like a hacker to stop the hackers.

What is Vulnerability Assessment?

It is a process that utilizes automated testing tools to identify known vulnerabilities in your application, like SQL injection, faulty authentication, etc. The goal is to prioritize vulnerabilities based on severity levels and provide a remediation guideline.  

It helps businesses identify the areas where resources must be allocated to prevent sophisticated attacks.

How to Choose Pen Testers in Indonesia?

1) Evaluate Expertise & Experience

When selecting a partner, evaluate both the company's expertise and the credentials of the testers who will be conducting the test.

When it comes to experience, it is more the merrier. While the company experience will tell you about techniques, execution, and documentation, the individual partner credentials will tell you whether the candidate is qualified for the job. 

2) Assess the Scope of Your Penetration Test

Choose a pen testing partner who aligns with your security objectives and provides a clear and complete blueprint for the test. It should include the following-

• The assets or components that are being tested
• Method of testing
• Reasons justifying the testing 
• People responsible for the testing
• Place and time of the testing 

3) Ensure Data Security

Conducting penetration testing would involve granting a 3rd party access to sensitive and private data. If this information is not handled securely, it might result in data theft or leakages. With such higher stakes, it is vital to vet the partners for integrity and discretion. To ensure the same, you can ask them questions like:

• How will the data be stored and deleted?
• What will be the duration for which it will be stored? 
• How will the data be transferred? 
• Did the pen testing company ever face a data breach in the past?

4) Corroborate Comprehensive Reporting

Ask the pen tester to share a sample penetration report. Ensure that it includes a detailed list of vulnerabilities, an overall threat landscape, and measured steps to mitigate them. 

Further, the report should have technical terminologies for those requiring comprehensive information but also be easily understandable by non-technical people. 

How to Choose a Vulnerability Assessment Solution Provider in Indonesia?

1) Look for Rewarding Experiences & Deliverables

Your Vulnerability Assessment Partner should hold relevant experience in the industry and deliver a good return on investment. 

The partner should be able to subject the testing to relevant use cases, complete it time-efficiently, and deliver minimal false positives. 

2) Seek a Comprehensive Service Suite

Your VA partner should provide comprehensive tests and reports based on CVSS scores. Additionally, they should give you information like the assets affected, the type of actions an attacker can commit, the number of days a vulnerability stayed unpatched, and the availability of the patch. 

3) Evaluate Compatibility

Incorporating cutting-edge tech tools to detect vulnerabilities can meet initial resistance from your employees. Therefore, it's crucial to integrate these tools with your current systems seamlessly. 

To ensure success and ease of use, partnering with a VA provider with comprehensive coverage of significant applications, operating systems (including iOS and Android), and infrastructure components is critical.

4) Check if Vulnerabilities are Triaged Based on Severity

Merely identifying the vulnerabilities won't solve the purpose. The VA partner should systematically triage the vulnerabilities based on severity and provide an advanced remediation strategy to fix them.

The partner should also review the status of patch implementations that have yet to be carried out and follow up with IT Operations to ensure complete integration.

Mobile application testing providers and businesses must have a strong and transparent collaboration to mitigate security flaws and challenges. With the above checklist at your disposal, you can select a pen testing and VA partner that suits your requirements. 

Are you looking for top-tier security solutions in Indonesia? Look no further than Raditya Mulia Lestari. 

Raditya Mulia Lestari

The team at RML consists of certified technical experts providing a cost-effective solution that maximizes the benefits of protecting your Android and iOS applications in Indonesia. Trust them to deliver unparalleled expertise in safeguarding your mobile apps.

Takeaway

As mobile applications become more prevalent in Southeast Asia, the importance of cybersecurity cannot be overstated. With hackers constantly on the prowl, app developers must proactively safeguard their users' data. This means adopting a mindset of assuming a breach could occur and implementing comprehensive security protocols from day one.

In Indonesia, strict data protection laws make it especially crucial for app teams to prioritize security. One way to do this is by implementing testing mechanisms to identify and patch any weaknesses in the app's architecture before a hacker can exploit them. 

Following these mobile security checklist guidelines, app developers and businesses can confidently launch safe and secure mobile experiences for Indonesian users.