Security Checkpoints for App Developers and Startups
When building an app or web service, it's easy to get so absorbed in feature development that you neglect security. But even a brand-new service can immediately face attack attempts through botnets, so it's important to build the habit of considering security from the very start.
In this post, I've compiled security points to keep in mind during service development based on materials I've researched.
robots.txt and Unnecessary Information Exposure
Many developers write Disallow entries in their robots.txt file to keep crawlers away from certain paths.
The problem is that, from an attacker's perspective, the file is public and each entry serves as a hint that "there is something important at this path."
So it's best to avoid listing sensitive paths or admin page URLs in the file at all; protect those paths with authentication on the server instead.
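As an added illustration (not code from the original post), here is a small audit script you can run against your own robots.txt before publishing it. The two robots.txt contents and the list of "sensitive-looking" path fragments are constructed assumptions for the demo; extend the list for your own service.

```python
"""Audit a robots.txt for Disallow entries that advertise sensitive paths.

Added illustration for this post; the robots.txt contents below are
constructed samples, not from any real site.
"""
import re

# Path fragments that commonly mark administrative or sensitive areas.
# Assumption for the demo; extend it for your own service.
SENSITIVE_HINTS = ("admin", "backup", "config", "private", "internal", "secret", "dump")

# Weak: every line here tells a visitor exactly where to look.
WEAK_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db-dump.sql
Disallow: /internal/api/
Disallow: /images/
"""

# Hardened: nothing sensitive is listed. Those paths are protected by
# authentication on the server instead, and the file only carries
# crawl hints for public-but-uninteresting content.
HARDENED_ROBOTS = """\
User-agent: *
Disallow: /images/
Disallow: /search
"""


def disallowed_paths(robots_text):
    """Return every Disallow path in the file, ignoring comments and blanks."""
    paths = []
    for line in robots_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(?i)disallow\s*:\s*(\S*)", line)
        if m and m.group(1):                            # skip empty "Disallow:"
            paths.append(m.group(1))
    return paths


def sensitive_disallows(robots_text):
    """Return the Disallow paths whose segments look like sensitive areas."""
    flagged = []
    for path in disallowed_paths(robots_text):
        segments = [s.lower() for s in path.strip("/").split("/")]
        if any(hint in seg for seg in segments for hint in SENSITIVE_HINTS):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ROBOTS), ("hardened", HARDENED_ROBOTS)):
        print(f"{name}: {sensitive_disallows(text) or 'nothing sensitive exposed'}")
```

Run it in CI against the file you are about to deploy and fail the build when the flagged list is non-empty; the fix is never to hide the path better in robots.txt, but to remove the line and put the real access control (login, IP allow-list) in front of the resource.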
Library and Framework Vulnerabilities
Open-source libraries used in your service should always be kept up to date.
Attackers quickly exploit published vulnerabilities in specific libraries, so simply knowing which libraries (and versions) a service uses can reveal attack vectors.
Libraries or products with default accounts or initial passwords must have their initial settings changed, and unnecessary features should be turned off.
Web Security Audits and Guidelines
- You can quickly organize practical audit items by referencing the Web Server Security Audit Materials provided by KISA (Korea Internet & Security Agency).
- The Secure Coding Guidelines from the Ministry of the Interior and Safety are helpful at the code level.
- If you're a Flutter app developer, it's also great to check the Flutter App Security Guide. (I'm a Flutter fan, so...)
Personal Data Protection and Encryption
In the past, sensitive data like national ID numbers could even show up in search results through Google Dorking techniques.
Things have improved significantly, but personal data can still be leaked from insecure servers.
Credit card numbers, user identification information, and authentication-related data must be encrypted at rest, and HTTPS should be the default for transmission.
Penetration Testing and Practice Environments
Nowadays, intentionally vulnerable virtual servers (Vulnerable VMs) are provided for educational and practice purposes.
When developers or security professionals practice attack techniques in these environments, it greatly helps in hardening actual services.
Account Security and Password Management
To defend against brute-force attacks, passwords should be changed frequently, and on the server side it's good practice to delay the response when a login attempt fails.
This isn't the server being slow -- it's a defense technique that reduces the number of guesses an attacker can make per unit of time.
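The two server-side points above (storing authentication data protected rather than in plaintext, and slowing down failed logins) fit in one small example. This is an added illustration, not code from the original post. It uses only the Python standard library: passwords are stored as a PBKDF2 hash (hashing, not reversible encryption, is the right protection for passwords specifically), comparison is constant-time, and each consecutive failure for an account doubles the delay before the server answers. The user record, the iteration count and the delay schedule are constructed assumptions; the `sleep` hook is injectable so the behaviour can be checked without actually waiting.

```python
"""Password storage plus slowed-down failed logins, standard library only.

Added illustration for this post; the user record and the login attempts
are constructed. PBKDF2 from hashlib is used because the standard library
has no AES; for other sensitive fields (card numbers, ID numbers) a proper
field-level cipher from a library such as `cryptography` is the next step.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumption: tune upward for production hardware
BASE_DELAY = 0.5             # seconds added after the first failure (assumption)
MAX_DELAY = 8.0              # cap so the backoff cannot grow without bound


def hash_password(password, salt=None):
    """Return (salt, derived_key); the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    """Re-derive the key and compare in constant time."""
    _, key = hash_password(password, salt)
    # compare_digest does not short-circuit, so timing does not leak
    # how many leading bytes of the guess were correct.
    return hmac.compare_digest(key, stored_key)


class LoginGate:
    """Tracks consecutive failures per account and delays failed responses."""

    def __init__(self, users, sleep=time.sleep):
        self.users = users      # {username: (salt, derived_key)}
        self.failures = {}      # {username: consecutive failure count}
        self.sleep = sleep      # injectable so tests need not really wait

    def delay_for(self, username):
        """Delay after the n-th consecutive failure: 0.5s, 1s, 2s, ... capped."""
        n = self.failures.get(username, 0)
        return 0.0 if n == 0 else min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Hash anyway so an unknown username takes as long as a wrong
            # password; otherwise timing reveals which accounts exist.
            hash_password(password)
            ok = False
        else:
            ok = verify_password(password, *record)
        if ok:
            self.failures.pop(username, None)
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        self.sleep(self.delay_for(username))   # the deliberate slow-down
        return False


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    gate = LoginGate({"alice": (salt, key)})
    for guess in ("wrong", "still wrong", "correct horse battery staple"):
        print(guess, "->", gate.login("alice", guess))
```

In a real deployment the failure counter lives in shared storage (a database or cache) rather than in process memory, and is keyed by account and by source address so that a distributed botnet spreading guesses across many IPs is still slowed per account.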
ISMS-P Certification Necessity
Promising companies operating services in Korea will ultimately need to undergo ISMS-P certification audits.
Since it becomes mandatory above a certain scale, it's important to start preparing early and establish a security management system from the initial stages.
Code Obfuscation and Reverse Engineering Prevention
When distributing an app, you should obfuscate the code to make reverse engineering difficult.
- In Flutter, you can use the --obfuscate build option
- For Android native apps, use ProGuard or R8
You can also consider detecting whether the app is running on a rooted or jailbroken device and blocking sensitive features accordingly.
App and server security isn't a "check once and done" deal -- it's something you need to keep paying attention to throughout the entire lifecycle of your service.
Building security as a habit from the early development stages can prevent massive costs and crises down the road.
Development Security Checklist
- Input validation for all external data
- Prevent exposure of error messages and system information
- Encrypt personal and authentication data (encryption during log/DB storage)
- No hardcoding of passwords, API keys, tokens, etc.
- Hide admin/important page paths (prevent exposure in robots.txt)
- Change all default accounts, passwords, and configuration values
- Source code obfuscation (Flutter: --obfuscate, Android: ProGuard, etc.)
- App integrity verification and tampering detection
- Rooting/jailbreak detection and blocking
- Encrypted input/virtual keypad for sensitive information (passwords, ID numbers, etc.)
- Authentication and authorization management (2FA, principle of least privilege)
- Session management and session expiration handling (session token protection and periodic renewal)
- Transport layer encryption (HTTPS/TLS-based data transmission)
- Vulnerability assessment using static/dynamic analysis tools
- Penetration testing and manual code review
- Secure storage and management of app signing keys (no uploading to public repositories)
- Immediate response and remediation upon vulnerability discovery
- Regular security training and trend sharing
- Pre-review and preparation for ISMS-P and other legal/certification requirements
- Real-time security monitoring and log analysis
We are the leaves of one branch, the drops of one sea, the flowers of one garden.
-- Jean Lacordaire