Platform, Connection, Security: A Guide to IoT App Development
It’s near impossible to find consumer connected devices that don’t come with companion smartphone apps. Here's how to create an app that’s safe, fast, and affordable.
App development has become an integral part of IoT device creation over the past decade. These days, it's near impossible to find consumer connected devices that do not come with companion smartphone applications, which offload most, if not all, of the device's display to the user's handset. While a web-based UI will often be sufficient for industrial or enterprise-grade IoT devices, most manufacturers will have a hard time selling a consumer IoT device that can't be controlled from the user's smartphone.
As IoT mobile app development has evolved into a required front-end layer for the vast majority of today's connected consumer products, device developers have some important decisions to make in creating an app that is safe, fast, and affordable. Let's sort custom builds from off-the-shelf platforms, and cloud connections from peer-to-peer, in this development guide to IoT apps.
The App: Custom vs. Off the Shelf
The first thing developers must decide when creating their app is whether to custom build or use an off-the-shelf IoT application enablement platform. It almost goes without saying that the decision to custom build should only be made by technical pros with plenty of time and budget on their side, because starting an app from scratch requires teams to design, build, test, and maintain each part of the IoT stack, including:
- Server deployment and maintenance
- Database build and maintenance
- UX and UI build
- Developing third-party connections and APIs
- Security considerations
- Access control
- Front end build and maintenance
While the finished product will be original, it will also require an average build time of 12 to 24 months.
Most developers simply do not have this luxury and opt for an off-the-shelf IoT application enablement platform (AEP). An AEP is a self-contained IoT environment that developers can use to build and deploy IoT products and services quickly, with well-known options including Azure IoT, AWS IoT, and IBM Watson.
When differentiating between these AEP players, developers should consider key factors like cost (particularly the cost of scaling your product when you take it to market), speed (what is the maximum latency acceptable to you?), and APIs (does the solution provide open APIs to glue it together with your own backend systems?).
The Connection: Cloud vs. Peer-to-Peer
Once developers have settled on their app platform, the next step is to consider the connection type. The standard option for most off-the-shelf IoT application enablement platforms is to relay client-device communication via the cloud. This database-driven solution stores information on a central server before it is presented to the user, which may be preferable for large projects that leverage huge datasets. On the other hand, this connection type opens the door to privacy problems, high latency, and high running costs.
The other connection option for developers is peer-to-peer. Instead of relaying commands through a "middleman" server, this connection type relies on third-party providers to establish a direct connection between the end user's app and the device. This method stores user data only on the IoT device itself, giving the user complete control, with the simultaneous benefits of high security and low latency.
The Security: Tips for Safe Apps
Then, with the app framework and connection decided, comes arguably the most fundamental design consideration when developing an IoT app: security. Smart home, health, and surveillance devices all transmit extremely sensitive personal data, and any breach could be harmful to users and disastrous for the device manufacturer's reputation. Thus, apps should come locked and loaded with strong security.
Unfortunately, the majority of companion apps do not. Researchers last year found that about half are potentially exploitable through protocol analysis, since they use local or local-broadcast communication, which provides an attack path that exploits missing cryptography or hardcoded encryption keys. Further, this study of companion apps for some of Amazon's most popular devices found a lack of encryption in one-third of cases and the use of hardcoded keys in one-fifth of cases.
The good news is that secure communication between a device and an app is possible. Smart home device creator EZVIZ ships an encryption key inside the device box in the form of a QR code that must be scanned by the companion app. Meanwhile, German smart heating and cooling provider SOREL successfully uses a peer-to-peer connection to ensure its smartphone app communicates without interference. Moreover, the connection minimizes the company's risk, since end users manage their data only on their own device.
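The two failure modes in the study above, a missing encryption layer and a single hardcoded key shared by every unit, and the boxed QR code that EZVIZ uses both come down to where the key comes from. The Go example below is added here and is not the page's or any vendor's code: it derives a per-device key from a constructed QR secret (the derivation label is an assumption) and protects each app-to-device command with AES-256-GCM, so a command sealed for one device is rejected by another, which a fleet-wide hardcoded key would not do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deviceKeyFromQR derives a per-device AES-256 key from the secret printed as a QR
// code in the box (the EZVIZ pattern the article cites); the label is an assumption.
func deviceKeyFromQR(qrSecret []byte) []byte {
	mac := hmac.New(sha256.New, qrSecret)
	mac.Write([]byte("companion-app-key-v1"))
	return mac.Sum(nil) // 32 bytes
}

// session is one app<->device channel protected with AES-256-GCM.
type session struct{ aead cipher.AEAD }
func newSession(key []byte) (*session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &session{aead}, err
}

// seal encrypts and authenticates one command as nonce||ciphertext||tag.
func (s *session) seal(command []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per message; never reuse one under a key
	return s.aead.Seal(nonce, nonce, command, nil)
}

// open verifies and decrypts; a wrong key or a single flipped bit yields an error.
func (s *session) open(msg []byte) ([]byte, error) {
	if ns := s.aead.NonceSize(); len(msg) >= ns {
		return s.aead.Open(nil, msg[:ns], msg[ns:], nil)
	}
	return nil, fmt.Errorf("truncated message")
}

func main() {
	devA, _ := newSession(deviceKeyFromQR([]byte("QR-SECRET-A"))) // constructed secrets
	devB, _ := newSession(deviceKeyFromQR([]byte("QR-SECRET-B")))
	_, err := devB.open(devA.seal([]byte("set_temp=21")))
	fmt.Println("device B rejects device A's command:", err != nil) // true
}
```

Had both sessions been built from the same hardcoded key, devB would have accepted the command, which is exactly the fleet-wide exposure the study describes.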
Security remains a stumbling block for many of today’s apps, so here are three elements for developers as they consider how to develop IoT apps:
- Audit your chosen IoT AEP: Inspect the security credentials of your chosen IoT platform provider and look for evidence of regular penetration tests and security updates.
- Use two-factor authentication, obfuscation, and encryption: This will help ensure only authorized users can access the IoT app.
- Use public key infrastructure (PKI) for authentication and encryption: This ensures end-to-end privacy for your users. Nobody but the user will be able to access the collected data.
There are about a million ways to create an app, but designers should keep in mind that only a select few core decisions make or break the finished product.
Published at DZone with permission of Carsten Rhod Gregersen.