Securing your Bubble App
In the modern world of digital computing, we’ve been given access to an entire world of data and information at our fingertips and we’ve been given the means to share our own lives with the rest of the world. However, these technologies allow others to violate our privacy and our wishes by stealing our data and using them in ways we would never allow.
For all its technical sophistication and its uniqueness as a no-code development platform, Bubble and apps made on it are still vulnerable to security risks. Thankfully, Bubble has foreseen these issues and allows us developers to take steps to safeguard our apps from unwanted interference. Similarly, they also allow us to provide our users with tools and policies that will allow them to feel more secure while using our Bubble apps.
Before we can move on to securing our Bubble app for its own sake, we should first discuss some legalities. We app developers aren’t just obligated to provide a secure environment for our users, we are also obligated under the laws of several countries to maintain a reasonable standard of security for their citizens’ data.
Your obligations under such laws will vary depending on your userbase and your geographical location. For example, the European Union’s General Data Protection Regulation (GDPR) protects users in the EU as long as they access your app from the EU. The same law also obligates software companies to ensure that other companies whose digital services they make use of are also GDPR-compliant.
Thus, if you’re a serious developer who eventually wants to make an expansive app, you should seriously consider doing your research about what kinds of laws protect your target userbases. You should also do some research to see if Bubble is the right tool to provide these protections. As another example, as of the time of writing, Bubble is not yet compliant with the American Health Insurance Portability and Accountability Act (HIPAA), and thus you shouldn’t use it to build apps that will require HIPAA compliance.
Bubble as a Platform
One big question you might now be asking is how secure is Bubble? With the new knowledge about compliance and laws above, you might also be wondering how compliant Bubble is with certain national regulations on data privacy and security.
First of all, Bubble’s main cluster is hosted on Amazon Web Services in its West Region. AWS themselves are certified as conformant to several American and international security standards. Furthermore, Bubble themselves encrypt all traffic and allow its developers and users to use encryption on their own domains. All passwords are salted and encrypted in their database, along with all user data when not in use.
It should also be noted that Bubble is GDPR compliant. They are also certified under Privacy Shield, though it is no longer an accepted mechanism for securely transferring data between the US and the EU. Instead, Bubble makes use of Standard Contractual Clauses, which are accepted.
They make a point of saying, however, that just because they are compliant does not necessarily mean your app will be. It is still your responsibility as a developer to take measures specifically for your app to make it secure. Bubble does, of course, provide you with the tools and website support to be compliant.
With all this said, Bubble is not a secure choice for all application use cases. Financial apps require high levels of security and compliance with other, stricter regulations which Bubble cannot provide. Similarly, secure messaging apps that can guarantee end-to-end encryption can’t be made on Bubble – they just aren’t planning to match that level of security.
How to secure your app
The very first place where you can work to secure your app is in its design. Certain simple design decisions and principles made at the start of development can save you a lot of headache by ensuring that security features are baked into your app from the very outset.
For example, pay attention to what you show your user when they first log in. Sensitive information displayed on their first redirect after logging in could be seen by potential attackers just by looking over their shoulders.
Another design decision you can make is avoiding the use of popups to deny unauthorized users access to sensitive parts of your webpage. While it is simple to put up, it’s also simple for tech-savvy users to deactivate it from their browser’s developer console. A more reliable option for controlling user access to important parts of your app is by simply using redirects – links that your user will be redirected to on certain conditions.
On the topic of redirects, you should know there are two kinds of redirects – server-side and client-side. Client-side redirects take place in the user’s browser after the page has been delivered, while server-side redirects are issued by the server before any page content is sent. The difference is that client-side redirects load the page for the user before they’re redirected, thus allowing them to peek at the data or contents therein. While you can’t explicitly set which Bubble will use, Bubble always prefers to use server-side redirects. A simple workflow is guaranteed to use a server redirect when needed, but more complex conditions may force Bubble to load the page on the client side instead of using a server-side redirect.
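To make the difference concrete, here is an added example (not Bubble’s code) that models the two kinds of gate as plain Node.js handlers; the request, session and protected page content are constructed stand-ins, and the handler names are assumptions.

```javascript
// Added example, not Bubble's own code: a server-side redirect versus a
// client-side redirect for gating a protected page, as described above.
// The request/session shape and PROTECTED_HTML are constructed for illustration.

const PROTECTED_HTML = "<h1>Account</h1><p>Balance: 1,234.56</p>"; // constructed sensitive content

// Server-side gate: the access decision is made before any page body is sent,
// so an anonymous request receives only a 302 to the login page and an empty body.
function serverSideGate(req) {
  if (!req.session || !req.session.userId) {
    return { status: 302, headers: { Location: "/login" }, body: "" };
  }
  return { status: 200, headers: {}, body: PROTECTED_HTML };
}

// Client-side gate: the full page is rendered and delivered, and only a script
// inside that page sends the browser elsewhere. The sensitive HTML is therefore
// present in the response whether or not the script ever runs.
function clientSideGate(req) {
  const loggedIn = Boolean(req.session && req.session.userId);
  const script = loggedIn ? "" : '<script>window.location.replace("/login")</script>';
  return { status: 200, headers: {}, body: PROTECTED_HTML + script };
}

// Review check: does an anonymous request ever receive the protected content?
function leaksToAnonymous(handler) {
  const anonymousRequest = { session: null };
  return handler(anonymousRequest).body.includes("Balance");
}

console.log("server-side gate leaks to anonymous:", leaksToAnonymous(serverSideGate)); // false
console.log("client-side gate leaks to anonymous:", leaksToAnonymous(clientSideGate)); // true
```

The `leaksToAnonymous` check is the kind of test worth keeping around whenever a workflow condition grows complex enough that Bubble may fall back to a client-side redirect.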
Another important design decision that should probably be automatic for any developer is to define a password policy. Bubble allows you to define one via the General section of your app’s Settings. Through this setting, you can define requirements for your users’ passwords: a minimum length, and whether a capital letter, a numeral, and a non-alphanumeric character are required.
You should also remember to be very careful with your private API keys. If you need to make an API call using secret keys or tokens, be sure you only use them in the API Connector marked as “Private” or in an API Workflow. This way, no one can see the key or token in their browser.
These security tips are only a few guidelines, however, and not the whole gamut of ways you can safeguard your app and your users’ data. Agencies like Bubblehelpers won’t just help you with more security measures and design techniques, they’ll also help you comply with data privacy regulations such as those mentioned above. So, go ahead and come to Bubblehelpers for more no-code web development support!