As a football star, Laremy Tunsil is an unlikely poster boy for cyber security in the world of pro hockey.
Tunsil was the top-ranked pick in April’s National Football League draft. Then, he got brutally tackled on Twitter.
Moments before the draft started, a video of Tunsil allegedly using a marijuana bong was posted on his Twitter account. Although the clip mysteriously disappeared a few minutes later, Tunsil’s draft day dreams went up in smoke: he slid from the top spot, eventually being selected thirteenth overall by the Miami Dolphins.
The hack attack reportedly cost the offensive lineman millions of dollars in potential salary, bonus and endorsement money.
The incident illustrates why security was top of mind when the National Hockey League Players’ Association created its mobile app, said Stephen Frank, director of technology and security at the NHLPA.
“NHL players are high net worth individuals who are primary targets of various cyber attacks,” Frank said during a presentation at the Enterprise Mobility Summit in Toronto on Tuesday.
As the union representing NHL players during the league’s $4 billion collective bargaining process, the NHLPA takes safeguarding player data very seriously, he said. According to the NHLPA’s website, its business affairs unit also oversees consumer product licensing, sponsorships, charitable and community relations, marketing ventures and digital and media properties for the players’ union and its members.
The NHLPA was the first of the four major pro sports leagues in North America to release its own mobile app in 2011. But Frank said that third-party app “for the most part, constituted a flow of information that was only one way” from the union to its members.
To create something more interactive that also had greater functionality, the union set out to develop its own app in-house. Along with co-presenter Andrew Hyslop, the NHLPA’s manager of digital solutions and development, Frank explained at Tuesday’s event how security was front and centre during every part of the game plan.
“I like to call this case study ‘From the Locker Room to the Board Room’,” Frank quipped at the Toronto conference.
Here are some top mobile security tips taken from the NHLPA’s app development playbook.
Bake it in
Factor security into the equation right at the beginning of your app development process “whether you do it yourself or go through a third party,” Frank suggested. “It’s easier than getting a vendor to modify the security of their app during the review process or after the fact.”
Minimize risk exposure
Frank, Hyslop and their development team chose not to distribute the app through a public app storefront.
“That was a big one for security. The last thing we wanted was to make it publicly available. We limited our exposure through a limited ad hoc enterprise deployment … It mitigates the risk,” said Frank.
The NHLPA hosts the app and related files on its servers; players and agents must go through an authentication process to download the app. This limited distribution process was made easier by the fact that, unlike a consumer or B2B app, the NHLPA’s mobile app has a relatively small, niche user base of NHL players (both current and retired) and agents.
Layer your security
The NHLPA embedded various layers of security into its app. For example, it restricted the number of devices that can activate the app from a single user account. The app also forces users to authenticate their identity again if their session automatically times out after a period of inactivity, similar to the security timeout feature in most online banking sessions.
In addition, access privileges for the app are based on roles or membership levels within the NHLPA. Frank said the organization can monitor the app to see which users access it, how they use it and where they’re located so that “any anomalous behaviour is red-flagged.” Plus, the NHLPA has the ability to geo-block access to the app and its contents from any location at any time.
The NHLPA’s new app debuted for iOS and Android about 18 months ago. It’s fully integrated with the association’s existing website and is used by 1,200 players and 180 agents, about 80 per cent of its total potential user base. Although NHLPA members can’t use the app as a bargaining tool during actual contract negotiations, it keeps them up to date on union and league news such as trades, deadlines, compensation levels and the contract status of each player.
The new app is more interactive than its third-party predecessor; a built-in survey engine allows the NHLPA to gauge “the pulse and barometer of players for any collective bargaining issue or NHL related issue,” according to Frank.
Through the app, players can also access any photos taken during NHLPA meetings or events and use them for their own corporate, charitable and promotional purposes.