There is no single set of best practices for securing all applications. There are general ideas that you should consider, but how you implement those ideas will depend on the programming language you use, the platform(s) your app will run on, where you host the app, the type of data your app collects, and how it uses and manipulates that data.
Basic risk management tells us that any app that collects monetizable data is also an app that will be targeted by criminals. You will need to pay careful attention to how you secure collected data at capture, at rest, and in transit. The app’s code needs to be clean; the servers that house it and its data must be secure.
Fundamental Security Practices
Protecting Data At Rest, In Transit, and Client-Side