Mobile Apps

Mobile Applications Security - It is Important Business

The rise in popularity of mobile apps means, among other things, that businesses are rushing to develop their own. Unfortunately, this can mean that security comes only as an afterthought, even though a badly designed mobile app can expose your server, your network and your business. Phone security is divided into four separate sections that together make up the Security Stack. Here we will focus on the topmost layer - the Application Layer - since this is the one developers deal with most often. The other members of the Security Stack - the Infrastructure Layer (the network of mobile connections managed by mobile carriers), the Hardware Layer (the mobile phone in your hands), and the Operating System Layer (the OS that makes your phone run) - are beyond the scope of this post.

The Application Layer contains all the programs that users can interact with, including the one that you are going to create, commission or design. It is within this layer that issues such as bad data usage and storage, poor cryptographic algorithms and buffer overflows appear, both while the program runs "by itself" and when it communicates or works with other applications.

Mobile app vulnerabilities involve errors in design and implementation. These errors expose users to interception and information retrieval by attackers, and create an opportunity for information to leak from the device to unauthorized parties. Since business mobile applications often connect to a company server, work with a corporate database and exchange data with a corporate web site, mobile app vulnerabilities can compromise these elements of the corporate IT infrastructure and lead to loss of data. Most often these vulnerabilities are caused by:

  • Inadvertent or side channel data leakage
  • Poor data storage
  • Unsafe data transmission

There is no checklist for securing all types of business mobile applications. Generally speaking, simple apps that do not interact with other apps and/or web services are inherently more secure than an application that requires users to log into a corporate network and exchange data with a database. For better or for worse, it is the latter type of application that is often needed for business. In practical terms, this means that developers working on these mobile apps must be familiar with best practices and be adept at securing software, securing transmissions of data and securing servers.

The FTC expects app developers to adopt and maintain reasonable data security practices and doesn't prescribe a one-size-fits-all approach. This brochure offers a starting point to help you provide a secure experience for your users. If applied thoughtfully and consistently, these tips can help protect you, your users, and the reputation of your app.

A few things you might want to consider while thinking about mobile application development or talking to a developer:

  • One item often escapes developers' attention, so we'll start with it: if your mobile app uses a corporate server, take appropriate security measures to protect the connection and the server. If the app relies on a commercial cloud provider, make sure you follow best practices when connecting to it. Find out who is responsible for updating software and applying security patches on the server.
  • Commercial and open source/free software libraries and toolkits provide a head start in the development process. However, do you know what is in these libraries and what their security track record is? Do your research before employing a third-party library.
  • Mobile devices offer great technologies, including cameras, sensors, GPS, Wi-Fi receivers, etc. For every application you need to balance the desire to use these features against the risks associated with them. Practice data minimization: don't collect or keep data, and don't engage technologies, that you don't need. Even when collecting data, don't keep it on the device longer than you need to. When saving data on the device, you might want to encrypt it. If your app deals with certain classes of data, such as health, financial or children's data, you must comply with much more rigorous government rules and regulations.
  • Anticipating potential security glitches is significantly less expensive than dealing with the consequences of a breach, both in terms of money and time.
  • Mobile platforms handle security in their own way. Adapt your code to the platform you are using, but don't rely solely on built-in features to protect the app.
  • When generating and/or transmitting and/or storing credentials, do it securely.

Good luck!