Different mobile platforms have different security characteristics. What's the best way for the mobile developer to deal with this?
For a mobile developer who wants to create secure applications, it's important to understand the security capabilities of the specific development platform or platforms.
In cases like this, organizations typically create separate teams of mobile app developers working on the different platforms. This is because mobile application development environments differ greatly between these popular platforms.
Android applications are typically developed in Java using Google plugins for the Eclipse development environment. IOS applications for the iPhone and iPad are typically developed in the Objective-C language using Apple's Xcode development environment. Java and Objectve-C are very different languages, and Eclipse and Xcode are very different development tools. In addition, Android and iOS have different application programming interfaces (APIs), used by the mobile developer to accomplish different tasks.
By understanding how a given platform behaves from a security standpoint, the mobile developer can make better design and coding decisions.
When it comes to security, there are common themes between iOS and Android, but the platform-specific details are important. At the very least, mobile app developers should acquaint themselves with certain security capabilities, including the following:
- Data storage. How does the platform store data on the device? What data formats are available, such as normal files, SQLite databases and key/value data stores? How is data that is stored on the device protected should the device falls into the hands of a malicious user? How is the data that is stored on the device protected from malicious applications on the device?
- Network communication. How does the platform allow applications to communicate securely over the network? What are the platform-specific settings that need to be used to enforce restrictions such as proper Secure Sockets Layer (SSL) server certificate authentication? What are the platform-specific ways in which misconfigured communications can degrade security or pose risks?
- Cryptographic services. What capabilities does the platform provide to utilize both platform-specific cryptographic services and industry-standard cryptographic routines? How are keys stored and managed? How do the key storage and management facilities behave in situations where the device might fall into malicious hands -- or where a nonmalicious user might jailbreak or root the device?
By understanding how a given platform behaves from a security standpoint, the mobile developer can make better design and coding decisions. In addition, it's also important to understand how, and under what circumstances, the platform-provided security facilities degrade and fail.
There are a number of resources available to help developers learn about these topics. For example:
- Apple provides guidance on security concepts (and provides the Secure Coding Guide;
- Google provides a forum for Android developers to discuss security topics; and
- Denim Group provides the Secure Mobile Development Reference, which consolidates a lot of platform-specific information for mobile app developers and provides links to additional resources.
This was first published in April 2013