A guide to platform-specific security for the mobile developer

Different mobile platforms have different security characteristics. What's the best way for the mobile developer to deal with this?

For a mobile developer who wants to create secure applications, it's important to understand the security capabilities of the specific development platform or platforms.

Dan Cornell

Some organizations have adopted a "write once, run anywhere" approach to building mobile applications using HTML5 and JavaScript, which enables the mobile developer to deploy the same application on different clients, such as those running Apple iOS or Google's Android operating system. But many organizations remain committed to developing native versions of mobile applications for popular platforms, and this is where understanding the security capabilities of each of those platforms comes in.

In cases like this, organizations typically create separate teams of mobile app developers working on the different platforms. This is because mobile application development environments differ greatly between these popular platforms.

Android applications are typically developed in Java using Google plugins for the Eclipse development environment. iOS applications for the iPhone and iPad are typically developed in the Objective-C language using Apple's Xcode development environment. Java and Objective-C are very different languages, and Eclipse and Xcode are very different development tools. In addition, Android and iOS have different application programming interfaces (APIs), which the mobile developer uses to accomplish different tasks.

When it comes to security, there are common themes between iOS and Android, but the platform-specific details are important. At the very least, mobile app developers should acquaint themselves with certain security capabilities, including the following:

  • Data storage. How does the platform store data on the device? What data formats are available, such as normal files, SQLite databases and key/value data stores? How is data stored on the device protected should the device fall into the hands of a malicious user? How is data stored on the device protected from malicious applications on the same device?
  • Network communication. How does the platform allow applications to communicate securely over the network? What are the platform-specific settings that need to be used to enforce restrictions such as proper Secure Sockets Layer (SSL) server certificate authentication? What are the platform-specific ways in which misconfigured communications can degrade security or pose risks?
  • Cryptographic services. What capabilities does the platform provide to utilize both platform-specific cryptographic services and industry-standard cryptographic routines? How are keys stored and managed? How do the key storage and management facilities behave in situations where the device might fall into malicious hands -- or where a nonmalicious user might jailbreak or root the device?
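
As an added example (not from the original article), the contrast the network communication bullet describes, written in the Java that Android applications use and relying only on the standard javax.net.ssl APIs: a trust-everything TrustManager that silently disables server certificate authentication, beside a configuration that trusts only a CA certificate bundled with the app. The class name and the PEM input stream are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsConfig {

    // WEAK: a TrustManager that accepts any certificate chain. Code like this is
    // often added to silence errors against a test server; if it ships, any host
    // on the network path can present its own certificate and read the traffic.
    static SSLContext trustEverything() throws Exception {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx;
    }

    // HARDENED: trust only the organisation's own CA, read from a PEM stream the
    // app bundles (assumed placeholder). A server chain not issued by that CA
    // fails the handshake, and the platform's default validation still applies.
    static SSLContext trustPinnedCa(InputStream pemCert) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(pemCert);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory trust store
        ks.setCertificateEntry("pinned-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier; one that always returns true
        // undoes the certificate check just as thoroughly as trustEverything().
        return conn;
    }
}
```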

By understanding how a given platform behaves from a security standpoint, the mobile developer can make better design and coding decisions. It is also important to understand how, and under what circumstances, the platform-provided security facilities degrade and fail.

There are a number of resources available to help developers learn about these topics. For example:

This was first published in April 2013
