Q

A guide to platform-specific security for the mobile developer

It's essential for the mobile developer to understand the security features of the different mobile operating systems. Dan Cornell explains the basics.

Different mobile platforms have different security characteristics. What's the best way for the mobile developer to deal with this?

For a mobile developer who wants to create secure applications, it's important to understand the security capabilities of the specific development platform or platforms.

Dan Cornell

Some organizations have adopted a "write once, run anywhere" approach to building mobile applications using HTML5 and JavaScript, which enables the mobile developer to deploy the same application on different clients, such as those running Apple iOS or Google's Android operating system. But many organizations remain committed to developing native versions of mobile applications for popular platforms, and this is where understanding the security capabilities of each of those platforms comes in.

In cases like this, organizations typically create separate teams of mobile app developers working on the different platforms. This is because mobile application development environments differ greatly between these popular platforms.

Android applications are typically developed in Java using Google plugins for the Eclipse development environment. iOS applications for the iPhone and iPad are typically developed in the Objective-C language using Apple's Xcode development environment. Java and Objective-C are very different languages, and Eclipse and Xcode are very different development tools. In addition, Android and iOS have different application programming interfaces (APIs), used by the mobile developer to accomplish different tasks.


When it comes to security, there are common themes between iOS and Android, but the platform-specific details are important. At the very least, mobile app developers should acquaint themselves with certain security capabilities, including the following:

  • Data storage. How does the platform store data on the device? What data formats are available, such as normal files, SQLite databases and key/value data stores? How is data that is stored on the device protected should the device fall into the hands of a malicious user? How is the data that is stored on the device protected from malicious applications on the device?
  • Network communication. How does the platform allow applications to communicate securely over the network? What are the platform-specific settings that need to be used to enforce restrictions such as proper Secure Sockets Layer (SSL) server certificate authentication? What are the platform-specific ways in which misconfigured communications can degrade security or pose risks?
  • Cryptographic services. What capabilities does the platform provide to utilize both platform-specific cryptographic services and industry-standard cryptographic routines? How are keys stored and managed? How do the key storage and management facilities behave in situations where the device might fall into malicious hands -- or where a nonmalicious user might jailbreak or root the device?

By understanding how a given platform behaves from a security standpoint, the mobile developer can make better design and coding decisions. It's also important to understand how, and under what circumstances, the platform-provided security facilities degrade and fail.

There are a number of resources available to help developers learn about these topics. For example:


This was first published in April 2013
