Answering your question regarding mobile development best practices is tricky, given all of the variables. With...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
all applications, including traditional client/server and Web applications, developers have to consider things such as:
What features must be available to the user? This often defines many of the security aspects.
How can rich functionality be balanced with minimal attack surface?
What information is being input and processed? Again, this has big security implications.
Then, of course, there are all the security "best practice" documents such as the OWASP Top 10 Project and SANS Top 25 that cover input validation, user authentication, session management and the like.
In many ways, mobile can be more simplistic because functionality is often limited. That said, when considering additional security measures for mobile devices, you need to be thinking about the following things:
How can information be input into the application? There aren't as many automated tools for fuzzing and injection on mobile as there are for Web applications, but you still need to ensure this information is valid.
How can information be extracted from the application? This is often an afterthought for mobile applications. However, the forensics artifacts that are accessible when connecting to a phone or tablet in device firmware upgrade mode, using tools such as Elcomsoft iOS Forensic Toolkit and Oxygen Forensic Suite, can be very eye-opening.
How is information transmitted? Encrypted transmission is front and center for traditional applications, but it's often overlooked with mobile. I've seen plenty of applications that transmit everything in clear text HTTP.
Where will the information ultimately be transmitted to or stored indefinitely, and how will it be protected? This has security and legal implications -- especially when unsecured mobile devices and third-party cloud applications are involved.
Getting back to the original question, I'd say the single most important application security practice for mobile developers is to see the big picture. Step back and look at how everything will operate and interact to make sure you're covering all your bases. Otherwise, you're putting everything at risk, and that's not a position you want to be in.
Err on the side of protection with mobile applications
Uncovering hidden mobile app security threats
Related Q&A from Kevin Beaver
The WannaCry TCP port 445 exploit returned the spotlight to Microsoft's long-abused networking port. Network security expert Kevin Beaver explains ...continue reading
Enterprise network security expert Kevin Beaver compares and contrasts the roles of an inbound firewall and an outbound firewall. Find out what the ...continue reading
Knowing how to test for security flaws is vital, but it's a complicated and changing field. Expert Kevin Beaver offers security testing basics.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.