Answering your question regarding mobile development best practices is tricky, given all of the variables. With all applications, including traditional client/server and Web applications, developers have to consider things such as:
What features must be available to the user? This often defines many of the security aspects.
How can rich functionality be balanced with minimal attack surface?
What information is being input and processed? Again, this has big security implications.
Then, of course, there are all the security "best practice" documents such as the OWASP Top 10 Project and SANS Top 25 that cover input validation, user authentication, session management and the like.
In many ways, mobile can be more simplistic because functionality is often limited. That said, when considering additional security measures for mobile devices, you need to be thinking about the following things:
How can information be input into the application? There aren't as many automated tools for fuzzing and injection on mobile as there are for Web applications, but you still need to ensure this information is valid.
How can information be extracted from the application? This is often an afterthought for mobile applications. However, the forensics artifacts that are accessible when connecting to a phone or tablet in device firmware upgrade mode, using tools such as Elcomsoft iOS Forensic Toolkit and Oxygen Forensic Suite, can be very eye-opening.
How is information transmitted? Encrypted transmission is front and center for traditional applications, but it's often overlooked with mobile. I've seen plenty of applications that transmit everything in clear text HTTP.
Where will the information ultimately be transmitted to or stored indefinitely, and how will it be protected? This has security and legal implications -- especially when unsecured mobile devices and third-party cloud applications are involved.
Getting back to the original question, I'd say the single most important application security practice for mobile developers is to see the big picture. Step back and look at how everything will operate and interact to make sure you're covering all your bases. Otherwise, you're putting everything at risk, and that's not a position you want to be in.