This content is part of the Essential Guide: Essential guide to mobile application platforms
Manage Learn to apply best practices and optimize your operations.

What are mobile development best practices for app security?

What is the single most important application security best practice for mobile developers? Security expert Kevin Beaver provides an answer.

Answering your question regarding mobile development best practices is tricky, given all of the variables. With all applications, including traditional client/server and Web applications, developers have to consider things such as:

What features must be available to the user? This often defines many of the security aspects.

How can rich functionality be balanced with minimal attack surface?

What information is being input and processed? Again, this has big security implications.

Then, of course, there are all the security "best practice" documents such as the OWASP Top 10 Project and SANS Top 25 that cover input validation, user authentication, session management and the like.

In many ways, mobile can be more simplistic because functionality is often limited. That said, when considering additional security measures for mobile devices, you need to be thinking about the following things:

How can information be input into the application? There aren't as many automated tools for fuzzing and injection on mobile as there are for Web applications, but you still need to ensure this information is valid.

How can information be extracted from the application? This is often an afterthought for mobile applications. However, the forensics artifacts that are accessible when connecting to a phone or tablet in device firmware upgrade mode, using tools such as Elcomsoft iOS Forensic Toolkit and Oxygen Forensic Suite, can be very eye-opening.

How is information transmitted? Encrypted transmission is front and center for traditional applications, but it's often overlooked with mobile. I've seen plenty of applications that transmit everything in clear text HTTP.

Where will the information ultimately be transmitted to or stored indefinitely, and how will it be protected? This has security and legal implications -- especially when unsecured mobile devices and third-party cloud applications are involved.

Getting back to the original question, I'd say the single most important application security practice for mobile developers is to see the big picture. Step back and look at how everything will operate and interact to make sure you're covering all your bases. Otherwise, you're putting everything at risk, and that's not a position you want to be in.

Next Steps

Err on the side of protection with mobile applications

Uncovering hidden mobile app security threats

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What do you think are the most important application security best practices for mobile developers?
Thanks Kevin. I've been on both sides - consumer and developer - and can attest that the last thing I was thinking about with my Whiffle Ball app (ok, it's a game), was where the data would go once we collected it, how we'd keep it safe, and what methods would be used to keep transmitted info safe. I think a lot of developers are not seeing the big picture as their goal is to make an app that does what THEY want it to do, not what is safe for consumers or the enterprise. Scary stuff, but worth understanding.