Mobile devices and the apps that run on them demand high levels of security. The devices themselves are easy to lose and steal, and are widely used for activities that involve sensitive data. What's more, organizations that build mobile apps -- even those with effective enterprise mobility policies in place -- cannot fully control the devices they run on. All this has huge implications for mobile app security. In this article, two experts offer advice to developers and testers engaged in mobile projects.
Don't allow the app to save passwords. With mobile apps, developers seek to strike a balance between protecting sensitive data and providing better usability, said Brian Shura, president of App Security Consulting in San Jose, CA. But effective mobile app security strategies demand that you err on the side of protection, he said. Even though keyboard and screen size constrain the usability of mobile devices, apps that run on these devices should require users to enter their passwords every time they log on. From the get-go, the app should be designed in such a way that it cannot store passwords, said Shura. With desktop apps, allowing users to save passwords to speed up future log-ins is reasonable. In mobile apps, it's not.
Encrypt data in transit. This seems obvious, said Frank Kim, founder of application security consultancy ThinkSec. But in the process of conducting security audits, Kim has seen his share of mobile apps that overlook this simple step. "In the rush to deliver mobile apps, developers are making a lot of the same mistakes they made with early Web apps."
Conduct source code reviews. Source code scanners, available from open source projects and commercial toolmakers, are a key component of mobile app security projects (as well as other development projects), said Shura. These tools scan apps to find code that is vulnerable to SQL injection and other attacks and suggest fixes to make code more secure. For the iPhone operating system (iOS), you are typically scanning Objective-C code; for the Android operating system, it's Java, said Shura. If you have engaged an outside firm to security-test your app, keep in mind that you have to supply source code in order for the firm to address this particular aspect of mobile app security, said Shura. If you don't, security testing can still be done, but it involves reverse engineering the app and doing black box testing, also known as dynamic testing.
"Listen" to the traffic that flows between the mobile app and Web server. Also valuable for mobile app security are tools that let you view Web traffic, said Shura. "Manually analyze the traffic and look for method calls that could be manipulated."
Store as little data as possible on the mobile device. "Think of your mobile app as a low-trust environment," said Kim, curriculum lead for application security at security training organization The SANS Institute. "Ask yourself: 'Does the app really need data there?'" Often, you will find that it doesn't, he said. Again, you are striking a balance between usability and security, erring on the side of security.
Contain sensitive corporate data. Container techniques can help ensure mobile app security by downloading sensitive corporate data into a separate container in the mobile app, said Kim. That way, the app treats corporate as more sensitive than other data, such as pictures of your kids, he said.