5 tips for secure mobile apps
Building a mobile application that meets requirements on all platforms can be a daunting task. Besides design, coding and testing, apps that store proprietary or confidential information need to be immune to leaks and hacking, especially those used by government organizations.
It isn’t easy to make apps that are completely secure. Andrew Hoog, from the security consulting firm viaForensics, last year summarized some of the challenges in an interview with Security Bistro. But that doesn’t mean it can’t be done. Developers just need to address security during the process. From Hoog and other sources, here are five tips on ensuring app security.
1. Don’t rely solely on the innate security of the device or platform.
Hoog said that because the memory of a mobile device holds on to information much longer than a desktop or server in order to save on read/write resources, its data is almost always recoverable, and therefore more vulnerable to attack.
2. Ask the OS for only for the permissions needed.
Michael Price, at Slashdot/Business Intelligence, points out that an app that has blanket permissions might do something unexpected and affect areas of the device that were not intended by the developer. Being conservative with requesting permissions is not only a good way to keep an app’s data secure, but is also a good way to test for unwarranted behavior from the app.
3. Use the HTTPS layer for all Web service connections.
Motorola has a users group for app developers using the Rhomobile suite of tools. Although members specifically discuss programming on the Rhodes framework, they bring up some basic concepts that are true for any platform or device, including using the HTTPS layer ( the “S” indicates the use of Secure Sockets Layer encryption) instead of the regular unsecured HTTP. Back when connection speeds were slow and bandwidth was at a super-premium, the best practice was to use HTTPS only when absolutely necessary, to avoid slowing things down. But now, the user would hardly know the difference if HTTPS was used for nearly everything.
4. Design a centralized logging handler.
The folks at Symantec say that security can be increased considerably with consistent logging of the application layer. Without being consistent in this area, it is more difficult to identify problems such as SQL injection attacks. They suggest designing a centralized logging handler for use with apps. As long as developers add specific methods to handle specific security events, the data stored by the logging handler should be descriptive enough for analysis to determine if an event was part of a hacking attempt.
5. Haunt the developer forums.
Of course, information changes all the time, and the best way to keep up to date on security issues is to go to the developer forums. There is an open discussion group for Android, Apple has its Developer Forum, and the BlackBerry Developers Forum has a lot of information on the various platforms.
One of the things keeping many government agencies from diving faster into a BYOD strategy is app security. Off-the-shelf apps might not meet an organization’s needs, so agencies are looking at developing apps in-house. Keeping security a top consideration at every stage of development could help allay some of those concerns.