10 Steps for Writing a Secure Mobile App
Best practices to avoid the dangers of developing vulnerability-ridden apps.
More than 4 million mobile apps are currently in production, but only 29% on average are tested for bugs, and nearly a third of these contain significant vulnerabilities, according to a recent Ponemon Institute survey.
Enterprises, meanwhile, are expected to accelerate their mobile app development in the coming months, according to a recent Gartner survey. On average, enterprises deployed eight mobile apps from the start of the year, with nearly nine more on tap or planned through June, the survey found.
"Developers are less careful when developing apps for internal use because they want to develop it fast, so it can achieve some purpose," says Vivien Raoul, chief technical officer and co-founder of Pradeo, which recently published the Mobile Application Security Guide.
Whether enterprises develop mobile apps for internal use or to help customers use their service, they face consequences if the app turns out to be vulnerable. Organizations whose apps serve customers also risk a civil complaint if those apps aren't up to snuff on security.
The Federal Trade Commission, for example, has been slapping companies with civil lawsuits over the way enterprises have handled the security of their mobile app development efforts. Enterprises that have felt the FTC's wrath include Upromise, Credit Karma, and Fandango.
Here are key steps for creating a secure enterprise mobile app:
One of the first steps a developer needs to take, before writing a single line of code, is to determine the framework and ecosystem for the mobile app.
Internal requirements, such as the purpose of the app, what data it will have access to, and any user restrictions, are some of the elements that should be considered, Raoul says. General regulatory obligations and industry-specific expectations, such as the GDPR, are also important elements of the framework, he adds.
The ecosystem also needs consideration, Raoul says. For example, developers need to account for whether employees and customers will be using the app over an unsecured Wi-Fi network.
One person on the development team should be tasked with ensuring that security is considered for each phase of the app's development, according to the Federal Trade Commission's (FTC) publication, App Developers: Start with Security.
"While everyone on a team should ideally have basic security training, in the rush to market some developers might be more concerned with whether the app will function properly or how to improve the user experience. Designating a team member primarily responsible for security helps to ensure that security challenges do not fall through the cracks," says Jared Ho, an FTC senior attorney in the Privacy and Identity Protection Division.
Evaluate the type of data that the app needs to function, and restrict data collection only to those areas. For example, a timesheet app would have little need to gain access to an employee's photos.
"The more sensitive information that a business collects, the more information that is at risk of exposure in the event of a security breach. This could have a material impact not only on consumers but also on the reputation of a business," says Ho.
Enterprises should consider classifying apps based on the function they perform and filtering the information they retrieve, Pradeo's Raoul suggests. Contact data gleaned by a mobile app may make sense for some departments within an enterprise, but other departments, such as the CEO's office, may need the flexibility to filter that data, he adds.
Mobile app platforms need to be researched and configured appropriately, given each mobile operating system uses different APIs, security features, and permissions, according to the FTC.
"Businesses should make their own determination as to whether this guidance applies to the specifics of their internal apps," Ho says.
He notes the FTC's suggestion stems from its cases against Credit Karma and Fandango, in which the agency alleges the companies failed to properly implement SSL encryption.
"The lesson here is that developers should make sure to follow the security guidelines that a platform offers," Ho says.
When enterprises create apps that will be posted to Google Play or the App Store, it's important to create secure credentials. For example, a short password with a string of numbers may be fine for an authentication token, but it may be ineffective for a social networking app, according to the FTC.
"Credentials and passwords are keys to the kingdom. The level of reasonableness in how credentials are secured might vary depending on the type of information being protected," says Ho.
The FTC also advises against storing passwords in plain text on a server. Developers and security teams should instead use an iterated cryptographic hash function to hash users' passwords, store only the resulting hash values, and verify login attempts against them.
Enterprise mobile apps should ideally be communicating with a server that is secure, or with a cloud provider, where the enterprise understands which party is responsible for updating the software and securing the servers, advises the FTC, which published a privacy guide for enterprises.
"We caution that when designing a network, businesses should consider using tools like firewalls to segment their networks, thereby limiting access between computers on a network and between computers and the Internet," Ho says.
Conducting a security test on the mobile app is just as important as testing its functionality and user friendliness, says Raoul. The test will not only look for vulnerabilities and unexpected behaviors in the app, but will also measure the app's security against any compliance requirements that apply.
In its mobile application security guide, Pradeo states the analysis "should control against known and unknown malicious behaviors, the company policy and vulnerabilities exploitation. It should avoid any estimation and provide a precise conclusion on the Application."
Hardening the mobile app is the last stage in the development process and is designed to prevent and mitigate tampering of the data by malicious attackers, Raoul says.
That means communications authentication, reverse-engineering, data-tampering prevention, and enacting lock mode in case data is compromised.
"You want to harden the data so it can't be changed, even if the app is modified," he says.