5 tips on developing secure mobile applications
The secret of developing secure mobile applications (or any applications, for that matter) can be summarised in 5 steps. These do not require a huge amount of skill to implement, and they are nothing more than common sense. We accept that the better an individual developer’s skills and security awareness, the better the quality of their output in terms of raw code. The rules below can be applied to any project and to teams of any skill level, and the result will be the same: implement the rules effectively, and you will vastly improve the final security model of the system you are developing.
1) Be clear and specific about the security objectives
This means understanding what business functions the application is going to perform, and the sensitivity and criticality of the data the application will access or manage. For example, an application likely to contain identifiable medical data would logically have a high emphasis placed on confidentiality, while an application remotely monitoring a patient’s heartbeat will need to have an emphasis on availability and the integrity of the data. Similarly, an application that processes payments may have a high requirement for all three: confidentiality, integrity and availability. Security objectives need to be defined and mandated by senior stakeholders and/or organisational risk owners, and should never be left to the discretion of the developers.
2) Perform early stage threat modelling
The application and its inputs and outputs have to work under an assigned trust model. As the level of trust increases, the associated security controls must account for this. Modelling an application data flow diagram, and then applying trust boundaries over the top of it, will clearly demarcate all of the areas where the authentication and authorisation model needs to be effectively implemented. Understanding where the issues may occur goes a very long way in helping to avoid them.
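As an added illustration of the step above (not code from the original article), the following Python example records a data flow diagram as a list of flows, overlays trust zones on it, and reports every flow that enters a more trusted zone without authentication or authorisation. The mobile payments app, its element names and the zone levels are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed trust zones (assumption): a higher number means a more trusted zone.
ZONES = {"internet": 0, "device": 1, "dmz": 2, "internal": 3}

# Constructed DFD elements for a hypothetical mobile payments app: element -> zone.
ELEMENTS = {
    "user": "internet",
    "mobile_app": "device",
    "api_gateway": "dmz",
    "payment_service": "internal",
    "card_db": "internal",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    authenticated: bool = False  # is the caller's identity verified on this flow?
    authorised: bool = False     # is the caller's right to do this checked?

# Constructed data flows, with the controls the design currently specifies.
FLOWS = [
    Flow("user", "mobile_app", "PIN entry", authenticated=True, authorised=True),
    Flow("mobile_app", "api_gateway", "payment request", authenticated=True),
    Flow("api_gateway", "payment_service", "payment request"),
    Flow("payment_service", "card_db", "card lookup"),
]

def boundary_crossings(elements, flows, zones=ZONES):
    """Return the flows whose source and destination sit in different trust zones."""
    return [f for f in flows if zones[elements[f.src]] != zones[elements[f.dst]]]

def missing_controls(elements, flows, zones=ZONES):
    """For each flow entering a more trusted zone, list the controls not yet in place."""
    findings = []
    for f in boundary_crossings(elements, flows, zones):
        if zones[elements[f.dst]] > zones[elements[f.src]]:
            checks = (("authentication", f.authenticated),
                      ("authorisation", f.authorised))
            gaps = [name for name, ok in checks if not ok]
            if gaps:
                findings.append((f.src, f.dst, f.data, gaps))
    return findings

if __name__ == "__main__":
    for src, dst, data, gaps in missing_controls(ELEMENTS, FLOWS):
        print(f"{src} -> {dst} ({data}): missing {', '.join(gaps)}")
```

The flow between `payment_service` and `card_db` is not reported because both sit in the same zone; whether flows inside a zone also need checks is a design decision this example does not make.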
3) Documentation – Secure coding guidelines
It is very important to document coding standards and guidelines, and to integrate the information defined in steps 1 and 2 into them. Coding standards not only define what is expected of the development team, but also serve as a resource and checklist when it comes to the security architecture of the application.
4) Frequent code review and access to security expertise
Both peer review and third-party review of the code are advisable, as is having access to the relevant security expertise and training for the developers.
5) Thorough end-to-end penetration testing of the solution
If steps 1-4 have been followed effectively, the final penetration test against the application will validate the security of the application, and the system can then go live, on time and on budget. Where security has not been effectively thought through during the development lifecycle, it is our experience that security flaws will be identified, requiring further development and testing, putting a strain on both budgets and deadlines.
JUMPSEC have helped hundreds of organisations embed effective security into their development lifecycle – for more information please get in touch.