Thep Urai - Fotolia
Security should be at the heart of any mobile app development strategy, but with so many potential vulnerabilities, it's often difficult to find a process that targets each one.
Few organizations conduct business these days without the help of mobile apps, many of which store, display or transmit sensitive data. A business app that does not include proper security protections can put corporate resources and personal information at risk, potentially resulting in fines, lawsuits and tarnished reputations. Here are five points of a mobile app security checklist that development teams should use when building business apps for their organizations.
1. Think security from the start
Developers should treat mobile app security as one of the project's top priorities from its inception. All other considerations are built on the premise that security will play a central role throughout each phase of the development process. Consider designating at least one individual to oversee a mobile app security checklist during the development and deployment stages.
By prioritizing security from the start, an app is more likely to avoid security issues later in its lifecycle, when fixes can be costly and resource-intensive. When a team tries to retrofit security into a poorly designed app, it can result in performance issues, disrupted business processes and a degraded user experience.
2. Understand platforms and frameworks
Most mobile apps now run on either Google Android or Apple iOS devices, with relatively few running on Windows devices and fewer still on BlackBerry devices. Organizations often need to build apps that target more than one of these operating systems. Developers should fully understand how security works in each targeted OS and the risks that come with using device features such as the camera or GPS.
Development teams should also research and evaluate any other technologies used to build their apps, including software libraries, application programming interfaces (APIs), software development kits (SDKs) and cross-platform frameworks. Consider whether the technologies have known security issues, how widely they've been implemented and what the development community is saying about them.
What's your mobile app security strategy?
This is the first article of a two-part mobile app security checklist. The second article discusses factors such as back-end systems, third-party services and built-in protections.
3. Implement strong authentication and authorization
One of the most important steps on a mobile app security checklist is to implement strong authentication and authorization mechanisms that take privacy, session management, identity management and device security features into account. The app should also enforce multi-factor authentication, rather than rely on usernames and passwords alone.
When setting up these mechanisms, the team should use proven technologies such as the OAuth 2.0 authorization framework or the OpenID Connect protocol, and it should implement the most current versions. In addition, the team should protect authentication data such as passwords at every stage of the authentication process. If an app handles highly sensitive data, developers should require users to log in for each new session.
4. Ensure secure communications
Business apps routinely communicate with other systems such as back-end servers, cloud-based services or other applications. When completing a mobile app security checklist, make sure that the app protects all sensitive data while in motion, even if all communication takes place inside the corporate firewall. Where appropriate, the app should use technologies such as the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol, and have a process to validate security certificates. The development team should consider certificate pinning, if possible, or another layer of encryption on top of SSL or TLS.
In addition, the development team should secure all APIs that the app uses. The team might also consider such technologies as virtual private networks (VPNs), JSON Web Tokens or platform-specific security features. For example, iOS includes App Transport Security, a feature that forces apps to use Hypertext Transfer Protocol Secure when connecting to back-end services. The team must also ensure that no sensitive data is exposed through push notifications, text messages or other forms of communication.
5. Protect app data on the device
Developers should assume that IT can recover any data written to a device. When possible, they should avoid storing sensitive data on the device. If it's necessary, developers and IT should encrypt it wherever it resides, whether in files, databases or other data stores. Developers should use the latest and most proven encryption technologies available, such as the 256-bit Advanced Encryption Standard symmetric-key algorithm. Developers should also factor encryption key management into the app security strategy.
When the app needs to display sensitive data, developers should mask the data where appropriate, exposing only what is necessary, such as the last four digits of a credit card or Social Security number. The team should protect personal information and factor in industry regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard.