Security is a crucial component of any mobile app development strategy -- but with a myriad of security considerations, it's often difficult to get started.
Part one of this mobile app development security checklist discussed the importance of having a security-first strategy from the start, as well as implementing strong authentication, authorization and communications throughout the process. In part two, learn other important mobile app security best practices.
6. Build protections into the app
When developers focus on mobile app development security best practices, they should consider such strategies as code obfuscation, binary hardening, app code encryption and API encryption. If the app will accept data from external sources, the code should include input validation capabilities to avoid exploits such as code injection. The app should also implement session timeouts and avoid using non-Secure Sockets Layer or non-TLS links to outside services.
What's your mobile app security strategy?
This is the second article of a two-part series on mobile app security. The first article discusses factors such as authentication, communications and data on mobile devices.
Since app development technologies evolve quickly, developers must stay abreast of those changes to ensure that they're using the most secure tools and writing code based on the latest best practices.
7. Secure back-end systems
Most business apps connect to at least one back-end system, which can potentially expose those systems to new vulnerabilities. IT pros should evaluate all back-end systems that support mobile apps for possible risks, and should pay close attention to the APIs supporting app connectivity.
IT pros should base resource access on the principles of least privilege so that authorized accounts can access only the resources they need and nothing else.
Mobile app development challenges and how the cloud helps
Organizations should use security technologies to ensure end-to-end protection of back-end systems. For example, IT might use virtual private networks or containerization to provide additional levels of security. The goal is to protect all the components, including file and application servers, network connections, database management systems and other data stores.
IT pros should encrypt data even if it resides behind a corporate firewall.
8. Use caution with third-party services
An organization that plans to use outside services must fully vet the provider to ensure that those services can meet the organization's security requirements. To comply with mobile app development security best practices, the IT team should know how the third party secures data and ensures privacy, keeping in mind applicable regulatory requirements.
Developers must also fully protect any APIs that facilitate connectivity between the app and services, ensuring that those APIs don't permit unnecessary access to parts of the app. The IT team should have a clear understanding of what level of control it has over the provider's services, when and how the third party applies security patches, and other security-related factors.
9. Test, review and verify
Like any application, developers and IT pros must fully test a mobile app for security vulnerabilities before they deploy the app. The quality assurance team should perform dynamic and static tests that look for risks such as buffer overflows, string formatting issues and other code-level vulnerabilities. The team should also use penetration testing to search for issues related to authentication, authorization, session management and data security.
In addition, the development team should have a peer review process that looks for security flaws in the code. The team might also consider source code scanning to help identify common issues and risks. If privacy standards such as HIPAA are a consideration, the testing and review processes must also take these standards into account. In some cases, a team might benefit from consulting with a security specialist who has expertise in mobile business apps.
10. Think security to the end
Mobile app development security best practices don't end as soon as IT pros deploy the application. Technologies change, new vulnerabilities emerge and miscalculations are exposed. No matter how attentive a team is to security when they develop an app, IT pros must continue to use due diligence to ensure that the app remains secure and to address security issues as soon as they arise.
The team should apply security patches and updates to the app and supporting systems in a timely manner, including software libraries, operating systems and storage firmware. Administrators should also enforce security policies by requiring users to change their initial passwords upon the first login. In addition, they should regularly monitor the apps and supporting systems for security issues and potential risks.
The key to ensuring an app's security over its lifespan is to use mobile app development security best practices from beginning to end.