How do security practices for mobile apps differ from those for Web applications?
I posed this question to Jeffery Payne, CEO of software consultancy Coveros, and Dan Cornell, a principal of Denim Group Ltd., a security consultancy, in San Antonio, Texas. Both security experts emphasized that in the broadest sense, security rules that pertain to Web applications also apply for mobile apps development projects.
From threat modeling, to source code analysis and penetration testing, software teams should take steps to secure applications throughout the lifecycle, including planning, coding, testing and deployment, Payne and Cornell said.
But they also noted some key ways in which mobile applications introduce new security challenges. Here's what each of our application security experts said.
Jeffery Payne: When it comes to security, software is software is software, and all of the usual rules apply. The key thing that changes with mobile applications is the way we use them. These apps run on smartphones that fit in our pockets, and we walk around with them all the time. Our phones are easy to lose and easy to steal, and that's where the biggest security risk lies.
That said, developers need to think carefully about how a mobile app stores data, so it's not easily accessible to anyone who picks up a smartphone left lying around. Best practices include encrypting sensitive data -- credit card numbers, customer information and social security numbers. It's easy enough to do that, but mobile apps force developers to think about security in the context of mobile device usability; screens are small, keyboards are constrained and users are often working on the run. The more we lock down security, the harder it is to use the mobile app. Developers working on Web apps didn't have to pay much attention to that issue.
Another option is storing data in the random access memory [RAM], where it's easily accessible to the application but hidden from view. In this case, it's crucial to make sure the application automatically clears data from RAM -- in cases where it closes inelegantly.
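The two practices Payne describes, encrypting sensitive fields before they are stored and clearing the plaintext from RAM even when the app closes inelegantly, as an added Go example that is not code from the article, Coveros or Denim Group. It assumes the AES key is supplied by the platform keystore (never embedded in the app or stored beside the data) and uses AES-GCM so that a tampered or truncated stored record is rejected rather than decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds the AEAD. The key is assumed to come from the platform keystore.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one sensitive field (card number, SSN) before it is written to local storage.
func sealRecord(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// useRecord decrypts a stored record, hands the plaintext to use, and zeroes the
// buffer on every exit path, including a panic inside use (the "closes inelegantly" case).
func useRecord(gcm cipher.AEAD, sealed []byte, use func([]byte)) error {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return errors.New("stored record too short")
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil) // fails on wrong key or tampered file
	if err != nil {
		return err
	}
	defer func() { // runs even if use panics
		for i := range plain {
			plain[i] = 0
		}
	}()
	use(plain)
	return nil
}
```

Because the callback receives the same backing array that is zeroed afterwards, any copy the app makes of the plaintext (a string conversion, for instance) escapes this protection and must be avoided or cleared separately.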
Dan Cornell: The most important security step software teams can take with mobile apps is to conduct a group exercise where members map out the components of the mobile application, creating a visual depiction of all the systems and databases with which the mobile application is interacting. The visual approach is highly effective, because it lets developers and testers know how data flows through the application and at which points it must be secured.
An added benefit of this exercise is that it accurately conveys the complexity of enterprise mobile applications, which helps team members get past the prevalent idea that mobile apps are small and simple. That may have been true for the first generation of mobile apps, which typically carried out one simple task and didn't access data from enterprise applications. But the mobile applications under development today are nontrivial. The diagram approach also allows the team to consider where the mobile application should store data. Talking through the risks and benefits of each option in the planning stage is important, because making architectural changes after the app is done is time consuming and expensive.
This was first published in April 2013