8 security questions to ask before building mobile apps

Enterprise organizations are rushing to build iPhone, iPad, Android and BlackBerry applications to deepen their customer experiences and extend the ways their customers can purchase from them.

The demand for these applications is driving development at a rapid pace. Unfortunately, the risks associated with mobile applications are different from typical enterprise software. Also, security is rarely a project driver in the mobile software world.


Business line managers need to make sure that the marketing and IT managers who are building mobile applications are protecting customer data and not inadvertently opening up unexpected security holes for outside attackers. Here are eight questions to ask them before proceeding.

1. How does the risk of software on mobile devices differ from that of enterprise software?

The very definition of mobile software is that it exists on a device outside your enterprise environment, on the handset or tablet of an outside person, perhaps a customer. You should assume that the device will be jailbroken and your source code reverse engineered. In addition, you will have little, if any, indication that someone is tinkering with your mobile application. Much of the attack prevention and detection will instead have to be based on examining how the mobile device interacts with internal servers.

2. How do these mobile applications interact with our internal servers?

Much of the media focus on mobile security is centered on the security of the device. In reality, most of the risk may exist where the mobile device interacts with externally facing servers. An organization's threat modeling and testing should reflect that reality. If the device can be jailbroken and the code reverse engineered, an attacker with modest skills can identify the target server that receives inbound requests from your mobile devices. At that point, the server has to be able to withstand a variety of application and network attacks.
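The practical consequence of this point is that the server must validate everything itself, because any check done inside the app can be bypassed once the app is reverse engineered. The following is an added example, not code from the article or from any named product: a server-side handler for a constructed "transfer" request from a mobile client. It verifies a server-signed session token, rejects oversized or malformed bodies, whitelists fields, range-checks values, and checks that the session user actually owns the account being acted on. The signing key, field names, account table and sample requests are all constructed for the illustration.

```python
"""Server-side validation of requests arriving from a mobile client.

Added example; assumes a JSON body with a session token. Every name, key
and sample value here is constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed server-only secret. It never ships inside the app binary,
# which we assume has been reverse engineered.
SERVER_KEY = b"constructed-server-only-key"
TOKEN_TTL_SECONDS = 900
MAX_BODY_BYTES = 4096
ALLOWED_FIELDS = {"token", "account_id", "amount_cents"}

# Constructed ownership table standing in for a real database lookup.
_OWNERS = {"acct123": "alice", "acct456": "bob"}


def account_belongs_to(account_id: str, user_id: str) -> bool:
    """Authorization check: the account must belong to the session's user."""
    return _OWNERS.get(account_id) == user_id


def issue_token(user_id: str, now: float) -> str:
    """Build a session token 'user_id.expiry.hmac', signed only on the server."""
    expiry = int(now) + TOKEN_TTL_SECONDS
    payload = f"{user_id}.{expiry}"
    sig = hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, now: float):
    """Return the user_id if the token is well-formed, unexpired and signed, else None."""
    parts = token.rsplit(".", 2)  # rsplit so a user_id may itself contain dots
    if len(parts) != 3:
        return None
    user_id, expiry_str, sig = parts
    if not expiry_str.isdigit() or int(expiry_str) < now:
        return None
    expected = hmac.new(SERVER_KEY, f"{user_id}.{expiry_str}".encode("utf-8"),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return user_id


def handle_transfer(raw_body: bytes, now: float) -> dict:
    """Validate every field server-side; client-side checks are assumed bypassed."""
    if len(raw_body) > MAX_BODY_BYTES:
        return {"status": 413, "error": "body too large"}
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"status": 400, "error": "malformed JSON"}
    if not isinstance(body, dict) or set(body) != ALLOWED_FIELDS:
        return {"status": 400, "error": "unexpected or missing fields"}
    user_id = verify_token(str(body["token"]), now)
    if user_id is None:
        return {"status": 401, "error": "invalid or expired session"}
    account_id = body["account_id"]
    if not (isinstance(account_id, str) and account_id.isalnum() and len(account_id) <= 16):
        return {"status": 400, "error": "bad account_id"}
    amount = body["amount_cents"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not (isinstance(amount, int) and not isinstance(amount, bool) and 0 < amount <= 1_000_000):
        return {"status": 400, "error": "bad amount"}
    if not account_belongs_to(account_id, user_id):
        return {"status": 403, "error": "account not owned by session user"}
    return {"status": 200, "user_id": user_id, "account_id": account_id, "amount_cents": amount}


def run_demo(now: float) -> dict:
    """Exercise the handler with constructed well-formed and tampered requests."""
    token = issue_token("alice", now)

    def body(**fields) -> bytes:
        return json.dumps(fields).encode("utf-8")

    forged = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "valid": handle_transfer(body(token=token, account_id="acct123", amount_cents=500), now)["status"],
        "other_users_account": handle_transfer(body(token=token, account_id="acct456", amount_cents=500), now)["status"],
        "forged_signature": handle_transfer(body(token=forged, account_id="acct123", amount_cents=500), now)["status"],
        "expired": handle_transfer(body(token=token, account_id="acct123", amount_cents=500),
                                   now + TOKEN_TTL_SECONDS + 1)["status"],
        "negative_amount": handle_transfer(body(token=token, account_id="acct123", amount_cents=-5), now)["status"],
        "extra_field": handle_transfer(body(token=token, account_id="acct123", amount_cents=5, debug=True), now)["status"],
        "not_json": handle_transfer(b"\xff\xfe", now)["status"],
    }


if __name__ == "__main__":
    for name, status in run_demo(1_700_000_000.0).items():
        print(f"{name:>20}: {status}")
```

The design point is that nothing about the request is trusted: the token is signed with a key only the server holds, so a modified app cannot mint its own; the field whitelist and range checks run regardless of what the app's UI permits; and the ownership check runs after authentication, so a valid session cannot be used to act on someone else's account.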

3. Do we have the internal skill set to manage this risk?

Given the explosion of demand for iPhone, iPad, Android, and BlackBerry applications, software developers with even modest experience are in high demand by enterprise leaders. Make a concerted effort to quantify your internal skill sets in mobile development, or move quickly to pull in the small but growing community of mobile software security experts to help you lock down your mobile applications.

4. Are mobile code developers more or less likely than other developers to understand security concepts?

Unfortunately, for many the answer is "less," but certain high-profile mobile code issues might be changing this. Much of the talent in this emerging market comes either from the interactive and creative world or from the closed-system device development world. Neither is used to building "rugged" enterprise software that will withstand the rigors of Internet attacks. Furthermore, developers' unfamiliarity with mobile environments can lead to mistakes with security implications.

5. Are we certain that confidential client information will not remain on a device after a session is finished?

Software developers should write code that does not allow private data to persist after a customer has finished a browsing session, given the vulnerable nature of mobile devices. Also, an organization must keep up on whether certain browsers or operating systems circumvent these controls. Keeping an eye on mobile browser and OS weaknesses is a must.

6. What processes are in place to respond should there be a loss of customer data or breach associated with a mobile application?

Incident response processes that exist for the enterprise should be mapped to the mobile world, including both internal and external players. Benchmark against others and consider conducting an exercise based on the loss of customer data. Those that have done so have been surprised at who interacts with mobile development in the enterprise. Are you prepared to pull the plug on mobile phones when a particularly nasty vulnerability comes to light?

7. What organization (enterprise, device provider, mobile OS provider) is responsible for security?

Given that there are several key architectural dependencies, if a breach occurs who is responsible for what aspect of the environment, be it device, OS, or application? Understanding this ecosystem will help you manage a security incident with a mobile application.

8. What development approaches are in place to build more secure mobile applications?

Has the development approach for mobile applications changed, given the inherent weakness of the mobile environment? What coding standards do you have for mobile code? How are these standards enforced? Are they checked frequently, or only for certain high-profile releases? Cutting-edge mobile development projects must be brought in line with organizational standards for developing secure software, and these standards must be augmented to reflect the more complicated threat models associated with mobile applications.

Savvy security managers are well served to ask these questions earlier rather than later in the process of building mobile applications. Mobile applications are here to stay, and organizations that quickly define mobile security strategies enable business units to capitalize on the opportunity that mobile software represents.

Stories by John Dickson