We all know that security is important. In mobile application development, breaches are costly both financially and in terms of the trust of consumers and employees.
There are many studies that illustrate the challenge and cost of security flaws:
- According to data from Arxan Technologies, 100 percent of the top 100 paid apps on Google Play have malicious variants. The same is true of 92 percent of the top 100 paid iOS apps.
- The average cost of a data breach is $3.5 million, counting lawsuits, loss of customer trust and damage to the brand. The excellent IBM X-Force Threat Intelligence report describes this another way: each lost record costs $136.
- Fixing bugs in production is around 30 times more expensive than fixing them in development.
What can we do about this? The goal of mobile development is to get faster, to become more iterative and to increase agility, while maintaining or even reducing costs.
Here is the good news. Mobile development is still a fairly new area and is growing in maturity, but there are already well-established practices that can be applied to build security into your mobile solution from the start.
1. Automate application scanning
The key to maintaining rapid development cycles is to automate the scanning of the mobile application as part of development builds. That way security testing isn’t left to the end of the development phase but is integral to the iterative development and testing cycle. This increases the speed of development, reduces the cost of fixing issues and improves the security testing coverage.
Scanning tools, such as IBM Security AppScan Source, give broad coverage of known vulnerability classes, including those catalogued by the Open Web Application Security Project (OWASP) in its Top 10 and Mobile Top 10 lists. Importantly, these tools are maintained and updated as new issues are discovered, so it isn't left to the developer to become an expert in each and every vulnerability. Treat the scan as a gate in the build: a finding above an agreed severity fails the build, and anything a scanner cannot see (business-logic flaws, server-side authorization mistakes) still needs a manual review or penetration test.
2. Use proven architectures
All engaging mobile applications need access to real data and perform real transactions, which requires secure integration with cloud and on-premises systems. The top OWASP mobile risk (M1) is defined as "weak server-side controls": the familiar web application security issues, such as injection and broken authentication, showing up in the back-end services the app calls.
How do we provide secure access to this data? There is already a well-known deployment pattern, and we can use a lot of the learning that we have obtained over recent years with application servers and other middleware.
Don’t build a custom mobile gateway. Consider the security requirements for your solution, and use existing middleware that is hardened and proven.
- IBM MobileFirst Platform and IBM Bluemix server code provide authorized access to data and server-side business logic.
- IBM Security Access Manager for Mobile provides enterprise access management, single sign-on and risk-based authorization.
- IBM DataPower provides transport-level security together with XML and JSON threat protection.
One of the benefits that mobile has over traditional web security is the extra context a request can carry: which network it came over, where the device is, whether the device is compromised (using the IBM Security Trusteer Mobile SDK) and so on. These signals feed a risk score that drives the authorization decision, for example allowing the request, demanding step-up authentication or denying it outright. Treat the signals as untrusted input: a report from the device can raise the risk of a request, but a tampered client will happily report that everything is fine, so the absence of a warning should never lower it.
3. Encrypt sensitive data
It is also important to consider the security of the data itself. Gone are the days when data stayed safely behind the enterprise firewall: data is going mobile, and it needs to be handled accordingly. Combine that with the fact that the mobile device and the application on it can be compromised, and you can see how important it is to keep the data secure wherever it is.
Only store the data you absolutely need. Don't keep anything highly sensitive, such as full credit card numbers, on the device. Consider writing purge routines that periodically remove data held offline once it is no longer needed.
Encrypt sensitive data when it does need to be stored. Technologies such as IBM MobileFirst Platform provide an encrypted on-device database, JSONStore, with strong encryption. This addresses the second-highest OWASP mobile risk, "insecure data storage." Whatever store you use, its strength comes down to how the key is protected: derive it from something the user supplies or hold it in the platform keystore, and never hard-code it in the app binary.
As I mentioned, a lot of standards, styles and techniques for developing mobile applications are still maturing, but that doesn’t mean that security must be immature. There are great platforms and technologies available that can take the burden of building and maintaining secure mobile applications, mobile infrastructures and data away from the developer.
Do you have tips or techniques that you use to build good security into your development processes? Leave comments here, or contact me on Twitter at @jmarshall1.