Apple CEO Tim Cook noted at the company's Worldwide Developers Conference in June that there are more than nine million registered mobile application developers, a 47 percent increase from last year. While it's exciting to have more individuals bringing their skills and creativity to the industry, this explosion of developers and new apps is accompanied by an increased threat of malicious attacks.
It is essential for you as developers to be familiar with the latest security practices. It protects your reputation, keeping the focus on the innovative apps you create rather than on an incident in which an oversight of yours led to user data being compromised.
Many developers mistakenly view the mobile landscape as immune to threats. This false sense of security leads some developers to skimp on precautions, resulting in serious information breaches such as that of the Fandango app earlier this year. The truth is that mobile app security is just as crucial as Web security. Mobile apps are an entry point into the secure areas of an enterprise, and the responsibility for making sure that gate is properly defended falls to the developer.
Even developers with good intentions may not be well versed in all that is necessary to protect users. I often hear security talked about in very abstract terms. Developers think, "I've got to make sure my app is secure," but many don't know what that actually means or what resources are available.
I'd like to share five things I recommend developers do to protect apps:
- Rethink security and integrate it into development. Some of the most common mistakes I've seen center on isolating security as a single step in the process. Security should be holistic and systematic. Gaps often occur when developers try to cobble together a security plan at the end of development. I've also seen many developers do an excellent job securing parts of their code, but they neglect to take a step back and look at their entire codebase.
- Know the basics. An important early step is learning what the basic security threats are. One invaluable resource is the Open Web Application Security Project (OWASP) Mobile Top 10 report. It details the 10 most critical security threats to mobile applications. It is updated each year and should be referenced regularly. This is especially important for new developers. It may seem basic, but following OWASP's recommendations will keep you abreast of the measures you should be taking.
- Use a tried-and-true security scheme. Don't try to reinvent the wheel. All the major operating systems have NIST-certified crypto frameworks that have been aggressively vetted by experts. Developers who try to make their own scheme often end up vulnerable to breaches.
- Protect data at rest. Data at rest is a common point of exposure, especially if you gather any sensitive data. There are many options that stave off attacks on your data at rest, such as erasing the data as soon as you are able, shutting down anything you don't need in your production environment, and implementing an asymmetric encryption solution. The latter keeps data at rest secure even if the device is compromised, because the private keys that can decrypt the data are never actually present on the device.
- Implement certificate pinning. The "goto fail" bug Apple had in iOS 7 and OS X should be a lesson to all developers. The bug skipped the SSL certificate check, so the certificate was never verified as authentic. Although it's important to use SSL, it isn't enough if you're not validating the certificates you receive. You need to make sure you are actually verifying the certificate back to a source you trust, to avoid any attacks that could come during requests.
Attacks on mobile apps will only increase as smartphones and tablets become our screens of choice. It won't matter that your next app is an epic success if it is not properly secured. Keeping an eye toward developing securely will protect not only those who use your app, but also your own reputation and professional future.
Jared Blake is the CTO of Moki, a company specializing in mobile app security and operations management. He is a participating member of the PCI Council Mobile Taskforce and the OWASP Mobile Security project.