Securing Mobile Development: Nontechnical Solutions

It takes a lot more than a static analysis tool, a web scanning service, and a few paid hackers to make your mobile development lifecycle, team, and eventually, your applications secure. Finding flaws in an individual mobile application is easy (assuming you have the right technical skill set). What is a lot harder is actually stopping the creation of mobile application security flaws in the first place.

To achieve the lofty goal of a truly secure mobile application development program takes a rethinking of how we have traditionally secured our applications. Mobile development brings many changes to enterprise engineering teams, including new device sensors, privacy-impacting behaviors that cross the security chasm between consumer and enterprise isolation, and even faster release cycles on the order of days instead of months. Smaller teams with little to no experience in security are cranking out mobile applications at a fevered pace. The result is an accumulation of security debt that will eventually be paid by the enterprises and consumers that use these applications.

Forrester interviewed some of the most prominent application security consulting and research firms to help understand exactly what nontechnical development risks enterprises have and what they can do to secure their mobile application development process. There are lots of tools and services around that can help with the technical steps required to secure mobile development, but these can only take you so far. Changing the culture of your organization and development teams can go a long way toward improving the security of the products you create, thus improving your user experience, brand, and even revenue. More detail can be found in my latest report: "Address The Top 10 Nontechnical Security Issues In Mobile App Development." At the end of the day, security isn't only a technology problem, it's a people and process problem, and understanding the nontechnical steps to improve can only help your business.


Secure your Mobile Application Development

Developers building mobile applications need to understand the threat model for the system they are building, as well as understand that the mobile application itself is only part of the system that attackers will attempt to compromise: the backend services, the device, and the network between them are all targets. Input that crosses a trust boundary (for example, anything the client sends to the server) should be positively validated against what is expected and should never be used to make critical security decisions, such as authorization.

Also, developers must be careful about what data is stored on the device, because devices may be stolen or otherwise fall into unauthorized hands. Access permissions for local files and databases are also important, because device owners might unwittingly install other applications on the device that are malicious. Network communications can be sniffed and potentially modified in transit, so care must be taken when communicating sensitive data to and from the device.

Secure architecture and design principles are most useful at the beginning of a new application's development, so that possible concerns are known up front. The recommendations drawn from these design exercises must then be implemented during development, and the implementation of these requirements often has platform-specific concerns.
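The trust-boundary rule stated above (validate input positively, and never make a security decision on data the client controls) is easiest to see in code. The following is an added example, not code from the original report: a backend handler for a constructed "transfer" request sent by a mobile client, with a naive version that honours a client-sent `role` field shown beside a hardened version that allowlists fields and derives authorization from server-side session state. The account table, field names and limits are constructed for illustration.

```python
"""Positive validation of input crossing the mobile-client / backend trust boundary.

Constructed example: a backend receives a JSON 'transfer' request from a mobile
app. The client controls every byte of the body, so any field it contains
(including a self-declared "role") is untrusted.
"""
import json
import re

# Constructed server-side account state (stands in for a database lookup).
ACCOUNTS = {
    "alice": {"role": "user", "balance": 500},
    "bob": {"role": "user", "balance": 50},
    "carol": {"role": "admin", "balance": 10_000},
}

ALLOWED_FIELDS = {"to", "amount"}          # allowlist: anything else is rejected
ACCOUNT_ID_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
MAX_AMOUNT = 10_000
PER_USER_LIMIT = 1_000                     # constructed policy for non-admin accounts


class ValidationError(ValueError):
    """Raised when the request body fails positive validation."""


def validate_transfer(raw: bytes) -> dict:
    """Parse the body and keep only known fields of the expected type and range."""
    try:
        body = json.loads(raw)
    except ValueError as exc:              # json.JSONDecodeError is a ValueError
        raise ValidationError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        # Reject, rather than silently ignore, fields the client should not send.
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    to, amount = body.get("to"), body.get("amount")
    if not isinstance(to, str) or not ACCOUNT_ID_RE.match(to):
        raise ValidationError("'to' must be an account id")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) or not 1 <= amount <= MAX_AMOUNT:
        raise ValidationError(f"'amount' must be an integer in 1..{MAX_AMOUNT}")
    return {"to": to, "amount": amount}


def handle_transfer_naive(session_user: str, raw: bytes) -> str:
    """Anti-pattern: a security decision is made on a client-supplied 'role' field."""
    body = json.loads(raw)
    if body.get("role") == "admin" or body["amount"] <= ACCOUNTS[session_user]["balance"]:
        return f"approved: {body['amount']} to {body['to']}"
    return "denied"


def handle_transfer(session_user: str, raw: bytes) -> str:
    """Hardened: the body is allowlisted and authorization comes from server-side state only.

    session_user is the identity established by the authenticated session, never
    read from the request body.
    """
    req = validate_transfer(raw)
    account = ACCOUNTS[session_user]
    if req["to"] not in ACCOUNTS:
        raise ValidationError("unknown recipient")
    limit = account["balance"]
    if account["role"] != "admin":
        limit = min(limit, PER_USER_LIMIT)
    if req["amount"] > limit:
        return "denied: amount exceeds limit"
    return f"approved: {req['amount']} to {req['to']}"


def is_rejected(session_user: str, raw: bytes) -> bool:
    """True if the hardened handler refuses the body outright."""
    try:
        handle_transfer(session_user, raw)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request from a tampered client: bob claims to be an admin.
    forged = b'{"to": "alice", "amount": 9999, "role": "admin"}'
    print("naive   :", handle_transfer_naive("bob", forged))
    print("hardened:", "rejected" if is_rejected("bob", forged) else handle_transfer("bob", forged))
```

The point is not the JSON parsing but where the decision is made: the hardened handler can only ever approve what the server's own record of the session user permits, so a modified client, a proxy rewriting traffic, or a replayed request cannot escalate itself by adding a field.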



Most enterprises don't have any kind of process in place to keep security top-of-mind during the whole development cycle. But if you're only trying to fix things retroactively, chances are a lot of issues are getting missed, or are so buried that you won't actually be able to find them.