Developers of mobile applications must address all of the security concerns that traditional application developers do, and they must also handle additional concerns. The most popular mobile device platforms use modern operating systems that were designed with security in mind from the initial stages. However, developers still need to understand the unique threats and issues imposed by mobile platforms. Here are five tips to avoid the pitfalls mobile developers commonly fall into when pushing out a customer-facing mobile application:
1. Network bandwidth limitations and power consumption are always a concern. Security measures should not consume excessive bandwidth or be excessively chatty. Furthermore, keep-alives and other techniques that maintain an ongoing network dialog the user is not aware of can drain the battery.
2. Forcing users to perform tasks that are accepted on a desktop system may be unacceptable to users of mobile devices. The most common example is repeated prompting for a password. The temptation is then to cache the credential locally, but a developer who creates their own storage method for passwords is likely putting the password at risk; the platform's own credential store (the iOS Keychain or the Android Keystore) exists for exactly this purpose.
3. Mobile developers also need to take into consideration the possible presence of malware on the device that may be trying to use the same system APIs to access sensitive cached data. Developers need to understand the limitations of those APIs and what additional controls should be implemented when that situation may exist.
4. Mobile developers also need to be very aware of session lifetime: session fixation, expiration and termination. In a desktop web browser, non-persistent cookies are normally destroyed when the browser is closed. In many cases the mobile environment is different: when the user switches from the web browser to another app, the browser is not closed and does not destroy its non-persistent cookies, so the user might never actually terminate the session. One side effect of this is that changes to a user's authorizations might not take effect until the session is properly terminated and re-established, which argues for enforcing idle and absolute timeouts, and re-checking authorizations, on the server rather than relying on the client to end the session.
5. Mobile users may transition across multiple networks during a single use of an application. For example, they might start on a Wi-Fi network at home, walk down the street and move onto the cellular network, all while using the application. Developers need to ensure that this change of network address does not weaken session handling: the session must survive the move without creating a session fixation opportunity.
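The session concerns in tips 4 and 5 are easiest to see in a server-side session store. The following is an added example written for this page, not code from the original post or from SystemExperts: it issues a fresh token at login instead of promoting a token the client already presented (fixation), enforces idle and absolute timeouts on the server so a mobile client that never "closes" the session still loses it, re-reads the user's roles on every request so authorization changes apply immediately, and deliberately leaves the client address out of the check so a move from Wi-Fi to cellular does not break the session. The timeout values, the `roles_for_user` callback, the `Session`/`SessionStore` names and the data in `scenario()` are all constructed assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Illustrative policy values; the original post gives no numbers.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dead
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime cap, regardless of activity


@dataclass
class Session:
    user_id: Optional[str]    # None for a not-yet-authenticated session
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store for a mobile client (hypothetical design).

    The client holds only an opaque token; lifetime, termination and
    authorization are decided here, so a client that never 'closes' the
    session or changes networks mid-use cannot weaken either.
    """

    def __init__(self, roles_for_user, clock=time.time):
        # roles_for_user: hypothetical callable user_id -> set of roles, consulted
        # on every request so an authorization change applies immediately.
        self._roles_for_user = roles_for_user
        self._clock = clock           # injectable so the timeouts can be tested
        self._sessions = {}           # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Store a hash, so a dump of the store does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user_id):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def start_anonymous(self):
        """Pre-login session, e.g. a cart the user fills before signing in."""
        return self._issue(None)

    def login(self, user_id, presented_token=None):
        """Authenticate and issue a fresh token; any token presented before
        authentication is destroyed, not promoted (session-fixation defence)."""
        if presented_token is not None:
            self._sessions.pop(self._key(presented_token), None)
        return self._issue(user_id)

    def authorize(self, token, client_addr=None):
        """Per-request check: return (user_id, roles), or None if the session is
        missing, idle too long or past its absolute lifetime. client_addr is
        for audit logging only and deliberately not part of the check: a handset
        moving from Wi-Fi to cellular changes address but is the same user."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > IDLE_TIMEOUT
                or now - session.created > ABSOLUTE_TIMEOUT):
            del self._sessions[key]   # terminate server-side; client copy is inert
            return None
        session.last_seen = now
        return session.user_id, frozenset(self._roles_for_user(session.user_id))

    def logout(self, token):
        """Explicit termination; whatever cookie the client keeps is now inert."""
        return self._sessions.pop(self._key(token), None) is not None


def scenario():
    """Walk a constructed mobile session through the cases from tips 4 and 5."""
    now = [1_000_000.0]                       # fake clock, advanced by hand
    roles = {"alice": {"user"}}               # constructed authorization data
    store = SessionStore(lambda u: roles.get(u, set()), clock=lambda: now[0])
    out = {}

    planted = store.start_anonymous()         # a token an attacker could have fixed
    token = store.login("alice", presented_token=planted)
    out["planted_token_dead"] = store.authorize(planted) is None
    out["new_token_differs"] = token != planted

    out["on_wifi"] = store.authorize(token, client_addr="192.0.2.10")
    roles["alice"] = {"user", "admin"}        # an admin changes alice's authorizations
    now[0] += 60
    out["on_cellular"] = store.authorize(token, client_addr="198.51.100.7")

    now[0] += IDLE_TIMEOUT + 1                # app left in background, never "closed"
    out["after_idle"] = store.authorize(token)
    out["logout_after_expiry"] = store.logout(token)
    return out
```

Running `scenario()` shows the planted token is dead after login, the new token works from both addresses, the role change is visible on the very next request without a re-login, and the idle timeout kills the session even though the client never logged out. The absolute timeout matters on mobile precisely because an app that keeps touching the server in the background would otherwise renew an idle timeout forever.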
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.