Developing a secure mobile application for smartphones or tablets is like running through a technology minefield. If you are not careful, something is likely to blow up.
The devices are inherently vulnerable to hacking, theft or loss and can serve as on-ramps into enterprise and/or home networks. Wireless network connections may not be encrypted properly. The use of non-standard API libraries, patches and shared code found on developer forums, GitHub, Stack Overflow or from third-party companies may introduce vulnerabilities and privacy issues into your app. Cross-platform development tools can themselves introduce security problems. Finally, even if your application is securely operating, what's to say the other 10 to 20 applications running on the device are?
Given this backdrop, the stakes have never been higher for developers to know how to build security into their applications from the very start.
"The developer has a greater responsibility to secure the application," said Stephen Lombardo, senior developer and founder of Zetetic, the software firm that developed the open source SQLCipher encryption library. "There's more work they need to do to make mobile apps secure upfront because they can expect less security by default."
"Security is not a check box," added Dave Sobel, director of partner community for Level Platforms, a managed services and software solutions provider. "It's not simply a feature that we add to the application."
"Data management, authentication, auditing — you can only really assure it's done correctly by thinking about security from Day One," said Sobel, who chairs the CompTIA Mobility Community. "To do it later is never as good. It takes so much longer, and never is as effective."
The Current Landscape
But to what extent are developers — from coders in a coffeehouse to enterprise-grade firms — building security into mobile applications from the ground up?
"For the most part, it's still very nascent," said Lombardo. "Most applications don't really do anything to secure user data or do anything serious to secure communications with remote servers."
Some contend that developers coding mobile apps for the finance or healthcare sectors are farther along the security learning curve. But Jack Walsh, mobility programs manager with ICSA Labs, the independent division of Verizon that has long tested and certified computer and network security devices and now additionally tests mobile apps for enterprises, cautioned, "I don't know if it's a safe bet that financial institutions have done any better than anybody else."
For example, Walsh recalled how a major bank (not ICSA Labs' client) found out that its Android app improperly accessed a phone's camera when running. Why? A third-party developer recycled code that it developed for another customer and used it in the bank's app. Concerned about exposing sensitive customer data and needing to maintain regulatory compliance, the bank "was very upset to find out that this was happening," Walsh said.
Open source libraries and code from public forums are making it into applications more often than people realize, contend Walsh and Jack Mannino, who heads the Mobile Security Project, an online resource for mobile application developers hosted by the Open Web Application Security Project (OWASP).
"Sometimes it's vetted, sometimes it's not," said Mannino. "You don't really know what you have until you do your own scrutiny on it."
Securing the Unsecure
The mobile application environment is particularly challenging for numerous interconnected reasons.
"The app developer can't make any assumptions that the actual client device is in any way shape or form hardened, locked-down or updated," said Mannino. In addition, these powerful devices are data-rich targets — potentially packed with email, passwords, images, credit card numbers, GPS coordinates, plus any information pulled down from web services and servers. "There is constantly really sensitive stuff going through these applications," said Mannino.
Because the devices are often interconnected, through unsecured channels, with laptops, desktops, networks and back-end services, mobile app security has to function not only on the smartphone and/or tablet, but also across the entire mobile channel into enterprise or home networks.
Good quality code is one issue, "but another big issue is process," said Ted Eull, vice president of mobile services at viaForensics, a leading mobile security firm. "You can have a great team and really intelligent developers, but you can't ever assume that the code is security bug-free. You have to build and test — for feature functionality and also security."
New Awareness, New Tools
The industry is responding to the challenges of improving mobile app security from a myriad of angles, including raising awareness, informal and formal collaboration, and improved development tools.
On message boards and developer forums, "security comes up a lot more now than in the beginning," said Lombardo.
The multi-platform nature of mobile apps and the limitations of current development tools have sometimes hampered mobile app security. For iOS, Android, Windows and BlackBerry, "Each of the platforms takes a slightly different approach to security, notifications and authentication," noted Sobel.
But Sobel, Lombardo and others expect the evolution of development tools to help make it easier to write secure mobile apps. Cross-platform mobile app development tools, like IBM Worklight and PhoneGap, are making improvements.
"The newer technology emerging — HTML5, CSS3, jQuery, jQuery Mobile — will help the developer overcome these challenges," said Yuvaraja Manickam, head of IDEA Lab R&D at ZSL Inc.
"Even today, vetted, pre-built, security libraries can help address some common security issues with minimal additional development," said Lombardo. "Hopefully, more of the problems we have today are going to be solved at the framework level in the future."
"It's early," added Mannino. "We'll eventually get to maturity, but we certainly are not there yet."
In the interim, industry organizations, including OWASP, CompTIA and others, are offering tools and resources to help developers improve the security of their mobile apps. The OWASP Mobile Security Project offers developers a wealth of best-practice resources, including its list of Top 10 Mobile Risks, which was introduced in 2011 and is due to be revised soon. Zetetic is also working with The Guardian Project to promote open-source mobile app security tools and techniques.
For its part, CompTIA has partnered with viaForensics to develop and launch the CompTIA Mobile App Security+ certification for mobile app developers. This exam comes in two editions (one for iOS, one for Android) to certify that the successful candidate has the knowledge and skills required to develop secure native mobile applications that ensure secure network communications and backend Web services. A beta exam, an integral part of the exam development process, is available today. "Looks like good introductory level information for mobile developers to establish something of a floor for skills and knowledge," said OWASP's Mannino, after reviewing the exams' objectives.
A member of CompTIA's Mobility Community, Manickam expects the market demand for mobile app security skills to significantly increase. He believes the Mobile App Security+ certification is an important tool for employers to evaluate whether a mobile app developer has a command of fundamental security best practices. "From my perspective that's very important and very useful," he said.