
Mobile Security @ OWASP

Mobile Security Focused Application Security Pages

Mobile Application Security

Mobile application security has most of the challenges of web security and some additional ones due to the endpoint the app is running on: a device that travels between untrusted networks, is frequently lost, stolen or resold, and runs other applications alongside yours.

One of the most important concerns with mobile is sensitive data. If an application stores credentials, credit card information or other sensitive data, it needs to be extremely careful not to expose them to other applications on the device or to anyone who takes possession of the phone (through theft, or by buying a used one on eBay). Generally, the best practice is not to store truly sensitive data locally on the phone at all. When data must be stored on the device, it is critical to understand what type of storage is being used (app-private internal storage, shared or external storage, or the platform keystore), how it is shared between applications, and whether it ends up in backups. App sandboxing protects data from other apps, not from someone with physical access to a rooted or unlocked device.

Since mobile phones are often used on different networks, it is important to implement strong connection security. On a phone, this doesn't just mean "use SSL": it means TLS, with certificate pinning where possible. In all cases, apps must verify that the certificate they accept chains to a trusted root and that its name matches the host they expect. All too often, mobile apps are vulnerable to MITM attacks because each app implements its own TLS handling, and a trust-all trust manager or a hostname verifier that always returns true, added to get past a self-signed test server, ships in the release build (unlike a web app, where the browser handles connection security through TLS, HSTS, revocation checking, etc.).
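Both halves of that paragraph as an added Android example (not the OWASP page's own code): the first class is the trust-everything anti-pattern that makes an app MITM-able; the second is a client that keeps normal chain and host-name validation and adds SPKI pinning with OkHttp's `CertificatePinner`. The host name and the two pin values are hypothetical placeholders.

```java
// Added example, not from the OWASP page. API_HOST and the pin strings are placeholders.
import java.io.IOException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// DO NOT SHIP: the usual "fix" for a self-signed test server. It disables chain
// validation and host-name checking for every HttpsURLConnection in the process,
// so any network attacker can present any certificate and read the traffic.
final class TrustEverything {
    static void install() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {} // accepts anything
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // any name "matches"
    }
}

// Hardened client: platform trust store + host-name verification stay on, and a pin
// must additionally match the SPKI hash of some certificate in the presented chain.
final class PinnedApiClient {
    static final String API_HOST = "api.example.com"; // hypothetical
    // Placeholders: replace with base64 SHA-256 of the SPKI of the current leaf or
    // intermediate, plus a backup pin for a key you control but have not deployed,
    // so a routine key rotation does not lock every installed app out of the API.
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    PinnedApiClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    String fetchProfile(String bearerToken) throws IOException {
        Request req = new Request.Builder()
                .url("https://" + API_HOST + "/v1/me")
                .header("Authorization", "Bearer " + bearerToken)
                .build();
        // A chain, host-name or pin failure surfaces here as an SSLPeerUnverifiedException
        // before any request bytes (including the bearer token) are sent.
        try (Response resp = client.newCall(req).execute()) {
            return resp.body() != null ? resp.body().string() : "";
        }
    }
}
```

To obtain a real pin, extract the server's public key and hash it: `openssl s_client -connect api.example.com:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Pin the key, not the whole certificate, so that renewing the certificate with the same key does not break deployed apps, and always register a backup pin before you need it.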

Many phone applications can be reverse engineered or mimicked. Assume that anything shipped inside the binary (API keys, embedded secrets, client-side checks) will be read and modified by an attacker, and think about how a user knows to trust your application versus a knock-off with malware embedded in it.

Often, mobile applications ask for broad permissions to access contacts, location, shared data, etc. As a rule, mobile app developers should request only the permissions the app actually needs: every permission granted to the app is also available to any code that compromises it.

Mobile applications often embed third-party libraries or SDKs for tracking or ads. These run inside the app's process with the app's permissions and see the same data the app does, so they should be understood and carefully considered before including them.

Resources

Support or Contact

Having trouble with the developer pages? Help us update them or [email protected] and we’ll help you sort it out. See something wrong? Get involved and help us fix it!
