Security boosts the quality of the final product
Seeing that mobile security is very often neglected and having the experience required to address this problem, our team at Netguru came up with a solution. We created the Mobile Security Review best practices - a full-scale analysis of a mobile app’s security.
The security review is done in five steps:
- We review the project to better understand the code, structure, and purpose of the application.
- We make a list of the application’s elements responsible for introducing risk to the project.
- We prepare a list of the security features that should be implemented for all the risky elements and then we check if all the required security features are in place.
- After the analysis, if needed, a rescue plan is created: a list of the security actions that should be implemented.
- Finally, we prepare a report defining the security level of your product and suggestions on how to ensure it in the future.
The Mobile Security Review is based on The Open Web Application Security Project (OWASP) Mobile Security Testing Guide (MSTG). It is built on the simple idea of adjusting the MSTG to your needs, so you don’t need to work through the whole OWASP checklist and can focus on the functionalities which pose a real threat to the system. It is designed to be easy to integrate with your Continuous Integration and Continuous Delivery process and, since it’s agile, it can change together with your product. Moreover, the MSTG is maintained by the community and is based on best practices and international standards. Finally, our Mobile Security Review is an open source solution.
Enhance your app safety with our Mobile Security Review Guide
We created open-source guidelines for Mobile Security Reviews, which are available here.
Why did we create this process?
- We wanted to improve mobile security at Netguru
- We needed one source of truth that is shorter than 50 pages (so every mobile developer can read it in a short time)
- We aimed to share the knowledge with the community, so everybody knows what to pay attention to and what the risks are
What does our security document include?
- Risk analysis: the risk of compromise and its impact
- Classification and prioritisation of vulnerabilities
- Planning on the basis of the prior prioritisation
- Report: how should it look, what should it contain?
What are the benefits of implementing the MSRG?
- Independence - You can analyse your app on your own
- Better knowledge - You get security tips, especially useful for developers and tech enthusiasts
- Time savings - You can use a single source of truth to get all the information
- Reliability - Based on OWASP
The benefits of using a Mobile Security Review seem clear-cut. The review increases the security and quality level of the product, but above all it makes you realise how secure your users’ data is.
“Developing a social care platform like Helpr, we've always been concerned for the security of the product. Given the profile of the application, we are constantly handling sensitive data, such as health condition, name, and address. So we couldn’t allow for any disclosure of client data. Thus, a couple of weeks ago we had Helpr’s security reviewed and this gave us vital information. Luckily, there was no reason to be alarmed and no need to apply emergency fixes. However, the improvements proposed in the report are something we'll surely have in mind when planning the scope for the new iterations. An unbiased analysis of a project is always a valuable insight for the project team.”
Filip Kozłowski, Project Manager at Netguru overseeing the development of Helpr
With Mobile Security Review everybody wins
A Mobile Security Review ensures correct project development, setup, and overall code quality, because it covers a large number of sensitive areas such as risk analysis, data protection, reverse engineering protection, anti-tampering, encryption, communication, key management and many more, making it very valuable to product owners. An MSR helps to make your app less vulnerable to security breaches and better protected against financial and reputational loss, as well as potential legal problems.
Getting a Mobile Security Review done is a win-win situation for both the owners and the users. The owners win a reliable, high quality product, which gets better positioning in stores and better reviews. A better quality product enhances users’ personal data security and trust for the product. This in turn translates into bigger demand and business growth.
Thus, if you want to upgrade your project’s security level, contact us - together we will perform the review of your mobile product.