Securing mobile app development projects is always about striking the right balance of security mechanisms.
IT leaders must safeguard everything that requires utmost protection within the specified budget. On the other hand, they must be aware that it’s impossible to create environments that guarantee full app security. Striving to do so is bound to affect the business or application quality. It’s also likely to incur hefty bills and delay the release date. How not to take security too far and release a mobile application that is “secure enough” within the assumed schedule and budget? Follow these seven fundamental practices to stay on the safe side.
Define a “secure-enough” application
Mobile security should always be taken into account at the very outset — before you start writing the application code. Approach every mobile app development project individually, not only from the technical perspective but also from the business side, to grasp the full context and identify the potential threats and security vulnerabilities.
Understand the business context
The type of business and its processes have a great impact on security measures. An application of an intelligence agency or a bank will require a different level of security than a news outlet. Regional regulations, such as GDPR, can also affect the new application, so IT leaders must be prepared to prioritize accordingly.
Understand the biggest threats
There are four key questions you should answer to identify the key security mechanisms required in a given project and the ways to mitigate the risks:
- Where will an attack incur the gravest damages?
- Which area of the mobile app is the easiest to attack?
- How to secure these areas?
- What damages would be acceptable, bearing in mind the impossibility of ensuring full security?
By answering these questions, you can create a threat model for your mobile application development project that will help you select the relevant technologies and providers. Together with the client, determine the requirements for your “secure enough” application and make sure you are on the same page as the project unfolds.
Know your limits
Don’t fake it till you make it! If you’re unable to deliver on some of the client requirements, make it clear upfront. Otherwise, you will deliver low-quality software that doesn’t meet their needs or miss the deadline as you try to figure out the specification.
In fact, the consequences may be much more damaging: a failed project will certainly cost you your reputation, future clients, and ultimately, the business.
Once you find out the proposed deadlines are too tight, that the client is asking for something risky, or that perhaps you will require hiring an external specialist or partner, signal it immediately. Instead of taking the risk of becoming an infamous mobile app case study, opt for a safer path and pass on the project if you are incapable of delivering.
Benefit from the variety of tools and best practices
Know the security tools you’re using inside out and always read the relevant documentation, especially when you start using a new solution. Security is a shared responsibility — the tech provider will equip you with the tools, but it’s your responsibility to correctly configure them. Perhaps you will require a specific license to secure the entire infrastructure?
In addition, take full advantage of these basic security measures, mechanisms, and tools:
- Multi-factor authentication: raises the level of security in any project, also of the development environment.
- CI/CD pipelines: weave static code analysis into the code to detect grave errors in a cost-effective way.
- Automation: automate every security audit you can, but do it wisely = in a way that allows you to avoid routine. Great tools include Prowler (for auditing AWS infrastructure), Checkov (for scanning the docker containers), and Bandit (for Python). However, these won’t work if you haven’t read and understood the code first!
Also, follow these fundamental practices:
- Distribute responsibility by ensuring code review: don’t push the code, but request to have it introduced to the repository instead. It ensures review and keeps the repository clean.
- Use environments per their role: never test during production.
- Do not work while logged in as root/admin: always use accounts with limited permissions.
- Manage permissions and access control diligently and wisely.
Don’t believe in magic
There are multiple off-the-shelf security solutions available on the market that promise to solve all your problems and free your hands of all the responsibilities. However, such magical solutions simply don’t exist.
Marketers only give you part of the truth. You can definitely benefit from some of the existing solutions, but configuring them the right way is another part of the equation.
Every time you are about to use a new security tool, read the documentation thoroughly so you know what you are about to work with and how to use it properly. Otherwise, you will be generating additional security threats. Automate whatever you can, but be rational about it — you may not always need the extra solutions that sellers offer.
Agility of the project team is crucial! Every team member must understand the need to acquire different roles throughout the project. The development team doesn’t merely deliver the code, but has to look for potential security flaws or security breaches and alert the client when something they demand is too risky.
At the same time, the quality of the project is a collective effort of the client and the team. This means that your people don’t have to know everything, but know what questions to ask and where to find what they need. Our top picks?
- OWASP Top Ten
- OWASP Application Security Verification Standard
- OWASP MASVS
- CIS Benchmarks
- CIS Workbench
- National Institute for Standard and Technology
Mobile applications developers must follow the trends and technology providers’ developments if they don’t want to fall victim of routine. Do not get used to components you work on as they may become outdated or discontinued. Working with such components is risky, so update your tools regularly (and automate whatever you can).
Also, remember to keep all the environments unified. Avoid a scenario in which your different environments have different software versions — it will help IT professionals implement and execute the security policies smoothly.
Ensure post-work clean-up
Before you consider a project completed, clean up the remaining “trash.” Development environments will generate costs if you don’t delete them. They will also allow potential attackers to better understand your application.
Always assume that once you’ve uploaded something to the web, it will stay there forever, so if there is something you cannot fix or remove, hide it behind a firewall.
Also, remember about completing any outstanding documentation for the prospective users and future admins. Documenting the project on a regular basis will certainly make it easier at the end. Finally, revise the permissions and access control settings.
Improving security in a mobile app development project
It’s impossible to fully secure and have complete control over your mobile app development projects — there are too many variables to address as threats continue to increase in number and complexity.
You cannot cover every aspect of your tool with tests. You can, however, ensure a satisfactory level of protection. “Secure enough” applications are shielded against the most serious threats, while allowing the solution and the business to function smoothly and efficiently.
How to design an efficient mobile appsecurity system? In cooperation with your client, start by looking at the business context and identifying the potential threats. This will help you understand what requires utmost protection and how to best achieve it. Then, benefit from the existing safeguarding tools and practices, but remember it’s your job to properly configure them.