12 ways to slingshot your business into the mobile era SECURELY published on Mobile App Training
New Post has been published on http://www.mobileapptraining.com/12-mobile-security-tips/
12 ways to slingshot your business into the mobile era SECURELY
Make someone responsible for mobile security.
Your team should include at least one person responsible for considering security at every stage of your app’s development. If you’re running a solo operation, that person is you. It’s easy to assume someone else is handling security — whether that someone is a mobile operating system provider, a device manufacturer, or another member of the development team. It’s true that everyone has a role to play, but as the developer, you’re the final line of defense.
Take stock of the data you collect and retain.
Practice data minimization: Don’t collect or keep data you don’t need. For example, if your product inventory app doesn’t require access to a user’s contact info, don’t ask for it. Simply put, data you don’t collect is data you don’t need to worry about protecting. Avoid keeping data longer than you need to.
Understand differences between mobile platforms.
Research the different mobile platforms you work with. Each mobile operating system uses different application programming interface (APIs), provides you with different security-related features, and handles permissions its own way. Don’t expect that one platform works exactly like another. Do your research and adapt your mobile code accordingly.
Don’t rely on a platform alone to protect your users.
Mobile platforms often provide helpful security features. But it’s your job to understand those features (and their limitations), implement them properly, and take other measures necessary to protect your users. In addition, while platform-based permissions might be helpful in conveying security information to your customers, they’re no substitute for your own effective communication. Talk to your users in your own words.
Generate credentials securely.
If you create credentials for your users (like usernames and passwords), create them securely. For example, a short number string might be an appropriate token for authenticating a user on a game score board, but the same credential wouldn’t be appropriate for a social networking app or critical line-of-business application where strong credential security is critical.
Use transit encryption for usernames, passwords, and other important data.
Anytime your mobile app transmits usernames, passwords, API keys, or other types of important data, use transit encryption. Mobile devices commonly rely on unsecure Wi-Fi access points at coffee shops, airports, and the like — and it’s easy for troublemakers to snoop and intercept connections.
To protect users, developers often deploy SSL/TLS in the form of HTTPS. Consider using HTTPS or another industry-standard method. There’s no need to reinvent the wheel. If you use HTTPS, use a digital certificate and ensure your app checks it properly. A no-frills digital certificate from a reputable vendor is inexpensive and helps your customers ensure they’re communicating with your servers, and not someone else’s. But standards change, so keep an eye on current technologies, and make sure you’re using the latest and greatest security features.
Use due diligence on libraries and other third-party code.
Before using someone else’s code to build or augment your app, do your research. Does this library or SDK have known mobile security vulnerabilities? Has it been tested in real-world settings? Have other developers reported problems? Third-party libraries can save time, but make sure you stay accountable for your mobile app.
Consider protecting data you store on a user’s device.
If your app handles personal information, consider protecting or obscuring the data — for example, by using encryption. Some platforms have special storage schemes for sensitive data like passwords and keys. Use them if they’re available. This helps protect your users in the event of viruses, malware, or a lost device.
Protect your servers, too.
If you maintain a server that communicates with your app, take appropriate security measures to protect it. If you rely on a commercial cloud provider, understand the divisions of responsibility for securing and updating software on the server. While some commercial services will monitor and update your servers’ security, others leave you in control.
Server security is its own complex topic, so do some research. Take steps to protect yourself from common vulnerabilities, including injection attacks, cross-site scripting, and other threats.
Don’t store passwords in plaintext.
Don’t store passwords in plaintext on your server. Instead, consider using an iterated cryptographic hash function to hash users’ passwords and then verify against these hash values. (Your users can simply reset their passwords if they forget.) That way, if your server suffers a data breach, passwords aren’t left completely exposed.
You’re not done once you release your app. Stay aware and communicate with your users.
Even after you ship your app, stay involved. New vulnerabilities arise daily, and even the most reputable software libraries require security updates. Follow general and library-specific mailing lists and have a plan for shipping security updates if needed.
Check your inbox, too. User feedback can help you spot and fix security vulnerabilities. When they discover vulnerabilities in your mobile application, researchers often try to resolve the issue with developers before publishing their findings. It’s best to be part of that discussion early on.
If you’re dealing with financial or health data make sure you understand applicable standards and regulations.
If your app deals with health or financial data, ensure you’re complying with relevant rules and regulations, which are more complex.
What does this mean to you?
To keep your workforce engaged they need mobile access to get their work done. The best way to provide that access securely is to understand the technical issues and how to eliminate or mitigate them so that your enterprise data remains secure. This comprehensive security also means that the mobile devices don’t become unauthorized access points into your company’s assets. The best place to get this knowledge is from our world class instructors that have spent years working on mobile platforms for both our government and commercial clients. Come see for yourself at mobileapptraining.com
Get Social:
About.Me | Enthuse.ME | Flavors.ME | LiveJournal | Plurk
@mobileapptrain #mobileapptraining #mobileappdevelopment #getmobileready #mobileappsecurity













