Mobile app dev teams looking to deliver innovative, high-quality mobile apps quickly to meet their business demands, must include security as early as possible and throughout the software development lifecycle (SDLC). While mobile has become the dominant means of accessing information, mobile DevSecOps maturity frequently lags behind web DevSecOps. If the security strategy is to test right before release then rush to fix security bugs, releases are often delayed or insecure code ships — but it doesn’t have to be that way.
Imagine spending months designing and developing a mobile app. Suddenly your project grinds to a halt during late-stage testing because a third-party API or library leaks data or a mobile app to server connection is misconfigured. You miss the release date and tempers flare.
Mobile app development brings new complexities beyond web app dev. Unlike web apps where all the code is on the backend behind a firewall, mobile apps must be written securely to guard against reverse engineering. From unencrypted data transmission over the network to insecure data storage on the device to weak server-side controls, there are more ways for things to go wrong, and fewer defenses in place to help avoid them. Because of mobile’s complexity and the speed at which mobile apps are developed and updated, the marriage of DevOps and security has never been more critical.
To deliver high-quality mobile apps faster, mobile devs must understand mobile threats, leverage secure coding best practices, find ways to automate security testing and lean into available tools and resources. Whether your team is beginning to develop mobile apps or you want to shore up the security of existing app development processes, apply these five top tips to speed delivery of secure mobile apps.
Standards-based testing and certification make a developer’s life easier. With mobile standards come predictability, better security outcomes and greater control. Dev and security teams that align on security standards and policy at the start of a development project gain speed and efficiency. Security standards can be applied throughout the lifecycle including app architecture, app design, app coding practices, app testing practices and app release process.
The Open Web Software Application Security Project (OWASP) community-led, open source effort establishes best practices in secure mobile application development, threat modeling and security testing.
Mobile application developers can with their security teams leverage the OWASP Mobile Applications Security Verification Standard (MASVS), which outlines eight areas of mobile application development and deployment and focuses on how mobile apps handle, store and protect sensitive information.
“OWASP is really there for both developers and security, and is oriented to best practices. It provides best practices for architecture, threat modeling, network communication—a playbook really for everyone.” – Brian Reed, Chief Mobility Officer, NowSecure
NowSecure offers training based on the MASVS with courses specifically for developers that includes the fundamentals of secure apps and how to write secure code.
Apple and Google have included key security APIs in the platforms and development environments to help mobile developers build secure apps. For example, encrypting all communication between a mobile app and all backends is critical. Devs can use SSL or certificate pinning where apps must verify the certificate comes from a trusted source, and must determine whether the endpoint server presents the right certificate. Often developers relax these requirements for convenience during early stages and fail to set network security properly according to standards.
Key security APIs created by the host OS should be used by default. App Transport Security (ATS) for iOS imposes extended security checks that supplement the default server trust evaluation prescribed by the Transport Layer Security (TLS) protocol. Android’s Network Security Configuration allows you to customize network security settings, lets you customize certificate authorities or pin the app to only specific certs.
Mobile application security testing has traditionally been a manual pen testing process: wait until an app is fully developed, click through an app UI, observe behaviors, connect to network setups and test across various devices. With the rapid increase in mobile app development velocity, manually checking for every issue in every build becomes infeasible. Automating highly repetitive tasks has become the only way for developers to scale output while ensuring security is built in.
Automating dynamic analysis of a mobile app binary is significantly more complex than automating static source code analysis, but yields more thorough security coverage and eliminates false positives. In benchmark analysis, static source code testing only finds 20% of the mobile app security bugs while dynamic finds the rest. Effective automated standards-based dynamic analysis leverages automated test runs on a physical device (rather than an emulator) to identify the widest range of security bugs at speed. Automated testing solutions such as NowSecure Platform conduct accurate, detailed assessments in minutes without slowing down developers.
Developers already have plenty of tools and don’t want to learn yet another one or change their workflow. Integrating mobile app security testing directly into the same toolchain that architects, developers and DevOps use to do their daily work reduces friction and provides fast feedback loops that improve the quality of builds.
Plugging a security testing tool directly into the dev pipeline with pre-built integrations enables autonomous, continuous security testing of each and every build. Whenever a CI/CD build completes in tools like Gitlab, Jenkins and Microsoft Azure DevOps, it triggers static, dynamic, and interactive security testing and automatically submits security and privacy bugs into ticketing systems like Gitlab, Jira or Microsoft Azure DevOps Boards. The systems do the work with no new tools, screens or radical workflow changes for the developers.
NowSecure Platform integrates with all major CI/CD and ticketing platforms.
Fast release cycles require quickly repairing security bugs. Mobile app developers should prioritize findings based on impact and severity to address the most critical bugs first. Providing them with highly accurate results and embedded remediation guides can shrink the mean time to repair from hours or days to mere hours or minutes.
Look for easily understandable mobile application security testing tool output that eases remediation. For example, the automated developer assistance feature in NowSecure Platform includes severity scoring, accurate evidence, detailed steps to remediation, and code snippets integrated with native workflow ticketing systems gives developers access to the resources they need in one place.
These five tips can help teams who are new to mobile app development, looking to optimize existing programs or embarking on the mobile DevSecOps journey. A standards-based approach and progressively automated tools and processes will help teams deliver secure mobile apps faster.
For more insight into developing secure mobile apps, download the NowSecure ebook, Best Practices for Secure Mobile Development ebook. And to see how automation can make your life easier, sign up for a demo of NowSecure Platform.