Chapter 8: Mobile Development Security
mechanisms is patching. If anything is certain, it’s that your application will be found to have bugs after its release into the wild. Without a practical strategy for updating it in the field, you are at the mercy of any attacker who stumbles onto one of those bugs. Fortunately, the mobile ecosystem has evolved an effective channel for maintaining your application and pushing security patches: the app store. Use this channel early and often. Changing the anti-debugging and code obfuscation mechanisms on every update also helps deter reverse engineering, because the effort an attacker invested in unpicking the previous build no longer carries over to the new one.
Secure Mobile Application Guidelines

We aren’t naturally inclined to “top 10”–type lists because they can shortcut more careful thinking, but we’re also aware that developers are busy creatures who want things in bite-sized doses. So we’ve presented our guidance in a framework that maps to our experiences, helping mobile developers step through mobile app security design sequentially, from concept to coding, with key security checkpoints along the way. This framework was developed from years of working with mobile developers both as consultants and colleagues at organizations large and small. Our framework looks like this:

Category                                      Security Considerations
Traditional web application security (plus)   Secure mobile services with web application security
                                              Creating a walled garden for mobile access
                                              Reducing session timeout for mobile sessions
                                              Using a secure JavaScript subset
                                              Masking or tokenizing sensitive data
Storing sensitive data on the device          Avoid it!
                                              Mobile device sensitive data
                                              Security hardware
                                              Secure platform storage
                                              Mobile databases
                                              File system protections
Authenticating to mobile services             Authorization and authentication protocols
                                              Always generate your own identifiers
                                              Implement a timeout for cached credentials
Secure communications                         Use only SSL/TLS
                                              Validate server certificates
                                              Use certificate pinning for certificate validation
WebView interaction                           WebView cache
                                              WebView and JavaScript bridges
Preventing information leakage                Clipboard
                                              Logs
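The three "Secure communications" items (use only SSL/TLS, validate server certificates, pin) are one procedure, and the order matters: pinning is an extra check layered on top of chain validation, not a substitute for it. The Go program below is an added example written for this edit, not code from the book or from any vendor SDK. It pins the SHA-256 of the server's SubjectPublicKeyInfo, which is the value Android's Network Security Config and OkHttp's CertificatePinner also use, and it refuses to pin at all when no validated chain is available. The host name api.example.com and the self-signed certificate it generates are constructed test data, not a real service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns "sha256/<base64>" of the certificate's SubjectPublicKeyInfo.
// Pinning the public key rather than the whole certificate survives routine
// re-issuance of the certificate under the same key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned builds a tls.Config.VerifyPeerCertificate callback. Go invokes it
// after standard chain validation, so verifiedChains is populated only when the
// server certificate already chains to a trusted root. If validation was skipped
// (InsecureSkipVerify), verifiedChains is nil and we refuse rather than pin an
// unvalidated certificate.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(verifiedChains) == 0 {
			return errors.New("pinning: no verified chain; certificate validation must run first")
		}
		for _, chain := range verifiedChains {
			for _, cert := range chain { // a pin may sit on the leaf or an intermediate
				if pins[spkiPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("pinning: no certificate in the verified chain matches a configured pin")
	}
}

// checkPin drives the callback the way the TLS stack would after chain
// validation succeeded with the given chain (leaf first). With no chain it
// mimics a handshake where validation did not run.
func checkPin(pins map[string]bool, chain ...*x509.Certificate) error {
	var chains [][]*x509.Certificate
	if len(chain) > 0 {
		chains = [][]*x509.Certificate{chain}
	}
	return verifyPinned(pins)(nil, chains)
}

// newSelfSignedCert creates a throwaway self-signed certificate for the example
// (constructed test data standing in for a real server certificate).
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	serverCert, err := newSelfSignedCert("api.example.com") // hypothetical host
	if err != nil {
		panic(err)
	}
	pins := map[string]bool{spkiPin(serverCert): true} // ship a backup pin too in practice

	// Client configuration: validation stays on (RootCAs + ServerName), TLS only,
	// and the pin check is layered on top.
	pool := x509.NewCertPool()
	pool.AddCert(serverCert)
	cfg := &tls.Config{
		RootCAs:               pool,
		ServerName:            "api.example.com",
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: verifyPinned(pins),
	}
	_ = cfg // hand this to tls.Dial or an http.Transport in a real client

	rogue, _ := newSelfSignedCert("api.example.com") // same name, different key
	fmt.Println("pin      :", spkiPin(serverCert))
	fmt.Println("match    :", checkPin(pins, serverCert))
	fmt.Println("mismatch :", checkPin(pins, rogue))
	fmt.Println("no chain :", checkPin(pins))
}
```

Two caveats a practitioner would want: always configure at least one backup pin for the next key so that a key rotation does not brick the installed base, and pair pinning with the app-store update channel described above, since a pin set is itself something you will need to patch in the field.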