Hacking exposed mobile

Page 250

Chapter 8:

Mobile Development Security

mechanisms is patching. If anything is certain, it’s that your application will be found to have bugs after its release into the wild. Without a practical strategy to update it in the field, you are at the mercy of any hacker who stumbles onto it out there on the Internet. Fortunately, the mobile ecosystem has evolved an effective channel for maintaining your application and pushing security patches: the app store. Use this channel early and often. In fact, changing the anti-debugging and code obfuscation mechanisms on every update helps deter reverse engineering of your application.

Secure Mobile Application Guidelines

We aren’t naturally inclined to “top 10”–type lists because they can shortcut more careful thinking, but we’re also aware that developers are busy creatures who want things in bite-sized doses. So we’ve presented our guidance in a framework that maps to our experiences, helping mobile developers step through mobile app security design sequentially, from concept to coding, with key security checkpoints along the way. This framework was developed from years of working with mobile developers both as consultants and colleagues at organizations large and small. Our framework looks like this:

Category: Traditional web application security (plus)
Security considerations:
    Secure mobile services with web application security
    Creating a walled garden for mobile access
    Reducing session timeout for mobile sessions
    Using a secure JavaScript subset
    Masking or tokenizing sensitive data

Category: Storing sensitive data on the device
Security considerations:
    Avoid it!
    Mobile device sensitive data
    Security hardware
    Secure platform storage
    Mobile databases
    File system protections

Category: Authenticating to mobile services
Security considerations:
    Authorization and authentication protocols
    Always generate your own identifiers
    Implement a timeout for cached credentials

Category: Secure communications
Security considerations:
    Use only SSL/TLS
    Validate server certificates
    Use certificate pinning for certificate validation

Category: WebView interaction
Security considerations:
    WebView cache
    WebView and JavaScript bridges

Category: Preventing information leakage
Security considerations:
    Clipboard
    Logs
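The "Secure communications" row of the framework above lists three checks that build on each other: use only TLS, validate the server certificate against trusted CAs, and then pin. The following is an added example (not code from the book) showing how pinning sits on top of normal validation rather than replacing it. It assumes pins are SHA-256 fingerprints of the server's DER-encoded leaf certificate, and that the app ships a primary and a backup pin so the certificate can be rotated without locking users out; the function names and the certificate bytes used in the demo are constructed for illustration.

```python
"""Certificate pinning layered on top of standard TLS validation.

Added example, not the book's own code. Assumes pins are lowercase hex
SHA-256 digests of the server's DER-encoded leaf certificate.
"""
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint is in the pinned set.

    Uses a constant-time comparison for each candidate pin so the check
    does not leak which pin (if any) was close to matching.
    """
    fingerprint = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fingerprint, pin.lower()) for pin in pins)


def pinned_connect(host: str, port: int, pins, timeout: float = 10.0):
    """Open a TLS connection that must pass CA validation AND the pin check.

    Raises ssl.SSLError if chain or hostname validation fails and
    ValueError if the validated certificate is not one of the pinned ones.
    Pinning never replaces CA validation; it narrows the accepted set.
    """
    ctx = ssl.create_default_context()          # CA + hostname validation stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL or early TLS
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)   # leaf certificate, DER bytes
        if der is None or not check_pin(der, pins):
            raise ValueError("server certificate does not match the pinned set")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-ins for demonstration only; these are not real certificates.
CONSTRUCTED_GOOD_CERT = b"constructed-leaf-certificate-bytes"
CONSTRUCTED_ROGUE_CERT = b"constructed-certificate-from-another-issuer"
PINS = {
    cert_fingerprint(CONSTRUCTED_GOOD_CERT),                 # primary pin
    cert_fingerprint(b"constructed-backup-certificate"),     # backup pin for rotation
}


def demo() -> dict:
    """Exercise the pin check offline on the constructed inputs."""
    return {
        "good_accepted": check_pin(CONSTRUCTED_GOOD_CERT, PINS),
        "rogue_rejected": not check_pin(CONSTRUCTED_ROGUE_CERT, PINS),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the order of checks: `ssl.create_default_context()` keeps chain and hostname validation on, and the pin is only consulted after the handshake has already succeeded under those rules. A rogue certificate from a CA the device trusts still fails at the pin, while a certificate that matches a pin but fails CA validation never gets that far.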

221

