Mobile phones are in the pockets of every single customer you have out there. It makes sense to place yourself in that pocket using a mobile app to showcase your expertise, innovation, and product to your customers.
With pressure added by non-techie directors and managers, it’s easy for development teams to push security considerations to the back burner in favor of speed benefits and jazzy features, causing potential security holes and attack vectors.
During the TheAppLabb mobile app development cycle, they consider these three coding practices essential for each project.
Security By Design
Getting wrapped up in building your initial app idea or improving a feature is easy. Some will create the framework insecurely to “see how it looks,” then add the security later.
Security protocols and procedures also have a reputation for using time and resources that could otherwise optimize the user experience and app speed. This attitude is quite dangerous. Both have a valid place in the Software Development Life-Cycle (SDLC), but neither should be considered an afterthought.
Considering security by design ensures any insecure code you’ve written isn’t missed on review and pays off in the long run with your customers and company data protected against threat actors.
With the risk mitigated throughout the process, you’ll actually reduce your time and monetary costs with no need for large-scale code reviews close to launching.
Threat Modelling
With “Security-by-Design” in mind, threat modeling is a practice that will help your development team identify, mitigate, and remove threats from their code efficiently.
Secure coding requires identifying potential threat locations and conducting four actions;
Document the threat and any actions taken in a shared resource or risk register. Locate the section of code or function that is causing the danger. Address the security issue identified by either changing the code or removing it. And finally, validate your fix has resolved the potential threat.
With a regularly updated resource or register tracking these alterations and threats, your development team can identify insecure patterns in their coding behaviors, conduct regular reviews on coding practices, and display your commitment to code security.
Integrating this into your SDLC at each stage is essential for secure coding practice.
Up-To-Date Cryptography
Make sure the cryptographic algorithm you’re using is up to date and, crucially, relevant. In some countries, using an outdated algorithm can have legal and regulatory implications and could result in a fine or prosecution, so it’s best to ensure your team is aware of these rules!
Older key styles such as SHA-2 or DES are considered less secure and can allow attackers to break your code and hack your mobile app using brute-force tactics.
Android and iOS development teams should pull the most recently available cryptographic algorithms from the relevant stores that best suit the application design. When publishing, the team should sign with as secure a key as possible (2048 bits or higher).
SecRandomCopyBytes (iOS) and SecureRandom (Android) help generate random, secure strings.
KeyChain (iOS) and the KeyStore class (Android) are secure storage locations.