Five steps to choosing developers for your secure mobile app
Mon 8 Jun 2015
Ken Munro is a Senior Partner at Pen Test Partners, a penetration testing security group based in Buckingham. He recently conducted an ‘Android Live Hacking Demo’ at InfoSec 2015. Ken can be contacted at [email protected] or via his Twitter handle @TheKenMunroShow
Mobile marketing and gamification have seen an explosion in mobile apps, with businesses keen to establish a constant connection with their customers. But before you go commissioning that corporate app, a word of caution: once live, apps become ambassadors for the brand, with the power to kill as well as create traction. They need to be managed, updated and routinely tested to ensure they are robust, secure and compliant. So it pays to get it right first time.
If an app fails to deliver or is hacked, the fallout can be huge. In January last year, the Starbucks mobile purchasing app, used by more than 10 million coffee-guzzling customers, was hacked, allowing attackers to recover user credentials – full name, address, username, password and email address – which were stored on the device in clear text. The mobile payments aspect also meant the hack could have allowed an attacker to carry out fraudulent transactions.
Clearly security wasn’t top of the agenda when the Starbucks app was commissioned (although the vulnerability was quickly fixed). What it does demonstrate is that all too often the mobile app is the brainchild of the marketing department which then seeks the services of a third party outsourcer and assumes they will look after the security side of things.
Don’t try this at home
So how should you go about selecting and vetting an app developer? Firstly, any team commissioning software needs to keep the IT department in the loop. Secondly, don’t be tempted by DIY. Frameworks that allow a marketing team to design their own app may sound tempting, but they tend to use rigid templates, often making it impossible to access and test the code. Don’t be afraid to outsource, as there really is no substitute for a skilled developer.
Good developers will give you what you ask for, so think carefully about your requirements. Decide on the security approach you wish to take and use this to develop a scope of work or a specification which includes the correct controls. For example, if any of your systems are in PCI scope, there are PCI requirements you should adhere to, and it’s down to the primary business to ensure it meets these.
Familiarise yourself with frameworks like OWASP, NIST, SANS and others that detail what good security is and how it should be approached. You can then use this knowledge to sound out the developer, asking them how they write applications that address security issues noted in the OWASP Top 10, for instance. Ask to see a copy of their secure application development lifecycle, as this will give a fair indication of how seriously they take security throughout the process.
At the bare minimum you should ask whether they secure client data at rest on the device and how they secure client data in transit. Clear text storage (the Starbucks app) is a definite no-no. Other considerations include whether the developer uses source code control, practises peer code review, and performs unit testing. You should also look at contingency planning, in case things do go wrong. Will the developer fix any security bugs that arise, or will they be coming back to the business for more money?
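The "clear text storage" question above is one you can verify rather than take on trust. The following is an added acceptance check, not code from the article or from Pen Test Partners: it scans an Android app's shared_prefs XML (pulled from a test device after logging in with a known test password) and flags credential-like keys holding readable values, or the test password itself appearing in clear text. Both sample files and the sensitive-key list are constructed for illustration.

```python
# Added acceptance check (not from the article): scan an Android app's
# shared_prefs XML for credentials stored in clear text. The sample files
# below are constructed; on a real engagement they come from a test device
# after logging in with a KNOWN test password, which is then searched for.
import base64
import re
import xml.etree.ElementTree as ET

# Key names that should never hold a readable value (illustrative list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|credential", re.I)


def scan_shared_prefs(xml_text, known_secrets=()):
    """Return a list of (key, reason) findings for one shared_prefs file."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root:  # <string name="k">v</string>, <boolean name="k" value="true"/>, ...
        key = node.get("name", "")
        value = (node.text or "").strip() or node.get("value", "")
        if SENSITIVE_KEY.search(key) and value:
            findings.append((key, "credential-like key holds a readable value"))
        for secret in known_secrets:
            if secret and secret in value:
                findings.append((key, "known test secret stored in clear text"))
    return findings


# Constructed sample 1: the storage pattern the article warns about.
CLEAR_TEXT_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">CorrectHorse42</string>
    <boolean name="remember_me" value="true" />
</map>"""


# Constructed sample 2: the same data after the developer encrypts key names
# and values (ciphertext simulated with base64 blobs); nothing readable remains.
def _blob(raw):
    return base64.b64encode(raw).decode()


ENCRYPTED_PREFS = "<map><string name='{}'>{}</string><string name='{}'>{}</string></map>".format(
    _blob(b"\x01key-one"), _blob(b"\x02ciphertext-one"),
    _blob(b"\x03key-two"), _blob(b"\x04ciphertext-two"))


if __name__ == "__main__":
    for label, prefs in (("clear text", CLEAR_TEXT_PREFS), ("encrypted", ENCRYPTED_PREFS)):
        hits = scan_shared_prefs(prefs, known_secrets=("CorrectHorse42",))
        print(f"{label}: {len(hits)} finding(s)", hits)
```

The clear-text sample yields two findings (a readable `password` key and the known test password itself); the encrypted sample yields none, which is the result you want to see before signing off a developer's build.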
Evaluating the host
Often third-party developers offer hosting and managed solutions as well, so if you’re paying them to look after deployment and management you really should take a detailed look at their security provisions. Do they run IDS/IPS and, more importantly, are the alerts monitored and acted on? Do they patch their systems regularly? If the service does go down, consider who will be liable. Is there an incident response plan? A disaster recovery plan? Are these put to the test periodically?
Finally, bear in mind that app security is never a given, making regular security testing a must. In August last year, a professor and students at the University of California Riverside and the University of Michigan showed it was possible to compromise 92 percent of the legitimate apps they tested. A malicious app was used to breach the security of bona fide apps, disproving the assumption that apps are self-contained and immune from interference. No doubt that particular bombshell will see plenty of app developers going back to the drawing board.