It is a commonly seen practice to perform security testing of applications during the QA stage, after developing their code. In all such cases however as security bugs get uncovered at the later stage of development, a great amount of rework gets involved before the application release. There by causing issues like delays, unverified security-fixes, temporary exceptions etc. And especially in case of Mobile apps these fallouts get far more expensive.
Most of the major security flaws seen in mobile apps are related to its design. And moreover the mobile apps are more prone to attacks than web based applications considering the susceptibility of the mobile device. In case of mobile apps the logic that resides with the app on the mobile device is always at the risk of getting tampered or exposed to hackers, as it can be reverse engineered in most cases. And thus protection of such client side logic has profound security implication, and it is desirable to handle this issue while developing the app so that the reliance on the client side logic is kept minimal, rather than having to rework on it at the end.
Likewise, many other aspects related to the mobile apps, as the ones listed below, are also highly crucial with respect to security and if desired security standards are not met in them, they may call a major rework in the app. These include:
- Use of local mobile device storage for offline view
- The nature of authentication, whether it is local or server based
- Use of third party frameworks and integrations
- The mechanism to transmit user data to the server
- The logic to grant role based access to the user
- Storage of encryption keys and other secrets, in case they are being used
- Interaction with other apps
Any security flaws in these aspects would amount for major application redesign, like change of complete authentication logic, say from local authentication to server based or use of OTP based authentication, Migration of some of the logic to the server side, replacement of insecure APIs or frameworks, change of encryption logic with secure key storage, etc. All such changes at the final stages of application require significant investment of time and money.
In order to avoid such rework, it is imperative to understand the security requirements to be incorporated into the application at the design stage. This can be achieved by reviewing the app design for necessary security controls. Developing a threat model for the app at this stage, using references like OWASP Mobile Top 10, STRIDE, etc. can help enumerate all such required security controls to be built into the design or changing the design in order to meet the security needs of the app. Reworking the app design is much less expensive than reworking the finished app!
Thus, thinking security at an early stage of the app development will help reduce the rework required at the end and help build security in at the right time, as required by the app.
So, if you are already conceptualizing a mobile app or if the app is at an early stage development, take a look at the security checkpoints for the app.