
Five Practices for Secure Mobile Apps


By now, just about any IT pro or CIO has read dozens of stories on the Heartbleed bug, a flaw in the open-source OpenSSL cryptography library that hundreds of thousands of websites and mobile apps use to secure data in transit. Heartbleed is a big deal, but for most IT pros and CIOs it only illuminated what they already knew – that mobile security is one of the most pressing issues for them in 2014.
Specifically, mobile app security is paramount for any enterprise today. As is true in traditional application (desktop and web) development, security cannot be an afterthought for mobile app development. It needs to be a consideration throughout the entire lifecycle, from planning, development and testing to release and analysis.
That’s why, at Appcelerator, we’ve baked numerous security capabilities into our Platform to enable your development process at every turn.
See, the way mobile apps are developed and the speed with which they’re delivered create a set of challenges quite different from those of traditional apps. A crucial focus for mobile app security must be on the client side – at the device or app level – and at Appcelerator, we’ve enabled five key security capabilities:

1. Source Code Encryption

Mobile app security works differently than it does for a traditional application. If you’re a developer building a web application, for example, your code and business logic reside on a secure backend web or application server in the data center, or in the cloud. The client side of a website is really just a user interface, accessing functionality and data from these backend servers via the Internet.
But with native mobile apps, much of this code resides on the client, providing both the UI components and any local business logic.
With the app code on the device, it is exposed to anyone who has downloaded your app. A malicious user who has downloaded your app can potentially view your code and:

  • Access your IP,
  • Reverse engineer the app, inject malicious code, then re-publish back to the app store (in the case of Google Play) or
  • Comb your code, identify vulnerabilities and target other users of your app

You need to keep your code secret. That’s why we support encryption for the code in your apps. JavaScript, for example, is fairly easy to read and understand. Obfuscation and minification can make it more difficult to interpret, and are certainly better than nothing, but encryption provides the highest, most reliable security, rendering the code completely unreadable.

2. Database Encryption, and 3. File-level Encryption

The varying bandwidth and connection quality on mobile devices doesn’t just mean that more client-side code is required; it also means more data is stored on the device. Again, web-based desktop applications can assume an ever-present and reliable connection – but for mobile, data often needs to reside on the device itself, whether temporarily or permanently.
This difference has a major impact on security, introducing concerns that traditional applications simply don’t have to contend with. Many developers use the SQLite mobile database, or store data on the local file system. Neither encrypts data by default, which is why we built the Appcelerator SQLite Encryption Module and offer file-level encryption across all supported OSs. These options allow enterprises to preserve the user experience by storing data on the device, all without sacrificing security.
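The point above – that SQLite and the local file system store data in cleartext unless you add encryption – is easy to verify for yourself. The following is an added example (not Appcelerator code and not the SQLite Encryption Module): it writes a few constructed records with Python’s stock sqlite3 driver, then scans a directory the way a reviewer would scan an extracted app sandbox or device backup, looking for known sensitive values in the raw bytes of every SQLite file. The file names and sample values are made up for the demonstration.

```python
"""Added example, not Appcelerator code: show that a SQLite database written
with default settings stores records in cleartext, and a check that scans a
directory (an extracted app sandbox, a device backup) for SQLite files that
contain known sensitive values verbatim."""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Constructed sample records standing in for data an app caches on the device.
SAMPLE_ROWS = [
    ("alice@example.com", "session-token-CONSTRUCTED-0001"),
    ("bob@example.com", "session-token-CONSTRUCTED-0002"),
]


def write_plain_db(path):
    """Create a database the way many apps do: sqlite3 defaults, no encryption."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sessions (email TEXT, token TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def is_sqlite_file(path):
    """Identify SQLite files by their fixed header, regardless of extension."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def plaintext_hits(path, needles):
    """Return the needles found verbatim in the raw bytes of the file.

    No SQL is involved: if a session token or e-mail address turns up in a
    plain byte search, the store is not encrypted at rest."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [n for n in needles if n.encode("utf-8") in raw]


def scan_directory(root, needles):
    """Map each SQLite file under root (relative path) to the needles it exposes."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                report[os.path.relpath(path, root)] = plaintext_hits(path, needles)
    return report


def demo():
    """Build a throwaway sandbox with one plain database and one unrelated
    file, then scan it. Returns the scan report."""
    sandbox = tempfile.mkdtemp(prefix="app-sandbox-")
    write_plain_db(os.path.join(sandbox, "cache.db"))
    with open(os.path.join(sandbox, "notes.txt"), "w") as fh:
        fh.write("not a database\n")
    needles = [value for row in SAMPLE_ROWS for value in row]
    return scan_directory(sandbox, needles)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {len(hits)} sensitive value(s) stored in cleartext")
```

Every e-mail address and token inserted above comes back from the byte search, which is exactly what an attacker with a copy of the device storage sees. The same scan returns nothing for a store that was encrypted at the database or file level before it reached disk, so it doubles as a regression check for an app that is supposed to be using such a module.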

4. MAM/MDM Integration

If you need any evidence that the rise of BYOD is real – and huge – just look at the momentum in the mobile device management (MDM) space recently. Good Technology just last week filed for an IPO, as did MobileIron, and AirWatch was acquired by VMware.
Employees today demand the ability to access their apps and data on the devices they use outside work. To make this happen while mitigating associated security concerns, MDM and mobile app management (MAM) solutions have risen to the occasion, offering features that help CIOs rest easy when it comes to the security of sensitive data.
MDM/MAM products solve for the vulnerabilities that come along with allowing employees to access company data on personal devices. Organizations can:

  • Create enterprise app stores for distribution
  • “Wrap” employee-facing apps with security layers to protect and manage their data
  • Set up controls that allow specific individuals to access as much or as little data as necessary
  • Remotely wipe data from devices of employees who no longer need access

The features these companies offer are crucial to enterprises, which is why the Appcelerator Platform integrates with MDM/MAM vendors like AirWatch, MobileIron and Apperian, to name a few. This way, enterprises can deploy apps built using the Appcelerator Platform to their enterprise app stores and ensure security at all times.

5. Protection of Data In Transit

Time to market is key in the new mobile world, and developers building mobile apps often work in a fraction of the time they would to build a web application. In the rush to put out mobile offerings, unfortunately, a lot of apps that are already out there don’t have the appropriate levels of security.
For example, sensitive information being sent from the client to backend servers needs to be protected to avoid privacy leaks. While this seems like a no-brainer for those familiar with web security, the immaturity of mobile development means many mobile apps out there today aren’t providing this level of security.
To ensure that data being sent from the client is secure, we support the use of either SSL or a VPN tunnel, which protects data in transit from eavesdropping, intentional or otherwise.
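Supporting SSL/TLS in a platform is only half the job; the client code still has to use it correctly, and the shortcuts taken in a rushed release (verification switched off, old protocol versions allowed) are what actually expose data in transit. The following is an added example, not Appcelerator code: a hardened TLS client configuration for app-to-backend traffic, an audit function that flags the weak settings, and a sender that refuses to transmit with a configuration that fails the audit. The host name and path in the usage are placeholders.

```python
"""Added example, not Appcelerator code: a hardened TLS client configuration
for app-to-backend traffic, plus an audit that flags the shortcuts (disabled
certificate or hostname verification, legacy protocol versions) that leave
data in transit open to eavesdropping."""
import http.client
import ssl

# Finding codes returned by audit_context().
NO_CERT_VERIFY = "NO_CERT_VERIFY"        # server certificate not validated
NO_HOSTNAME_CHECK = "NO_HOSTNAME_CHECK"  # certificate not matched to hostname
LEGACY_TLS = "LEGACY_TLS"                # protocol versions below TLS 1.2 allowed


def hardened_client_context():
    """Verify the server chain against the system trust store, require the
    certificate to match the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The shortcut that appears in rushed apps: verification switched off, so
    any server that answers (including one in the middle) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of finding codes for a context; an empty list passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VERIFY)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(LEGACY_TLS)
    return findings


def post_json(host, path, body, ctx=None):
    """Send app data to the backend over TLS, but only through a context that
    passes the audit. Performs a real network request, so it is not exercised
    offline; host and path are caller-supplied placeholders."""
    ctx = ctx or hardened_client_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError(f"refusing to send over weak TLS configuration: {problems}")
    conn = http.client.HTTPSConnection(host, context=ctx)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
    # post_json("backend.example.invalid", "/v1/sync", '{"event": "demo"}')
```

The audit is cheap enough to run in a unit test against whatever context the app builds, which catches a `CERT_NONE` left behind from debugging against a self-signed test server before it ships. A VPN tunnel, the other option mentioned above, protects the path between device and gateway, but the application-layer TLS check is still what ties the connection to the intended backend.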

Honorable Mention: Extensibility

It’s worth noting: Because we have an open and extensible platform, there are other security tools and modules you can find in our marketplace. For instance, mSignia can validate app cloning as well as provide a unique secure solution for user authentication.
For readers interested in learning more about how the Appcelerator Platform can help support your enterprise mobility initiatives, you can register for our monthly seminar.
No matter what type of security needs your organization has, we are here to help you build world-class mobile experiences while keeping your apps and data secure.