Mobile app security flaws, especially privacy-based ones, tend to make a very large splash in the media. Significant brands such as Delta Air Lines, Starbucks, Pandora Media and others have released mobile applications that customers and technology pros later discovered were capturing private user data. Sometimes these companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.
Even high-profile security conferences are not immune to privacy mishaps. In February 2014, the RSA Conference released a mobile application that inadvertently and insecurely stored the entire database of attendees on the device, resulting in data disclosure on every attendee of the conference.
Security and privacy issues can have a major impact on customer acceptance of new mobile apps, your company’s reputation, and even revenue. You don’t always have a second chance to get it right with your customers, so it pays to develop secure mobile apps from the beginning. But security is more than just purchasing the latest next-generation solution to the most recent threat. Likewise, security in mobile application development runs much deeper than simply conducting a penetration assessment of your client application and server-side service before you place them into production.
There are numerous Top 10 lists to help development teams understand the technical threats to their mobile applications. The Open Web Application Security Project (OWASP) maintains one of the most prominent lists. However, the most notable deficiency with the OWASP list is that education and understanding of technical threats are only a small piece of the overall puzzle of how to create secure applications. Nontechnical risks are as important as the technical details of how an exploit works. Often, fixing issues in the people and processes of the development organization goes a long way toward limiting the number of technical risks that make it into the final code.
To identify the Top 10 most important nontechnical security issues in mobile application development, my colleagues and I interviewed some of the most prominent application security consulting and research firms to understand the required knowledge level, risks and potential fixes for implementing security in mobile development.