Challenges engulfing mobile apps development and strategies


Mobile apps proliferation has undoubtedly created income for both developers and users. Take for example Mobile money transfer platform that has created millions of jobs in East Africa. Think of how much governments are saving for not printing money as more and more businesses are embracing cashless transaction. In Kenya, Uganda and Tanzania one can literally pay for anything whether it is a service or product with mobile money transfer platform. However, there are so many challenges that come with mobile development strategies and all are important. As an app developer it’s better to leverage the Permissions Model Used by the operating system whether it’s Android, Windows OS etc. In most cases, permission model used by most mobile operating systems are considerably strong on the base device. The permission models used by Android and iOS are good because the apps are isolated from each other and therefore the developer should be able to leverage as much as possible. In my experience, it is much easier to create a mobile apps that is granted access to the entire Operating System instead of taking the time to figure out which services, binaries, files, and processes it actually does need to function.

Under most circumstances, the security architecture of mobile devices will not let the application have such access so easily and a developer should be extremely careful by leveraging the permission model by the mobile operating system that ensures application plays by the rules. The other one is the least privilege model that should is used to develop application on a mobile device in a process that involves asking for what is needed by the application and amount of services, permissions, files, and processes the application will need and limit the application to those items. A good example is where an iPhone app does not need access to the camera on the iPhone and under all circumstances it should not grant itself access to the process that controls the camera. Other main problem that concerns me most is what we programmers call Sensitive Information Properly also known as SIP. I always encourage developers not to store sensitive information in clear text on the device. A competent developer should make good use of native encryption resources available on the major mobile devices, including the iOS and Android that should be leveraged. In fact nowadays most platforms provide the ability to store sensitive information in a non-clear-text fashion locally on the system and those features enable applications to store information properly on the device without needing third-party software to implement the functionality.

Mobile Application Security is not negotiable at all. An app developer should comply with application’s Code even if it does not make the code more secure. Australia just published new guidelines that most people hope will bring compliance to another level http://www.contadorharrison.com/new-australia-mobile-app-development-guidelines-published/. The new guidelines allows users to know that an app has followed the practices required by the device’s application store like Apple’s app store and Google Play stores among others. Seasoned developers knows very well that, RIM’s BlackBerry and both Apple’s iOS have specific processes and procedures that must be completed before an application is published through their stores and often it requires application signing. When an app is going to perform in sensitive areas such as needing full access to the device, the appropriate signatures are required to complete actions and in case an application is not signed at all, it will have a much reduced number of privileges on the system and will be unable to be widely disturbed through the various application channels of the devices. Depending on whether or not the application is signed, or what type of certificate is used, the application will be given different privileges on the operating system.

There is also need as an app developer to focus on Secure and Strong Update Processes. Contador Harrison working experience shows that a secure update process needs to be figured out because an app not fully patched is a big problem for the application. The main idea behind this is to create a process where an application can be updated quickly, easily, and without a lot of bandwidth. If you ignore, it can balloon into a big problem if updating software after it lands on a mobile device proves difficult. Mobile application security represent the current wave of technologies as that has become the default computing method such as e-mail, online shopping, gaming, and even video entertainment. In developing regions of Africa, Brazil, India and China and Middle East mobile phones are the primary computing device in the household, not the personal computer like the case in developed Western World. One of the most interesting thing is that mobile migration has involved new hardware like iPhone 4,5 and now 5S , Nexus S, Samsung Galaxy S3 & 4 series, etc, new software, and new applications across the platforms which has brought whole new world of security challenges to app developers.

This as we have witnessed has become a new green field for attackers and fraudsters. Security threats that previously did not exist have become the norm especially on Google Play http://www.contadorharrison.com/malware-targeting-android-devices-on-the-rise/ . A developer should also understand the Mobile Browser’s Security Strengths and Limitations. While writing an application that will leverage the mobile browser, developer need to understand security strengths and limitations. One should be able to understand the limitations of cookies, caching pages locally to the page, remember password check boxes, and cached credentials. It is critical for developers to understand security guarantees the mobile browser can provide the web application and then plan appropriately for any gaps. When a security expert demonstrated how to hijack a plane using Android app http://www.contadorharrison.com/hugo-teso-demos-planesploit-android-app-airplane-hijack/ it left a lot to be desired. As a mobile apps developer, I realized despite the advance in development process some developer’s applications have “read-only” support and therefore, the user can access the mobile HTML page of the application with an option to view its contents. The user can add, update, or delete any information in this site unlike the case before when it was probably designed in mind that many mobile browsers and their devices are wildcards right now and anything more than read-only access would pose too high a security risk. While am developing an application, my security book usually is filled with pages and pages of threats, exploits, and vulnerabilities and each of those cases, I do understand the risks to a given technology or topic. Threats to mobile devices and their apps are very real and it is important to understand which ones matter to a given application.

My acquired knowledge has taught me the best way to start this process is to enumerate the threats that are real, design mitigation strategies around them, and note the others as accepted risks. This process is well-known in developer’s circles as a threat model for mobile application although the threat model should not be too exhaustive. Instead, it should allow app developers to understand all the threats to the system and enable them to take action on those that are too risky to accept. Use of secure and intuitive mobile URLs is equally important and must be adhered to all the time. I have dealt with login pages optimized for mobile web browsing but however, additional login pages and domains where users enter credentials gives the users a confusing experience. Such a move could be disastrous to anti-phishing especially where some companies use third parties to host their mobile websites and such sites stem from that third party’s domain, not the company one. I would like to conclude by saying that although the use of secure storage is imperative and implementing it on a mobile application for the iOS will always be different than on Android or Windows. Therefore, a developer should seek advise on each platform. Overall, mobile application security has so far proved to be an interesting industry to follow, and my blog was to help developers along that way.

Comments

Post a Comment

Popular posts from this blog

2013: The year of mobile photography

Today is the 366th day of 2012 and as we wind up, millions of pictures will be taken and shared on social media platforms like Facebook and Twitter by people across the world. Young and old alike will take more photographs than any new year celebration before and I bet big that traditional camera makers will miss out on a bigger share of the love. The latest research has found smartphone as one of the two popular devices used for taking pictures together with traditional cameras and is considered to be a bigger motivator for amateur photographers irrespective of the age and gender. Some studies have been quoted as saying that eight in every ten smartphone users take at least one picture a week on their phone, while less than half who use a point-and-shoot camera take pictures at the same frequency.This year, analysts believe that majority of people take pictures with a smartphone with less than a third taking pictures with a digital single lens reflex while a quarter of i...
Read more

Telecoms in East Africa should look to data for mobile growth

Mobile network operators in East Africa should look to data traffic growth and increased data prices as a means of arresting voice revenue decline in one of the fastest growing mobile market in sub Saharan Africa. Over the last few months, a couple of operators have been sending pricing signals to customers to help manage this finite resource. Unlike two years ago, there is a clear movement towards data usage among users in the four member states of East African community namely Kenya, Uganda, Tanzania and Rwanda where customers are using less mobile voice and SMS services. The loss of SMS service business is fatal to mobile operators and is highly attributed to the rise of over the top apps such as WhatsApp and iMessage that have become a hit with mobile subscribers in the region. Such apps have provided rich communications over a data connection, allowing customers to forgo SMS use. Customers have an economic incentive to use over the top apps...
Read more

Diabetes rising among Africa’s young adults

A group of software developers in Africa are developing mobile health apps among them application that will help monitor diabetic patients. Their interest in diabetes monitoring apps came after Doctors in Africa warned several years back that diabetes is on the rise among young people in the continent, attributable largely to sedentary urban lifestyles and increasingly high levels of obesity. An estimated 29 percent in urban areas and 14 percent in rural areas suffers from the disease, most of them young adults, while 36 percent are at high risk of getting it, according to a study conducted last year. That figure is up from estimates of 2.4 percent in 1989 and 0.6 percent in 1979. The study also showed that Kinshasa, Johannesburg, Nairobi, Lagos, Cairo and Dar Es Salaam had the highest prevalence of obesity in the continent, with 51 percent of the 1,000 men and women in the 22 -35 age range surveyed falling under that category. Doctors blame the high level of diabetes in the capital a...
Read more