It’s been 13 years since the first iPhone was introduced and caused people to swoon at the idea of a powerful hand-held device that could serve both personal- and work-related needs through a limitless selection of applications. Since that time, a great deal of our work life and home life has become centered on our mobile devices and we regularly use applications for reporting expenses, accessing work-related data, paying bills/banking, shopping, entertaining ourselves, and even caring for our health. For application developers, the applications are a critical link from the business to their employees and customers. Sensitive corporate and personal data flow through these applications and our mobile phones daily. For many people, the mobile phone has become THE work phone, THE home phone, and an inseparable technological appendage that reflects their persona and interests.
As the mobile phone has taken on more importance, the need for mobile application security has increased dramatically. In fact, according to an IDG research report, 74% of respondents report their organizations have experienced a data breach as a result of a mobile security issue, such as mobile apps containing malware, apps with security vulnerabilities, or unsecured Wi-Fi connections.
The importance of mobile applications, as well as the unique mobile threat profile caused the Open Web Application Security Project (OWASP) foundation to publish the OWASP Mobile Top 10 list to help developers build more secure mobile applications (see my last post for a history of the OWASP Mobile Top 10). Today the Mobile Top 10 is a vital tool that helps developers create more secure applications. Let’s explore how the latest OWASP Mobile Top 10 can help you develop safer software.
How to Best Use the OWASP Mobile Top 10 List
The most important way to use the Mobile Top 10 list is to educate your development team and ensure that your organization includes security throughout its software development lifecycle. Make sure you view the OWASP Mobile Top 10, however, as just a starting point for developing your secure application. Its main goal is not to give specific threats you should address, but rather to emphasize the major areas to consider when developing your security strategy and implementing it. Use this list as a guide for developing your own comprehensive security strategy.
In addition to the Mobile Top 10 list, OWASP also provides the following materials that can be used to create and implement your security strategy:
*Mobile Application Security Verification Standard (MASVS) – This document helps development teams determine the security requirements for their application. It is used during the early stages of development and outlines design considerations.
*The OWASP Mobile Security Testing Guide – This manual outlines a testing methodology to evaluate the security posture of mobile applications. It contains testing processes and techniques, test cases, and reverse engineering controls.
*The Mobile AppSec Checklist – The checklists contained in these Excel files allow you to map a given version of the OWASP Mobile Security Testing Guide (MSTG) to the OWASP Mobile Application Verification Standard (MASVS). This provides a clear rubric for security testing of mobile applications.
Together the OWASP Mobile Top 10 and these tools represent a powerful, well-thought structure for developing mobile application security. Use these tools from the beginning of your development process through to the end of your testing and release process to ensure your application is protected by a comprehensive security plan. Also I recommend you check out Guardsquare’s interesting post on how runtime application self-protection (RASP) and code hardening can defend against the key mobile application security resilience risks outlined by OWASP.
Protection for Your Users, Your Data, and Your Brand
As mobile phones take an ever more important role in our work and home life, the importance of mobile application security has never been higher. In fact, the 2020 McAfee Mobile Threat Report, stated that malicious apps increased by 30% year-over-year from 2018 to 2019. The OWASP Mobile Top 10 may have gotten started later than the broader OWASP Top 10 list for application development, but its value in the threat-filled world in which we live can’t be denied.