Whenever a team is tasked with developing a mobile application, one topic is often greatly underrated, or simply left undone for reasons such as laziness or a deep dislike of the activities involved: application security.
Of course, everyone somehow knows that appropriate application security is a must-have, yet sometimes a team just can't find a good approach to dealing with it. Let me give you a few snippets of inspiration in this regard:
Regardless of the application technology chosen (web, hybrid, cross-platform), a mobile device must always be considered insecure. While not prominently visible to the end user, the communication between the (mobile) frontend and the backend needs to be secured against both common and application-specific vulnerabilities.
Threats catalogue
Before a team can take measures in terms of application security, potential threats first need to be identified. This is typically done by compiling a threats catalogue that lists potential threats from different categories, e.g.
- Organizational shortcomings
- Human failure
- Technical failure
- Force majeure (if applicable)
Keep in mind that security risks can be induced both externally and internally. Also, they can be deliberate or accidental in nature. All of those factors need to be considered when putting together the list of potential threats.
Security mechanisms/features
Once an initial version of the threats catalogue has been created, the team can go over it and decide what can be done to address each risk. It helps to prioritize the corresponding tasks by factors like “severity of consequences” and “likelihood of occurrence”.
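As an added illustration (not code from the original post), here is a small Python model of such a catalogue: it uses the four threat categories listed above, records whether a threat is external or internal and deliberate or accidental, and ranks entries by a severity × likelihood score. The sample threats, the 1..5 scales and the tier thresholds are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Threat categories as listed in the post."""
    ORGANIZATIONAL = "organizational shortcomings"
    HUMAN = "human failure"
    TECHNICAL = "technical failure"
    FORCE_MAJEURE = "force majeure"


@dataclass(frozen=True)
class Threat:
    name: str
    category: Category
    external: bool    # induced from outside the organization (vs. internally)
    deliberate: bool  # deliberate act (vs. accidental event)
    severity: int     # assumed scale: 1 (negligible) .. 5 (critical) consequences
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain) to happen

    def __post_init__(self):
        # Reject entries outside the agreed scale so the ranking stays comparable.
        if not (1 <= self.severity <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("severity and likelihood must be within 1..5")

    @property
    def risk(self) -> int:
        # Classic risk score: severity of consequences times likelihood of occurrence.
        return self.severity * self.likelihood


def prioritize(catalogue):
    """Order threats highest risk first; equal scores are broken by severity."""
    return sorted(catalogue, key=lambda t: (t.risk, t.severity), reverse=True)


def tier(threat) -> str:
    """Map a risk score to a handling tier (thresholds are an assumption)."""
    if threat.risk >= 15:
        return "high"
    if threat.risk >= 6:
        return "medium"
    return "low"


# Constructed sample catalogue for a mobile app talking to a backend API.
CATALOGUE = [
    Threat("Frontend/backend traffic sent unencrypted over untrusted networks", Category.TECHNICAL, True, True, 5, 4),
    Threat("Developer commits a backend API secret to source control", Category.HUMAN, False, False, 4, 3),
    Threat("No defined process for rotating app signing keys", Category.ORGANIZATIONAL, False, False, 3, 2),
    Threat("Outage of the backend hosting region", Category.FORCE_MAJEURE, True, False, 4, 1),
]
```

Running `prioritize(CATALOGUE)` puts the unencrypted-traffic entry first (score 20, tier "high"), which is exactly the frontend/backend communication concern raised at the start of the post.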
Security is not a one-time task
It goes without saying that the topic of security must accompany the entire life cycle of an application. It is not something you get done once and for all.
- Every iteration shall include a task to answer the question “are the planned changes/enhancements likely to introduce new security risks?”
- As a team, make sure to define a recurring task “threats catalogue update/revision”.
Obviously, these are just some examples of what should be taken into consideration. It is always a good idea to talk to other teams and find out how they have organized their work in this regard.
Stay secure! 🔐