Mobile devices and the apps that run on them demand high levels of security. The devices
themselves are easy to lose and steal, and are widely used for activities that involve sensitive
data. What's more, organizations that build mobile apps -- even those with effective enterprise
mobility policies in place -- cannot fully control the devices they run on. All this has huge
implications for mobile app security. In this article, two experts offer advice to developers and
testers engaged
in mobile projects.

Don't allow the app to save passwords. With mobile apps, developers seek to strike a
balance between protecting
sensitive data and providing better usability, said Brian Shura, president of App Security
Consulting in San Jose, CA. But effective
mobile app security strategies demand that you err on the side of protection, he said. Even
though keyboard and screen size constrain the usability
of mobile devices, apps that run on these devices should require users to enter their passwords
every time they log on. From the get-go, the app should be designed in such a way that it cannot
store passwords, said Shura.  With desktop apps, allowing users to save passwords to speed up
future log-ins is reasonable. In mobile apps, it's not.

Encrypt data in transit. This seems obvious, said Frank Kim, founder of application
security consultancy ThinkSec. But in the process of
conducting security audits, Kim has seen his share of mobile apps that overlook this simple step.
"In the rush to deliver mobile apps, developers are making a lot of the same mistakes they made
with early Web apps."

Conduct source code reviews. Source
code scanners, available from open source projects and commercial toolmakers, are a key
component of mobile
app security projects (as well as other development projects), said Shura. These tools scan
apps to find code that is vulnerable to SQL injection and
other attacks and suggest fixes to make code more secure. For the iPhone operating system (iOS),
you are typically scanning Objective-C code; for the Android operating system, it's Java, said
Shura. If you have engaged an outside firm to security-test your app, keep in mind that you
have to supply source code in order for the firm to address this particular aspect of mobile app
security, said Shura. If you don't, security
testing can still be done, but it involves reverse
engineering the app and doing black
box testing, also known as dynamic testing.   

"Listen" to the traffic that flows between the mobile app and Web server. Also valuable
for mobile app security are tools that let you view
Web traffic, said Shura. "Manually analyze the traffic and look for method calls that could be
manipulated." 

Store as little data as possible on the mobile device. "Think of your mobile app as a
low-trust environment," said Kim, curriculum lead for application security at security training
organization The SANS Institute. "Ask yourself: 'Does the app
really need data there?'" Often, you will find that it doesn't, he said. Again, you are striking a
balance between usability and security, erring on the side of security.

Contain sensitive corporate data. Container techniques can help ensure mobile app
security by downloading sensitive corporate data into a separate container in the mobile app, said
Kim. That way, the app treats corporate as more sensitive than other data, such as pictures of your
kids, he said.