Do you remember the last time you used a payphone to make a phone call? Probably not. Fortunately, there’s the Internet, which puts all of the information about a payphone right at your fingertips. If you haven’t already figured it out, the Internet is huge, and having the ability to access it from anywhere is a key component of mobility. With the number of devices that people use to access the Internet, coupled with the number of mobile applications, the mobile footprint seems to grow exponentially. It all sounds really cool, doesn’t it? At least until one of the mobile apps that you’re using creates a window of opportunity for a security breach that exposes all of your personal information. Not so cool anymore, right? This mobile explosion has created the need to establish mobile application security best practices, and I’ve outlined a few of them below.
Privacy
The first best practice related to mobile application security has to do with security and privacy, basically ensuring that the data coming into your application code is “trusted” information. This means closing potential holes not only in your software code, but also in your hardware. It also means ensuring that you don’t inadvertently open up new holes as you try to close others. What exactly does “trusted data” mean? Think of it this way: your code accepts data from everywhere, such as URL parameters, cookies, browser variables, form fields, databases, or other external data sources. As a developer, you need to take all of the right measures to ensure that data from these sources isn’t going to cause your application to crash, display improperly, permit a security breach, or allow any other unintended action to be performed. Some common methods of securing your application include data integrity checks (ensuring data is complete and unaltered), encryption (making it unreadable without a key), and data validation (validation rules or check routines).
Untrusted Data
Another best practice related to security and privacy has to do with executing untrusted JSON data. No folks, this isn’t “text speak” for the name “Jason”, it’s JavaScript Object Notation. Wikipedia defines JSON as a “lightweight data interchange format.” This format is popular within the JavaScript community and is used for serialization and for transmitting data over a network connection. Well then, what’s the big deal? JSON’s syntax is essentially a subset of the JavaScript programming language, which is where the security concerns arise: many developers, especially those just starting off in the world of programming, parse JSON by handing it to JavaScript’s built-in eval() function. Unless every piece of data that is parsed comes from a single trusted source, the entire eval() technique is open to security vulnerabilities, because eval() will run any JavaScript embedded in the text, not just build an object. Using regular expressions to perform pre-checks, employing native JSON support, or using a newer function called parseJSON(), are ways to avoid these security vulnerabilities.
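The following is an added example, not code from the original post, showing the three parsing routes side by side on the same untrusted text: the eval() pattern the post warns about, a regular-expression pre-check (modelled on the well-known structural check from json2.js), and native JSON.parse. It assumes a modern JavaScript engine such as Node.js with the native JSON object; the “hostile” input is constructed for the demonstration and only records that code ran.

```javascript
// Regular-expression pre-check: strip escapes, strings and numbers, then the
// only characters left in valid JSON are brackets, braces, ':' and ','.
// Anything else (identifiers, parentheses, operators) means "not plain JSON".
function looksLikeJson(text) {
  const stripped = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(stripped);
}

// The risky pattern: eval() evaluates the text as JavaScript. The parentheses
// keep a leading '{' from being read as a block, but nothing stops embedded code.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Defensive parser: native JSON.parse never executes code and throws a
// SyntaxError on anything that is not strict JSON. On a legacy engine without
// native JSON, only text that passes the structural pre-check is evaluated.
function parseUntrustedJson(text) {
  if (typeof JSON === 'object' && typeof JSON.parse === 'function') {
    return JSON.parse(text);
  }
  if (!looksLikeJson(text)) throw new SyntaxError('input is not JSON');
  return eval('(' + text + ')');
}

// --- Constructed inputs -----------------------------------------------------
const BENIGN = '{"user":"alice","roles":["reader"],"score":-1.5e2}';
const sideEffects = []; // records whether embedded code ran
// Looks like JSON at a glance, but the "token" value is an immediately-invoked function.
const HOSTILE = '{"user":"alice","token":(function(){ sideEffects.push("code ran"); return "x"; })()}';

// Runs the hostile text through all three routes and reports what each did.
function demonstrate() {
  sideEffects.length = 0;
  const result = {
    evalExecutedCode: false,
    nativeRejected: false,
    precheckRejected: !looksLikeJson(HOSTILE),
    benignParsed: parseUntrustedJson(BENIGN),
  };
  parseWithEval(HOSTILE);
  result.evalExecutedCode = sideEffects.includes('code ran');
  try {
    parseUntrustedJson(HOSTILE);
  } catch (e) {
    result.nativeRejected = e instanceof SyntaxError;
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}
```

The point to take from running it: the same string yields a parsed object from eval() after executing whatever was embedded, while the pre-check flags it and JSON.parse refuses it outright. Prefer native JSON.parse wherever the engine has it; treat the regex pre-check as a fallback for old engines, not as the primary defence.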
User Awareness & Control
User awareness and control is another best practice. It’s important that your users are aware of all of the asynchronous server-side or Internet-based functions that your mobile application performs, whether they’re up front and in your face or behind the scenes. This is often signalled by a spinning wheel in the corner of the app. And because these actions may have access to very sensitive user data, it’s important to provide the user with options to control them. Some of these behind-the-scenes activities may also have an impact on the user’s network access, in the form of data charges or battery life. It’s equally important to notify the user when their personal or device information is being used by a mobile application, and this notification should appear as soon as the user enters your mobile application.
Auto Sign-on
And finally, because mobile devices are ultimately handheld devices that make information available anywhere, the use of automatic sign-on is strongly encouraged when developing mobile applications. As a user, if I have to provide my credentials when using your application, the last thing I want to go through is typing them on a dinky little mobile device upon each visit. Having the ability to “be remembered” is a common feature within the mobile application world. However, ensuring that the credentials are encrypted, or that a secure token is stored in their place, is the right way to allow automatic sign-on.
As we become a more mature mobile society, security is a crucial factor that should be taken into account as you develop mobile applications. How quickly you can adapt to the changes of the mobile environment will determine your position in the mobile arena. As you develop your mobile application, following simple best practices can go a long way in securing its future.
Tuesday, December 15, 2009