In an earlier article we talked about threat intelligence and securing your code against hackers from the start. That article focused on applying a subset of OWASP guidelines to web applications and backends. In this article we are going to do something similar for mobile apps.
We’re going to give you an overview of OWASP’s mobile application security guidelines using example apps and giving you questions you can ask your developers to work out how secure your app is.
Security is paramount for mobile apps. Unlike your backend servers, you can assume your mobile app is in the hands of bad actors. And if it is not, it might be sharing a phone with malware that would love to extract any useful personal or financial information your app might collect.
Let’s start with the example apps. They were “designed” to have different requirements, but they all share best practices for security.
Our Three Imaginary Mobile Apps:
- Artisanity – A niche ecommerce app connecting artisans with customers seeking unique, handcrafted goods.
- HomeStream – A proptech app streamlining communication between real estate agents and potential buyers, offering property listings, scheduling, and messaging, as well as access to documentation.
- GiveBack – A fintech app facilitating micro-lending and borrowing among community members, inspired by traditional Susu and Tanda practices.
(Any resemblance to existing apps or apps with the same name is purely coincidental. Naming is hard.)
Introducing the OWASP MASVS (Mobile Application Security Verification Standard)
The OWASP MASVS is divided into 8 groups:
- MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
- MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
- MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
- MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
- MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
- MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
- MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.
- MASVS-PRIVACY: Privacy controls to protect user privacy.
Let’s go through them quickly, covering what you should be concerned about and what to ask your developers to confirm it is being addressed.
MASVS-STORAGE: Secure Data Storage
The most secure data is the data you never store. The second most secure data is data that you don’t store on a device you don’t control. Always ask if it’s necessary to store the data, and if you have to store it, what is the most secure option.
Everyone wants to store credit card data because it makes purchase UX so much smoother. But no one wants to become a target for hackers, who love extracting thousands of active, verified credit cards.
The same goes for personal information.
How the apps might approach compliance:
- Artisano: May store user preferences or shopping cart data locally. It needs to ensure that no sensitive payment information is stored on the device, or if it is, that it’s properly encrypted using the platform’s secure storage APIs.
- HomeConnect: It should secure any stored personal or confidential information about agents and buyers using encrypted local databases or secure file storage methods provided by iOS and Android. For documents, a choice would have to be made between providing view-only or download-for-use access. If view-only, they may choose to render document pages one at a time from the server and keep no on-device cache.
- MicroFund: Handles sensitive financial and personal data. It’s crucial to ensure all locally stored data is encrypted and access is tightly controlled, leveraging secure storage APIs provided by both platforms.
Questions to Guide Decision Making:
- What types of user data will our app store on the device?
- Is any sensitive personal or financial information being stored locally?
- How are we protecting stored data against unauthorized access?
- Can we minimise local storage by keeping data on secure servers?
- Are there scenarios where storing data locally is unavoidable? If so, what system APIs or third party libraries are we using to provide secure storage?
MASVS-CRYPTO: Secure Use of Cryptography
You need to use up-to-date, strong encryption methods to protect data both when stored and during transmission, and manage encryption keys securely. This is not a situation where you can build your own solution.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps should ensure that any sensitive data, like user credentials or payment details, are encrypted during transmission using TLS. For any sensitive data stored locally, they should all use the platform’s secure storage APIs. Proper key management practices are essential—avoiding hard-coded keys and securely handling any cryptographic keys.
Questions to guide decision making:
- Are we using industry-standard encryption methods to protect data?
- How are we securely managing and storing encryption keys?
- Is all sensitive data encrypted during network transmission?
- Do we need to encrypt data stored locally on user devices?
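The two sections above (secure storage and key management) come together in a single Android example. This is an added illustration, not code from the article or from any of the three apps: a small Kotlin helper that generates a non-exportable AES-256 key inside the Android Keystore, seals values with AES-GCM before they touch SharedPreferences, refuses to store anything that looks like a raw card number, and destroys the key on logout. The class name, key alias, preferences file name and the card-number check are all constructed for this example.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper for an app like MicroFund or Artisano. The AES-256 key is
// generated inside the Android Keystore (hardware-backed where the device has it),
// is not exportable, and is therefore never hard-coded or shipped in the APK.
class KeystoreBackedStore(context: Context) {

    private val prefs = context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)

    // Fetch the key, generating it on first use. Because randomized encryption is
    // required, the Keystore picks a fresh random IV for every encryption.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setRandomizedEncryptionRequired(true)
            .build()

        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    // Stored layout: base64( [1-byte IV length] [IV] [ciphertext || 16-byte GCM tag] )
    private fun seal(plaintext: ByteArray): String {
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.ENCRYPT_MODE, key())
        val iv = cipher.iv
        val ct = cipher.doFinal(plaintext)
        return Base64.encodeToString(byteArrayOf(iv.size.toByte()) + iv + ct, Base64.NO_WRAP)
    }

    private fun open(blob: String): ByteArray {
        val bytes = Base64.decode(blob, Base64.NO_WRAP)
        val ivLen = bytes[0].toInt()
        val iv = bytes.copyOfRange(1, 1 + ivLen)
        val ct = bytes.copyOfRange(1 + ivLen, bytes.size)
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, iv))
        return cipher.doFinal(ct)   // throws AEADBadTagException if the stored blob was altered
    }

    fun putSecret(name: String, value: String) {
        // Data-minimisation guard: refuse anything that looks like a raw card number and
        // store the payment provider's token instead. (Constructed check, not PCI validation.)
        require(!value.matches(Regex("^[0-9 ]{13,19}$"))) {
            "Refusing to store a card-number-like value; store the provider token instead"
        }
        prefs.edit().putString(name, seal(value.toByteArray(Charsets.UTF_8))).apply()
    }

    fun getSecret(name: String): String? =
        prefs.getString(name, null)?.let { String(open(it), Charsets.UTF_8) }

    // On logout: clear the data and drop the key so old blobs can never be decrypted again.
    fun wipe() {
        prefs.edit().clear().apply()
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        if (ks.containsAlias(KEY_ALIAS)) ks.deleteEntry(KEY_ALIAS)
    }

    private companion object {
        const val ANDROID_KEYSTORE = "AndroidKeyStore"
        const val KEY_ALIAS = "local_data_key_v1"   // constructed alias
        const val PREFS_FILE = "sealed_prefs"        // constructed file name
        const val TRANSFORM = "AES/GCM/NoPadding"
        const val TAG_BITS = 128
    }
}
```

Two points a reviewer should look for: there is no key constant anywhere in the source (the key only ever exists inside the Keystore), and a tampered or bit-flipped blob fails with an exception rather than decrypting to garbage, which is what the GCM tag buys you over unauthenticated modes. The iOS equivalent is the Keychain with an accessibility class such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which likewise keeps the protected item off backups and other devices.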
MASVS-AUTH: Secure Authentication and Authorization
Implementing secure methods for user login and verifying that users have permission to perform certain actions within the app is critical. On both iOS and Android, secure authentication can be implemented using standard protocols like OAuth 2.0 and leveraging platform features for handling credentials securely. Both platforms support biometric authentication (like Touch ID and Face ID on iOS, and Fingerprint or Facial Recognition on Android) through secure APIs.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps should use secure authentication methods, possibly offering biometric login options provided by the platforms. Credentials should be handled securely, and any sensitive actions within the app may require re-authentication.
- HomeConnect: Implementing role-based access control will be necessary to restrict certain features based on whether the user is an agent or a buyer.
- MicroFund: Might want to require re-authentication using platform biometrics to confirm transactions.
Questions to guide decision making:
- How will users authenticate within the app?
- Do we need additional authentication steps for sensitive actions?
- Are we using secure protocols for handling authentication data?
- Do different user roles require different levels of access?
- Should we implement multi-factor authentication for added security?
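The re-authentication step suggested for MicroFund, as an added Android example that is not part of the article: a confirmation prompt built on the AndroidX Biometric library, accepting either a strong biometric or the device credential, so that a confirmation is required before a transfer is submitted. The class name and callback shape are constructed for this example.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Hypothetical gate in front of a money transfer. The platform owns the sensor and
// the credential store; the app only learns "succeeded" or "not this time".
class TransactionConfirmer(private val activity: FragmentActivity) {

    private val allowed = BIOMETRIC_STRONG or DEVICE_CREDENTIAL

    // Ask up front so the UI can fall back (e.g. ask for the account password)
    // on devices with no enrolled biometric or lock screen.
    fun canAuthenticate(): Boolean =
        BiometricManager.from(activity).canAuthenticate(allowed) ==
            BiometricManager.BIOMETRIC_SUCCESS

    fun confirm(amountLabel: String, onConfirmed: () -> Unit, onDenied: (String) -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                onConfirmed()
            }

            // Lockout, user cancel, hardware unavailable: surface the reason and do not proceed.
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onDenied(errString.toString())
            }

            // A single non-matching attempt; the system prompt stays up and handles retries.
            override fun onAuthenticationFailed() {}
        }

        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)

        // No negative button is set: it is not permitted when DEVICE_CREDENTIAL is allowed,
        // because the system supplies the "use PIN/pattern" path itself.
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm transfer")
            .setSubtitle("Send $amountLabel")
            .setAllowedAuthenticators(allowed)
            .setConfirmationRequired(true)   // explicit tap after a passive (face) match
            .build()

        prompt.authenticate(info)
    }
}
```

On its own this is a local UI gate: it stops a bystander with an unlocked phone, but a backend should never trust a client-side flag saying "the user authenticated". The stronger pattern on Android is to create a Keystore key with setUserAuthenticationRequired(true), unlock it through the same prompt via a CryptoObject, and sign the transaction payload with it so the server verifies that a fresh authentication happened.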
MASVS-NETWORK: Secure Network Communication
This should now be a given. You can make an argument that, if your app relies on a large volume of static media, architecting your backend to deliver that media from dedicated servers (or cloud services like Amazon S3) over a simpler, unencrypted protocol like HTTP gives a small reduction in management overhead.
But it is better to just have all traffic use secure network protocols like HTTPS/TLS. Both iOS and Android support SSL/TLS certificate pinning if necessary and provide networking libraries that handle security appropriately.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps should use HTTPS with TLS for all network communications to protect user information. They need to ensure that no insecure connections are made. If additional security is needed, such as certificate pinning, it can be implemented using platform-specific libraries or configurations to verify server identities beyond standard measures.
Questions to guide decision making:
- Are all network communications encrypted using HTTPS/TLS?
- Have we ensured that there are no insecure connections within the app?
- Do we need to verify the identity of servers we communicate with beyond standard measures?
- Are there any additional steps we should take to secure data transmission?
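An added example of the "no insecure connections" and "verify the server beyond standard measures" points above (not code from the article): an Android HTTP client built on OkHttp, a widely used networking library, configured so that plain http:// simply fails and so that the API host is pinned to known public keys. The host name and the all-zero pins are placeholders; the object and function names are constructed for this example.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.HttpUrl
import okhttp3.HttpUrl.Companion.toHttpUrlOrNull
import okhttp3.OkHttpClient
import okhttp3.Request

// Hypothetical shared networking setup. Real pins are the base64 SHA-256 of the
// server's (or its issuing CA's) SubjectPublicKeyInfo; keep a backup pin so a
// certificate rotation does not lock every installed copy of the app out.
object SecureHttp {
    private const val API_HOST = "api.example.invalid"   // placeholder host

    val client: OkHttpClient = OkHttpClient.Builder()
        // Only TLS connection specs (no ConnectionSpec.CLEARTEXT): an http:// URL
        // fails with an exception instead of silently going out unencrypted.
        .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))
        .certificatePinner(
            CertificatePinner.Builder()
                // PLACEHOLDER pins (all-zero / near-zero hashes); replace with your own.
                .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=")
                .build()
        )
        .build()

    // Belt-and-braces check for URLs that arrive from remote config or deep links:
    // https only, and only to our own API host.
    fun isAllowedUrl(raw: String): Boolean {
        val url: HttpUrl = raw.toHttpUrlOrNull() ?: return false
        return url.isHttps && url.host == API_HOST
    }

    fun apiRequest(path: String): Request {
        val url = "https://$API_HOST$path"
        require(isAllowedUrl(url)) { "Refusing non-TLS or off-host URL: $url" }
        return Request.Builder().url(url).build()
    }
}
```

The declarative equivalent on Android is a network security configuration file referenced from the manifest, with cleartextTrafficPermitted set to false and a pin-set for the API domain; on iOS, App Transport Security rejects plaintext HTTP by default unless the app opts out with NSAllowsArbitraryLoads, which is exactly the setting a reviewer should look for in Info.plist. Pinning is a trade-off: it defeats interception by a CA the device has been made to trust, but an app shipped with stale pins cannot talk to its own backend, so plan the rotation before you turn it on.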
MASVS-PLATFORM: Secure Interaction with the Mobile Platform
Your app needs to safely interact with the device’s operating system and other apps, ensuring features like notifications and data sharing don’t expose sensitive information. On both iOS and Android, there are guidelines and APIs for secure inter-process communication (IPC), handling intents (Android), or URL schemes (iOS), and configuring notifications to protect sensitive data.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps should ensure that any data shared through IPC mechanisms is properly secured, and sensitive information is not exposed in notifications or other UI elements that might be accessible without unlocking the device.
Questions to guide decision making:
- Does our app expose any functionality or data to other apps?
- Are we securely handling features like notifications and data sharing?
- Could sensitive information be unintentionally exposed through the user interface?
- Do we need to limit access to certain device features or permissions?
- Are there platform-specific security considerations we need to address?
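The notification point above, as an added Android example that is not code from the article: a HomeConnect-style message notification whose full content is visible only once the device is unlocked, with a generic "public version" for the lock screen. The channel id, notification id and class name are constructed for this example.

```kotlin
import android.app.NotificationChannel
import android.app.NotificationManager
import android.content.Context
import android.os.Build
import androidx.core.app.NotificationCompat
import androidx.core.app.NotificationManagerCompat

// Hypothetical notifier: a buyer's message to an agent must not be readable off a
// locked phone's lock screen, but the agent should still get a nudge.
class MessageNotifier(private val context: Context) {

    init {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            val channel = NotificationChannel(
                CHANNEL_ID, "Messages", NotificationManager.IMPORTANCE_DEFAULT
            ).apply {
                // Channel-level default; the per-notification visibility below still applies.
                lockscreenVisibility = NotificationCompat.VISIBILITY_PRIVATE
            }
            context.getSystemService(NotificationManager::class.java)
                .createNotificationChannel(channel)
        }
    }

    fun notifyNewMessage(senderName: String, messageBody: String) {
        // What the lock screen shows: that a message exists, nothing more.
        val publicVersion = NotificationCompat.Builder(context, CHANNEL_ID)
            .setSmallIcon(android.R.drawable.ic_dialog_email)
            .setContentTitle("New message")
            .setContentText("Unlock to read")
            .build()

        // Full content, shown only after the device is unlocked.
        val full = NotificationCompat.Builder(context, CHANNEL_ID)
            .setSmallIcon(android.R.drawable.ic_dialog_email)
            .setContentTitle(senderName)
            .setContentText(messageBody)
            .setVisibility(NotificationCompat.VISIBILITY_PRIVATE)
            .setPublicVersion(publicVersion)
            .build()

        // On Android 13+ the POST_NOTIFICATIONS runtime permission must already be granted;
        // checking first avoids a silently dropped notification.
        val manager = NotificationManagerCompat.from(context)
        if (manager.areNotificationsEnabled()) {
            manager.notify(NOTIFICATION_ID, full)
        }
    }

    private companion object {
        const val CHANNEL_ID = "messages"
        const val NOTIFICATION_ID = 1001
    }
}
```

The same "expose the minimum" thinking applies to the other platform surfaces the section mentions: Android components that other apps have no business calling should carry android:exported="false" in the manifest, and data arriving through an Android intent or an iOS URL scheme is untrusted input that must be validated before it drives any action in the app.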
MASVS-CODE: Code Quality and Security
It’s important to ensure that your app’s code is free from common vulnerabilities, follows secure coding practices, and stays updated with security patches. On both iOS and Android, this involves using secure coding standards, conducting regular code reviews, and keeping third-party libraries up to date. We covered some of the tools for this in the article on verifying the third party code your app will use.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps should follow secure coding practices, validate and sanitise all user inputs, and ensure all dependencies are up to date and free from known vulnerabilities. Implementing a process for timely updates and patches is crucial, as is enforcing a minimum supported platform version to benefit from the latest security features and APIs.
Questions to guide decision making:
- Are we following secure coding best practices throughout development?
- Have we validated and sanitised all user inputs and external data?
- Are all software libraries and components up to date and free from known vulnerabilities?
- Do we have a process in place to quickly update the app and patch security issues?
- Are we enforcing a minimum platform version to ensure necessary security features are available?
MASVS-RESILIENCE: Protecting Against Reverse Engineering and Tampering
This is a challenging part of the security stack. In reality it is impossible to prevent entirely, so you need to ask yourself: what would a hacker gain by having access to the source code of your app?
Every other group in the OWASP MASVS has a role in protecting your business from this situation. This is why data storage choices are important, and why authentication is essential.
There are companies out there offering solutions which obfuscate code, and platforms like iOS try to block access to your app’s code, but there are also companies offering tools to counter these protections.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps may implement code obfuscation to protect proprietary code and sensitive algorithms. Apps like MicroFund, which handle financial transactions, might have a higher need for anti-tampering measures. Detecting rooted or jailbroken devices and restricting app functionality can stop some bad actors from gaining further access.
Questions to guide decision making:
- Do we need to protect proprietary code or sensitive algorithms within the app?
- Are there risks if the app is reverse-engineered or tampered with?
- Should we implement code obfuscation or other anti-tampering measures?
- Are we considering the security of the app on compromised devices?
MASVS-PRIVACY: Ensuring User Privacy
Your app needs to collect and use user data responsibly. You should strive to minimise data collection, and provide transparency and control to users over their personal information. Both iOS and Android have guidelines and requirements for privacy, such as the App Privacy Details in the App Store and the Google Play Data safety section. Compliance involves adhering to these guidelines and any applicable data protection regulations like GDPR.
How the apps might approach compliance:
- Artisano, HomeConnect, MicroFund: All apps should collect only necessary user data, provide clear privacy policies, and obtain user consent where required. Users should have control over their data, such as options to delete or modify their information.
- MicroFund: Special attention is needed for this app due to its handling of sensitive financial data. It will need to ensure strict adherence to privacy principles and implement the applicable regulatory requirements.
Questions to guide decision making:
- What user data are we collecting, and is each data point necessary for app functionality?
- Are we transparent with users about our data collection and usage practices?
- Do we provide users with control over their data, such as options to delete or modify it?
- Are we compliant with relevant privacy laws and regulations in our operating regions?
- How are we ensuring that user data isn’t shared with third parties without explicit consent?
Mobile app security is a headache
Building a secure mobile app is one of those “the devil is in the details” pursuits. But it needs to be done.
For experienced app developers most of the OWASP MASVS is simply how it’s done. But there are strategic decisions to be made, particularly around data – its collection, its storage and its transmission.
Hopefully this guide has given you an actionable top level understanding of mobile app security and provided you with the questions you need to be asking to make sure your app is locked down on launch day.
There are always more details and more questions. If you have any questions feel free to get in touch. We’d be happy to answer them.