1 Reply Latest reply on Jan 22, 2015 2:11 PM by Jon Tara

    App security best practices

    Hector Meza

      I have had several requests for application best practices as they pertain to security. Security is a very complicated topic, and mobile security typically touches many facets of an enterprise. There are many different application use cases and differing application methodologies (Web, Native, Hybrid, etc.), not to mention various deployment options (Corp asset, BYOD, WAN, WLAN, etc.). Also recognize that mobile platforms come in many flavors with varying degrees of capabilities. The attached document is intended to provide some thoughts around application security. The document is not intended to be a complete guide but should help as a reference. Please feel free to provide feedback and recommendations on improvements.

        • Re: App security best practices
          Jon Tara

          Thank you Hector, this looks great!

           

          I do see one missing point that should be covered, and that is the proper flow of OAuth authentication. The INTENDED flow is that the third-party site where authentication is made should be opened in the trusted system browser (i.e. NOT within the WebView inside the app itself).

          This way, users are assured that it is simply not possible for the app to capture the user's authentication information (e.g. user ID, password).

          After authentication, the user is directed back to the app with a token. Every mobile platform today supports this redirection, as does Rhodes.

          I see this often misused in apps, where the authentication is done within the app itself, which completely misses the point of OAuth.

          The risks include unfavorable user backlash (from savvy users), violation of third-party terms of service and subsequent denial of service, violation of App Store policy resulting in rejection/ejection of the app or banning of the developer, HIPAA or other applicable standard violations, lawsuits, criminal prosecution, etc. etc. etc.

          Separately, do we have an example showing the proper OAuth flow? If not, it would be very handy to have.
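An added example of the flow described in the reply above (example code written for this page; it is not from the original thread, from Rhodes, or from any OAuth provider). It uses the authorization code grant, so what comes back on the redirect is a one-time code that the app then exchanges for the token over a back channel. The app builds the authorization URL and hands it to the system browser, so the provider's login page is never rendered inside the app; all the app ever receives is the redirect to its own custom-scheme URI. The example goes a little beyond the post by adding the state parameter (so a forged redirect is rejected) and PKCE (RFC 7636, so a code intercepted by another app cannot be redeemed), both of which a public mobile client needs. The endpoint URL, client_id and redirect URI are assumptions, and the system browser plus authorization server are replaced by a constructed in-memory stand-in so the whole exchange runs offline.

```ruby
require 'securerandom'
require 'digest'
require 'base64'
require 'uri'
require 'cgi'

# ---- App side (constructed example; not Rhodes or provider code) ----

# Assumed values: a real app uses the provider's documented endpoint and the
# client_id / redirect URI it registered with that provider.
AUTHORIZE_ENDPOINT = 'https://auth.example.com/authorize'
CLIENT_ID          = 'example-mobile-app'
REDIRECT_URI       = 'com.example.app://oauth/callback' # custom scheme the OS routes to the app

def base64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so the state check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1: build the URL handed to the system browser.  The app never renders
# the provider's login page, so it never sees the password.  state ties the
# redirect back to this request (CSRF defence); the PKCE verifier/challenge
# pair binds the code to this app instance, since a public client has no
# client secret with which to prove it is the same caller.
def build_authorization_request
  state         = base64url(SecureRandom.random_bytes(16))
  code_verifier = base64url(SecureRandom.random_bytes(32))
  challenge     = base64url(Digest::SHA256.digest(code_verifier))
  params = { 'response_type' => 'code', 'client_id' => CLIENT_ID,
             'redirect_uri' => REDIRECT_URI, 'scope' => 'profile',
             'state' => state, 'code_challenge' => challenge,
             'code_challenge_method' => 'S256' }
  { url: "#{AUTHORIZE_ENDPOINT}?#{URI.encode_www_form(params)}",
    state: state, code_verifier: code_verifier }
end

# Step 2: the OS delivers the redirect URL to the app.  Accept it only if it
# targets our registered redirect URI and carries the state we generated.
def handle_callback(callback_url, expected_state)
  uri = URI.parse(callback_url)
  target = "#{uri.scheme}://#{uri.host}#{uri.path}"
  return { error: 'wrong redirect uri' } unless target == REDIRECT_URI
  query = CGI.parse(uri.query.to_s)            # values are arrays
  state, code = query['state'].first, query['code'].first
  return { error: 'state mismatch' } unless state && secure_compare(state, expected_state)
  return { error: query['error'].first || 'no code' } unless code
  { code: code }
end

# Step 3: the back-channel request that swaps the one-time code for a token.
def token_request(code, code_verifier)
  { 'grant_type' => 'authorization_code', 'code' => code,
    'redirect_uri' => REDIRECT_URI, 'client_id' => CLIENT_ID,
    'code_verifier' => code_verifier }
end

# ---- Constructed stand-in for the system browser + authorization server ----
# Performs the checks a real provider performs, with no network involved.
class FakeAuthServer
  def initialize
    @pending = {}
  end

  # The user signs in on the provider's page in the system browser; the
  # provider redirects to the app's URI with a one-time code and the state.
  def authorize(url)
    q = CGI.parse(URI.parse(url).query.to_s)
    code = base64url(SecureRandom.random_bytes(12))
    @pending[code] = { challenge: q['code_challenge'].first,
                       redirect_uri: q['redirect_uri'].first }
    "#{q['redirect_uri'].first}?#{URI.encode_www_form('code' => code, 'state' => q['state'].first)}"
  end

  # Token endpoint: the code is single use, must come back with the same
  # redirect URI, and the verifier must hash to the challenge sent earlier.
  def token(params)
    entry = @pending.delete(params['code'])
    return { 'error' => 'invalid_grant' } unless entry
    return { 'error' => 'invalid_grant' } unless entry[:redirect_uri] == params['redirect_uri']
    expected = base64url(Digest::SHA256.digest(params['code_verifier'].to_s))
    return { 'error' => 'invalid_grant' } unless secure_compare(expected, entry[:challenge])
    { 'access_token' => base64url(SecureRandom.random_bytes(24)), 'token_type' => 'Bearer' }
  end
end

# The whole exchange from the app's point of view.
def run_flow(server)
  req = build_authorization_request
  callback = server.authorize(req[:url])     # real app: open req[:url] in the system browser
  result = handle_callback(callback, req[:state])
  return result if result[:error]
  server.token(token_request(result[:code], req[:code_verifier]))
end

puts run_flow(FakeAuthServer.new).inspect if __FILE__ == $PROGRAM_NAME
```

The point of the split into three steps is that the only thing crossing from the browser into the app is the redirect URL, and the app validates that URL before trusting anything in it: a redirect that targets a different URI, carries the wrong state, or replays a code that has already been redeemed is rejected. On a real device the `server.authorize` call is replaced by opening the URL in the system browser and the `server.token` call by an HTTPS POST to the provider's token endpoint.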