
NCSC Publishes New Application Security Guidance

Application security development recommendations for Android, Apple and Windows come as data security seems ever-harder to ensure.

By Shrina Gohil

The UK’s National Cyber Security Centre (NCSC) has published a series of new application security recommendations for businesses that are seeking to develop and deploy apps on devices handling delicate data.

Although the guidance, published May 10, is aimed primarily at risk assessors and application developers, the paper provides valuable insights for organisations running applications on Apple, Android and Windows.

Applications that store, process, handle or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use, the NCSC emphasised.

The report comes as security becomes ever more important, amid regular stories on poorly configured cloud buckets, apps that siphon data from smartphones and the discovery of vulnerabilities in the PGP encryption used by email clients.


General Development Guidance Content

In the general guidance, the NCSC describes secure data handling, application hardening and third-party applications as three security areas that should be considered for any application platform.

Secure data handling aims to ensure that data is not exposed in any way, and covers the data storage APIs used, cryptography, data access authorisation, secure data transmission and session handling.


Application hardening involves developing the code so that vulnerabilities such as buffer overflows do not occur; this is supported by stack protection, code obfuscation, and jailbreak and root detection.

Android Guidance

The second part of the guidance is the Android Application Development Guidance which covers four sections specifically for all Android applications.

It first covers secure Android application development, explaining how datastore hardening and network protection can be achieved by implementing secure data storage and server-side controls.

Questions regarding important factors such as secure data transmission, IPC mechanisms, binary protection, client-side and server-side controls are answered in-depth. The final sections outline a range of security requirements, considerations and recommendations which show a range of technical best practices for Android.

Apple Guidance

The Apple iOS Application Development Guide is the third part of the collection. It outlines factors similar to those for Android, such as secure development, questions for developers and secure deployment of iOS applications. However, because the platform works differently from Android, the Apple guidance focuses on different mechanisms such as App Transport Security (ATS), Automatic Reference Counting (ARC), the iOS Keychain API and the iOS Data Protection API.
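To make the App Transport Security point concrete, here is an added example of an iOS `Info.plist` fragment; it is not from the NCSC guidance or the article. The first dictionary shows the weak setting a developer sometimes adds to "make it work" (`NSAllowsArbitraryLoads`, which switches ATS off for every connection), and the second shows the hardened alternative: ATS stays on globally, and only the one legacy host that genuinely needs it gets a narrowly scoped exception. The domain `legacy.example.com` is a constructed placeholder.

```xml
<!-- WEAK: disables ATS for the whole app. Every HTTP request, to any host,
     may now go out in cleartext or over outdated TLS. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- HARDENED: ATS remains on by default (HTTPS with modern TLS and forward
     secrecy required for all connections). A single legacy host is allowed
     an exception, scoped to that host only, and still pinned to TLS 1.2. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- constructed placeholder host; replace with the real legacy endpoint -->
        <key>legacy.example.com</key>
        <dict>
            <!-- do not apply the exception to subdomains -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- keep HTTPS mandatory even for the exception -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <!-- relax only the forward-secrecy cipher requirement for this host -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
    </dict>
</dict>
```

A quick review check for assessors: search the app's `Info.plist` for `NSAllowsArbitraryLoads`; if it is present and `true`, ask for the justification and a list of the hosts that actually need it, and push the developer towards per-domain exceptions as in the second block.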

Windows Guidance

The final report is the Windows Application Development Guidance, which offers application development advice along the same lines as the Android and Apple iOS guides: secure development, questions for developers and secure deployment. Its content is closer to the Android guide, as it discusses datastore hardening, network protection, authentication, data storage, binary protection, and client-side and server-side controls in the context of the Universal Windows Platform (UWP).

All in all, the NCSC's Generic Application Development Guide should give developers and information security professionals key information they may not have considered before, and ultimately improve how applications are developed, deployed and used.
