The UK’s National Cyber Security Centre (NCSC) has published a series of new application security recommendations for businesses that are seeking to develop and deploy apps on devices handling sensitive data.
Although the guidance, published May 10, is aimed primarily at risk assessors and application developers, the paper provides valuable insights for organisations running applications on Apple, Android and Windows.
Applications that store, process, handle or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use, the NCSC emphasised.
The report comes as security becomes ever more important, amid regular stories on poorly configured cloud buckets, apps that siphon data off smartphones and the discovery of vulnerabilities in email clients for PGP encryption.
General Development Guidance Content
In the general guidance, the NCSC describes secure data handling, application hardening and third-party applications as three security mechanisms that should be considered in the application platform.
Secure data handling ensures data is not revealed in any way by taking data storage APIs, cryptography, data access authorisation, secure data transmission and session handling into consideration.
Application hardening involves developing the code so vulnerabilities such as buffer overflows do not occur; this is done through stack protection, code obfuscation, and jailbreak and root detection.
The second part of the guidance is the Android Application Development Guidance, which covers four sections specifically for all Android applications.
It first covers secure Android application development, explaining how successful datastore hardening and network protection can be achieved by implementing secure data storage and server-side controls.
Questions regarding important factors such as secure data transmission, IPC mechanisms, binary protection, and client-side and server-side controls are answered in depth. The final sections outline a range of security requirements, considerations and recommendations which show a range of technical best practices for Android.
The Apple iOS Application Development Guide is the third part of the collection. It outlines similar factors to the Android guidance, such as secure development, questions for developers and secure deployment of iOS applications. However, it focuses on different mechanisms, such as App Transport Security (ATS), Automatic Reference Counting (ARC), the iOS Keychain API and the iOS Data Protection API, because iOS functions differently from Android.
The final report is the Windows Application Development Guidance, which offers similar application development advice to the Android and Apple iOS guides: secure development, questions for developers and secure deployment. However, this report focuses on features more comparable to Android, as it discusses datastore hardening, network protection, authentication, data storage, binary protection, and client-side and server-side controls with the Universal Windows Platform (UWP).
All in all, the Generic Application Development Guide by NCSC will be able to provide developers and information security professionals with key information that they may not have considered before, and will ultimately improve application security development, deployment and use.
This article is from the CBROnline archive: some formatting and images may not be present.