The growing number of cloud-based services for mobile apps is a godsend to developers. But what are the security ramifications? Here are four things to consider.
Mobile apps are a natural stepping stone to the cloud. Because developers can leverage cloud-based services for tasks such as logging, notifications and billing and payments, they can focus on the app client logic and leave the server-side features to the cloud. The result is faster delivery and better apps.
But what makes it faster and cheaper may also make it riskier: Mobile apps are increasingly dependent on cloud services that the apps team didn’t build, the organization doesn’t own, and the ops team doesn’t even know about.
Therefore, to create effective mobile apps, you must trust in the cloud.
Given that your apps teams take chances on mobile security, how do you mitigate risk when using third-party services in the cloud? Below are four things to consider:
Before you can consider the quality of someone else’s security, you must get your own in order. Organizations are accustomed to asking, “Will the application work in production?” and “Will it scale and perform well under load?” But now they must ask a third question: “Will it be secure?”
Now that you’re asking questions about your applications’ security, you’d do well to actively improve it. Ensure that your developers are coding with security in mind, starting before they ever write that first line of code. Aside from the security benefit, you will also increase development productivity, because you’ll avoid the rework that inevitably comes when you add in security after the fact. And with the time you save, you can spend valuable development resources and time on innovation instead of firefighting, troubleshooting and fixing vulnerabilities.
Next, you’ll want to ensure that you’ve secured the entire mobile stack, from the mobile device to the server, including the communications between the two. Know where you’re using credentials and sensitive data; track them through the device, network and back end; then test all of those components for security.
Use software that can help you pinpoint, with line-of-code precision, the root cause of potential vulnerabilities in apps developed for the most commonly used smartphone platforms. Use static analysis tools during development, and run dynamic security analyses against the web services that will interact with your mobile apps.
As your developers continue to take advantage of cloud services for mobile apps, you might wonder how you can be certain that it’s OK to trust a particular cloud service. The answer is simple: You can’t be certain. That’s why you have to do what you can on your side.
The most recent issue of the Discover Performance newsletter (from which this post was adapted) has more insights and best practices about mobile app security.