Monday 18 July 2011

Smartphone Apps

At the recent OWASP AppSec EU conference, Dan Cornell gave an update on the technical issues and risks posed by applications on smartphones, building on his talk from last year. The talk focused on the security-testing side, provides a good introduction to the area, and is well worth a read if you are involved with mobile applications.

From a wider information security perspective, and as an aid to anyone dealing with the implementation of smartphone-based apps, I have put together a short questionnaire that can be used to gain an initial understanding of an application and to highlight specific areas of risk (such as sensitive data being stored on the smartphone without encryption!). The answers can then be used to direct more targeted assurance activities.

The Questionnaire

Data Related:
  • Could you please describe the type of data handled by this app, and whether any of it is sensitive (personal, financial, credentials)?
  • Will any of this data be stored on the device?
  • If so, will the stored data be encrypted at rest by the app itself (rather than relying only on the device's passcode/lock), and where will the key be held?
  • Does the app encrypt data in transit?
  • If so, what method is used (e.g. TLS), and does the app validate the server certificate?

App focused:
  • Which platforms will be supported?
  • Where will the app be available for download (official app store, enterprise distribution, other)?
  • Does the app synchronise data to other devices (for example via iTunes to a user's laptop), or include it in device backups?
  • Does the app load or execute third-party active content (such as embedded web views or advertising libraries)?

Supporting Infrastructure:
  • How will the app be updated, and how will its content be managed?
  • Will web services be used to manage the app or to supply its data?
  • If so, will the web services infrastructure sit within our own networks or with a third party?

Technical Assurance:
  • Will the app be subjected to a security code review as part of the development process?
  • If so, will the report be shared?
  • Will the app be subjected to security testing as part of the development process?
  • If so, will the report be shared?
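The questionnaire is a screening tool; its answers point at where hands-on checks are worth the effort. As an added example (not part of the original post, and not a tool the author describes), the following Python script performs one such targeted check for the "Data Related" questions: it walks an app's extracted sandbox and flags SQLite columns and JSON keys whose names suggest a secret but whose values are stored as readable text. It assumes the app's files have already been pulled off the device into a local directory (for example from an unencrypted iTunes backup or the app's data directory); the file layout, the column and key names, and the regex of "sensitive" names are assumptions, and the sample sandbox it builds is constructed test data.

```python
"""Triage an extracted smartphone app sandbox for sensitive data stored
without encryption.  Added example for the post's "Data Related"
questions; not the original author's tooling.  Assumes the app's files
have already been copied off the device into a local directory.
"""
import json
import os
import re
import sqlite3
import tempfile

# Column/key names that commonly hold secrets (assumed list for the demo).
SENSITIVE_NAMES = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|ssn|card)", re.I)
# Loose heuristic for "readable text": printable ASCII only.
PRINTABLE = re.compile(rb"^[\x20-\x7e\r\n\t]+$")


def looks_plaintext(value) -> bool:
    """True if a stored value reads as text rather than ciphertext/blob."""
    if value is None:
        return False
    if isinstance(value, str):
        value = value.encode("utf-8", "replace")
    if isinstance(value, (bytes, bytearray)):
        return bool(value) and PRINTABLE.match(bytes(value)) is not None
    return True  # numbers and other scalars are trivially readable


def scan_sqlite(path):
    """Return (file, table.column) pairs whose column name suggests a
    secret and which hold at least one plaintext value."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE_NAMES.search(col):
                    continue
                rows = con.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'
                ).fetchall()
                if any(looks_plaintext(r[0]) for r in rows):
                    findings.append((os.path.basename(path), f"{table}.{col}"))
    finally:
        con.close()
    return findings


def scan_json(path):
    """Return (file, key) pairs for top-level JSON keys that look sensitive
    and hold a readable value."""
    findings = []
    with open(path, "r", encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except ValueError:  # not JSON, or not UTF-8
            return findings
    if isinstance(data, dict):
        for key, val in data.items():
            if SENSITIVE_NAMES.search(key) and looks_plaintext(val):
                findings.append((os.path.basename(path), key))
    return findings


def scan_sandbox(root):
    """Walk an extracted app directory and collect plaintext-secret findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith((".db", ".sqlite", ".sqlite3")):
                findings.extend(scan_sqlite(path))
            elif name.endswith(".json"):
                findings.extend(scan_json(path))
    return sorted(findings)


def build_sample_sandbox():
    """Build a fake sandbox: constructed test data, not from a real app."""
    root = tempfile.mkdtemp(prefix="app_sandbox_")
    db = os.path.join(root, "Library", "accounts.db")
    os.makedirs(os.path.dirname(db))
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users(id INTEGER, email TEXT, "
                "password TEXT, session_token BLOB)")
    # Password in the clear; token stored as opaque bytes (stands in for
    # a value the app encrypted before writing it).
    con.execute("INSERT INTO users VALUES (1, 'a@example.com', 'hunter2', ?)",
                (bytes([0x8F, 0x02, 0xD1, 0xFF, 0x7B, 0x91]),))
    con.commit()
    con.close()
    with open(os.path.join(root, "Library", "settings.json"), "w",
              encoding="utf-8") as fh:
        json.dump({"theme": "dark", "api_key": "sk_live_demo_1234"}, fh)
    return root


if __name__ == "__main__":
    for filename, location in scan_sandbox(build_sample_sandbox()):
        print(f"plaintext secret: {filename} -> {location}")
```

Run against the constructed sandbox it reports the plaintext password column and the API key in the settings file, and stays quiet about the opaque token. It is a heuristic: it only parses SQLite and JSON, so secrets in plists, the keychain or custom formats are not covered, and a readable value is only a lead to confirm by hand, not proof that the app skipped encryption.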
