The lack of security standards on an app marketplace makes it difficult to manage security controls at the application level. Having a strong security checklist in place improves not only the security of each app but also the whole ecosystem involved in the development process. Robust security standards and well-defined guidelines also differentiate a platform from its competitors.
This checklist will help you become a leading marketplace in terms of application security.
1. SSL implementation check
Checking the SSL/TLS implementation is vital for almost every app. Correct TLS protects the app from MITM attacks and secures communication between the mobile app and the server. Verify that the app never disables certificate validation (for example, a custom TrustManager that accepts every certificate, or a hostname verifier that always returns true), that release builds reject self-signed certificates, and consider certificate pinning for high-value connections.
2. Sensitive information management at client side
An app should not store sensitive information such as encryption keys, usernames and passwords in shared preferences, plain files or any other local storage, and should not keep it in memory longer than needed. If an application must store sensitive information in a database, encrypting the database with the SQLCipher library is advised. Before the app is uploaded to the marketplace, audit the build for sensitive information that is still present, such as hard-coded keys or test credentials.
3. Code obfuscation
Strong code obfuscation standards should be in place. Applications should obfuscate (and, where feasible, encrypt) their code to make reverse engineering harder; on Android, ProGuard or R8 are the usual tools. Obfuscation only slows an attacker down, so it must never be relied on to hide secrets such as API keys embedded in the app.
4. Obsolete cryptographic libraries identification
Apps must always use current cryptographic algorithms that are considered safe and recommended, and must not rely on obsolete ones such as MD5 or SHA-1 for integrity or signatures, DES or RC4 for encryption, or insecure constructions such as AES in ECB mode. App developers should avoid writing their own implementation of cryptography and use the platform's vetted libraries instead.
5. Validation checks at both client side and server side
Sometimes developers perform validation only on the client side. Client-side checks can be bypassed entirely: an attacker can intercept and modify requests with a proxy, or call the API directly, so the server receives data that was never validated. Validation must therefore be enforced on the server for every input and every scenario; client-side validation is only a usability feature.
6. Input sanitisation
Sanitise user inputs to free them of malicious characters. Apps should use whitelisting (allow-listing): define the set of characters permitted for each field and reject or strip anything else, rather than trying to enumerate every bad character.
7. Encode and decode
Apps should use a standard encoding for user-supplied data that is sent back to the client (for example HTML entity encoding or URL encoding, chosen to match the context the data will be placed in), and the client should decode data received from the server with the matching mechanism. Test every encoding and decoding path: a mismatch between the encoding applied and the output context is what lets injected characters through.
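The following is an added example, not code from the original checklist, showing items 5, 6 and 7 together on the server side: allow-list validation that runs regardless of what the client checked, strip-style sanitisation for a free-text field, and context-specific output encoding. The field names, character sets and the request handler are assumptions made for the example.

```python
import html
import re
import urllib.parse

# Allow-list per field: the pattern must match the whole value.  Field names and
# character sets are assumptions made for this example, not taken from the page.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "phone": re.compile(r"\+?[0-9]{7,15}"),
    "comment": re.compile(r"[A-Za-z0-9 .,!?'\-]{1,280}"),
}

# Characters that are NOT on the comment allow-list; used for stripping.
COMMENT_DISALLOWED = re.compile(r"[^A-Za-z0-9 .,!?'\-]")


def validate(field, value):
    """Server-side allow-list validation.  Returns the value if every character
    is permitted for the field, otherwise raises ValueError.  This runs on the
    server regardless of what the mobile client checked, because the client can
    be bypassed with an intercepting proxy."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValueError("unknown field %r" % field)
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValueError("invalid value for field %r" % field)
    return value


def sanitise_comment(value):
    """Strip-style sanitisation for free text: keep only allow-listed characters.
    Prefer outright rejection (validate) where a field has a strict format;
    stripping is for fields where silently dropping characters is acceptable."""
    return COMMENT_DISALLOWED.sub("", value)


def encode_for_html(value):
    """Output encoding for data placed in an HTML body or attribute."""
    return html.escape(value, quote=True)


def encode_for_url(value):
    """Output encoding for data placed in a URL query parameter."""
    return urllib.parse.quote(value, safe="")


def handle_profile_update(form):
    """Constructed request handler: validate every field first, then encode each
    value for the context it will be rendered into.  Raises ValueError on bad
    input so the caller can answer with HTTP 400."""
    username = validate("username", form.get("username", ""))
    phone = validate("phone", form.get("phone", ""))
    comment = validate("comment", sanitise_comment(form.get("comment", "")))
    return {
        "username_html": encode_for_html(username),
        "phone_html": encode_for_html(phone),
        "comment_html": encode_for_html(comment),
        "profile_link": "/users?name=" + encode_for_url(username),
    }


if __name__ == "__main__":
    # Constructed sample input, including an injection attempt in the comment.
    sample = {"username": "alice_01", "phone": "+4412345678",
              "comment": "Hi <script>alert(1)</script> there!"}
    print(handle_profile_update(sample))
    try:
        validate("username", "alice<script>")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the encoding functions are chosen per output context: the same username is HTML-escaped when rendered into a page and percent-encoded when placed in a link, and neither replaces the validation step that happens first.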
8. Implement checksums and tokens
A best practice for developers is to implement checksums on data passed between the client and the server to verify its integrity. Prefer a keyed HMAC computed with a server-held key over a plain hash, because an attacker who can modify the data can also recompute an unkeyed hash; a checksum computed by the client with a key embedded in the app only detects accidental corruption, since that key can be extracted from the app. Implement anti-CSRF tokens to protect the app from CSRF attacks.
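As an added example that is not part of the original checklist, the block below implements both halves of item 8: an HMAC-SHA256 tag over a canonical JSON serialisation (so the server can detect that data it handed out was altered before it came back) and per-session anti-CSRF tokens, both compared in constant time. The key, session ids and order payload are constructed for the example; in production the key comes from a secret store.

```python
import hashlib
import hmac
import json
import secrets

# Assumption for this example: a key held only by the server.  In production it
# is loaded from a secret store, never written as a constant in the code.
SERVER_KEY = secrets.token_bytes(32)


def canonical(payload):
    """Serialise a dict deterministically so both sides hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_payload(payload, key=SERVER_KEY):
    """Return a hex HMAC-SHA256 tag over the payload.  A keyed MAC, not a bare
    hash: without the key an attacker cannot produce a valid tag after editing
    the data."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify_payload(payload, tag, key=SERVER_KEY):
    """True only if the tag matches the payload.  compare_digest avoids the
    timing side channel a plain string comparison would leak."""
    if not isinstance(tag, str):
        return False
    expected = sign_payload(payload, key)
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


# Anti-CSRF tokens: one unpredictable token per session, kept server side.
_csrf_tokens = {}


def issue_csrf_token(session_id):
    """Generate and remember a fresh CSRF token for this session.  The server
    embeds it in the form or page and expects it back on every state-changing
    request; a cross-site attacker cannot read it and so cannot supply it."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def check_csrf(session_id, submitted):
    """Constant-time check of the submitted token against the stored one."""
    expected = _csrf_tokens.get(session_id)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


if __name__ == "__main__":
    # Constructed example: the server hands the client a signed order summary and
    # later verifies that what came back was not altered in transit.
    order = {"order_id": 1001, "amount_cents": 2599, "currency": "EUR"}
    tag = sign_payload(order)
    print("genuine :", verify_payload(order, tag))
    tampered = dict(order, amount_cents=1)
    print("tampered:", verify_payload(tampered, tag))

    sid = "session-abc"
    tok = issue_csrf_token(sid)
    print("csrf ok :", check_csrf(sid, tok), "forged:", check_csrf(sid, "guess"))
```

The canonical serialisation matters as much as the MAC: if the two sides serialise the same data differently (key order, whitespace), every genuine request fails verification and developers are tempted to weaken the check.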
9. Secure response headers
Check for the implementation of secure response headers such as Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff and X-Frame-Options (or the CSP frame-ancestors directive), plus Cache-Control: no-store on responses that carry sensitive data.
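The block below is an added example, not part of the original checklist, of the check item 9 asks for: it parses the head of a raw HTTP response and reports which of the common security headers are missing or weakly configured. The two sample responses are constructed for the example, and the one-year HSTS minimum is an assumed baseline rather than a value from the page.

```python
import re

# Minimum HSTS max-age accepted by this check (one year; an assumed baseline).
MIN_HSTS_MAX_AGE = 31536000


def parse_response_headers(raw):
    """Parse the head of a raw HTTP response into a dict keyed by lower-cased
    header name.  The status line is skipped; a repeated header keeps the last value."""
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return a list of findings for a parsed header dict; an empty list means
    the response passes every check implemented here."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is below one year")

    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not set to nosniff")

    # Either mechanism blocks framing; CSP frame-ancestors is the modern form.
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "no-store" not in headers.get("cache-control", "").lower():
        findings.append("Cache-Control does not include no-store")

    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append("Server header discloses a version: %s" % server)

    return findings


def audit_raw_response(raw):
    """Convenience wrapper: raw response text in, findings out."""
    return check_security_headers(parse_response_headers(raw))


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Server: Apache/2.4.41
Cache-Control: public, max-age=60
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Cache-Control: no-store
Server: nginx
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label + ":")
        for finding in audit_raw_response(raw) or ["no findings"]:
            print("  -", finding)
```

Run it against the real API responses captured with an intercepting proxy; the parser only needs the header block, so the body can be dropped before pasting.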
10. Authorisation testing
Test authorisation at every level. Server-side resources must be configured according to the user roles defined in the application, and every request must be checked for both the caller's role and the specific object being accessed, so that a user cannot read or modify another user's data simply by changing an identifier in the request.
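As an added example that is not code from the original checklist, the block below shows the two layers item 10 refers to: a function-level role check, and an object-level ownership check that stops one customer from operating on another customer's order by guessing its id. The roles, the order table and the three operations are assumptions made for the example.

```python
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin" in this example


class Forbidden(Exception):
    """Raised when the caller is authenticated but not allowed to do this."""


# Constructed sample data standing in for a database table.
ORDERS = {
    101: {"owner_id": 1, "total_cents": 2000},
    102: {"owner_id": 2, "total_cents": 3500},
}


def require_role(*roles):
    """Function-level check: the caller's role must be one of the listed roles."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user.role not in roles:
                raise Forbidden("%s requires role %s" % (fn.__name__, " or ".join(roles)))
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def load_order_for(user, order_id):
    """Object-level check: a customer may only touch orders they own.  Without
    this, any customer could read or change another customer's order just by
    changing the id in the request (an insecure direct object reference)."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    if user.role != "admin" and order["owner_id"] != user.id:
        raise Forbidden("order %d does not belong to user %d" % (order_id, user.id))
    return order


@require_role("customer", "admin")
def get_order(user, order_id):
    return load_order_for(user, order_id)


@require_role("customer", "admin")
def cancel_order(user, order_id):
    order = load_order_for(user, order_id)
    order["cancelled"] = True
    return order


@require_role("admin")
def refund_order(user, order_id):
    # Role check alone is enough here: admins may refund any order.
    order = load_order_for(user, order_id)
    order["refunded"] = True
    return order


if __name__ == "__main__":
    alice = User(id=1, role="customer")
    mallory = User(id=2, role="customer")
    admin = User(id=99, role="admin")
    print(get_order(alice, 101))
    for who, action, oid in ((mallory, get_order, 101), (alice, refund_order, 101)):
        try:
            action(who, oid)
        except Forbidden as exc:
            print("denied:", exc)
    print(refund_order(admin, 101))
```

When testing, exercise both layers separately: log in as one customer and request another customer's ids (object level), and call admin-only endpoints with a customer session (function level). A passing role check says nothing about the object check.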
11. Session management
Sessions should be implemented correctly to avoid session-based attacks. Developers should generate session identifiers with a cryptographically secure random generator and ensure sessions are terminated after a fixed maximum lifetime and after a period of inactivity. Pay particular attention to session expiration after logout: if the previous session identifier remains valid on the server, it can be used for account takeover.
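The following is an added example, not part of the original checklist, of a session store that does what item 11 asks: identifiers from the OS CSPRNG, an absolute lifetime, an idle timeout, server-side invalidation on logout, and identifier rotation after login. The timeouts and the injectable clock are choices made for the example so that expiry can be exercised without waiting.

```python
import secrets
import time


class SessionStore:
    """In-memory session store with random ids, absolute and idle expiry,
    invalidation on logout and id rotation.  The clock is injectable so expiry
    can be tested without sleeping."""

    def __init__(self, absolute_lifetime=8 * 3600, idle_timeout=15 * 60, clock=time.time):
        self._sessions = {}
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self.clock = clock

    def _new_id(self):
        # 32 bytes from the OS CSPRNG; never a counter, timestamp or user id.
        return secrets.token_urlsafe(32)

    def create(self, user_id):
        sid = self._new_id()
        now = self.clock()
        self._sessions[sid] = {"user_id": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user id for a live session, or None.  A session that has
        outlived its absolute lifetime or sat idle too long is deleted, not just
        reported expired, so it cannot be revived later."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > self.absolute_lifetime or now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user_id"]

    def logout(self, sid):
        """Server-side invalidation: after this the old id is useless even if an
        attacker captured it, which is the check the text calls out."""
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """Issue a fresh id for an existing session (call on login and privilege
        change) so an id fixed or observed before authentication is not kept."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = s
        return new_sid

    def count(self):
        return len(self._sessions)


if __name__ == "__main__":
    fake_now = [1_000_000.0]
    store = SessionStore(absolute_lifetime=3600, idle_timeout=600, clock=lambda: fake_now[0])
    sid = store.create(user_id=7)
    print("fresh :", store.resolve(sid))
    fake_now[0] += 601
    print("idle  :", store.resolve(sid))
    sid = store.create(user_id=7)
    store.logout(sid)
    print("logout:", store.resolve(sid))
```

The test for item 11 is the one the text describes: capture a session id, log out, then replay the id. If the server still answers as the logged-in user, the logout only cleared client state.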
12. Protect the OS components
Check that android:exported="false" is set on the components (activities, services, broadcast receivers and content providers) of an Android application unless other applications are intended to interact with them. Any component that must remain exported should be protected with a permission and must validate whatever it receives.
13. Implementing password policy
Most mobile apps still use weak password policies. Enforcing a minimum password length of 8 and requiring at least one digit, one uppercase letter, one lowercase letter and one special character raises security at the human level. Rejecting passwords that appear on common or breached password lists adds considerably more, since composition rules alone still permit choices such as Password1!.
14. Implement Captcha
To prevent brute force attacks, apps should implement a CAPTCHA such as Google's reCAPTCHA on login and registration. A CAPTCHA alone is not sufficient: combine it with server-side rate limiting and account lockout or progressive delays, and make sure the CAPTCHA result is verified on the server rather than only in the app, since an attacker can call the API directly.