Insufficient security standards in an app marketplace make it difficult to manage security controls at the application level. Having a strong security checklist in place not only improves app security but also the ecosystem involved in the development process. Robust security standards and well-defined guidelines also differentiate a platform from the others.
This checklist can help you become an industry leader when it comes to application security.
1. SSL implementation check
Checking the SSL implementation is vital for most apps. It protects the app from MITM attacks and secures communication between the mobile app and the server.
2. Sensitive information management at client side
An application should not store sensitive information such as encryption keys, usernames and passwords in shared preferences, files or other local storage or memory. If an application stores sensitive information in a database, the database must be encrypted with the SQLCipher library. Sensitive information must be taken into account before the app is uploaded to the marketplace.
3. Code obfuscation
Strong code obfuscation standards need to be in place. Applications should encrypt or obfuscate their code to make reverse engineering harder.
4. Obsolete cryptographic libraries identification
Apps should use current cryptographic algorithms that are considered safe and recommended. App developers must avoid rolling their own implementation of cryptography.
5. Validation checks at both client side and server side
Developers sometimes perform validation only on the client side. This leaves the server exposed, since a client-side check can be bypassed by tampering with the request in transit (MITM). Check for input validation in all possible scenarios.
6. Input sanitisation
Sanitise user inputs to strip malicious characters. Apps should use whitelisting to define the set of allowed characters.
7. Encode and decode
Apps should always use a standard encoding for user input sent from the client side, and implement the matching decoding mechanism on the client for data sent from the server side. All encoding and decoding standards should be tested.
8. Implement checksums and tokens
A best practice for developers is to implement checksums on the data passed from the client to the server, in order to check the integrity of the data. Implement tokens to protect the app from CSRF attacks.
9. Secure response headers
Check for the implementation of secure response headers.
10. Authorisation testing
Test authorisation at every level. Server-side resources should be properly configured according to the user roles in the application.
11. Session management
Sessions should be properly implemented to avoid session-based attacks. Developers should generate random session identifiers and make sure sessions are terminated after a set time frame or after a period of inactivity. Check that sessions expire after logout; otherwise a previous session can be reused for account takeover.
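As an added example (not code from the original checklist), the server-side session logic these checks describe, in Python: random identifiers, an absolute lifetime plus an idle timeout, rotation, and invalidation on logout. The lifetime values and the injectable clock are assumptions made for the example.

```python
import secrets
import time

# Policy values are assumptions for this example, not figures from the checklist.
ABSOLUTE_LIFETIME = 8 * 60 * 60   # seconds a session may live regardless of activity
IDLE_TIMEOUT = 15 * 60            # seconds of inactivity after which it is terminated


class SessionStore:
    """Server-side session table: random ids, absolute and idle expiry, logout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}          # session id -> {"user", "created", "last_seen"}

    def create(self, user_id):
        # 32 random bytes from the OS CSPRNG; never derive ids from user data or time.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user bound to a live session, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > ABSOLUTE_LIFETIME
        too_idle = now - rec["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[sid]   # drop the server-side state, not just the cookie
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid):
        """Issue a fresh id (e.g. after login or a privilege change) and retire the old one."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def logout(self, sid):
        # Invalidate server side so a captured old id cannot be replayed for account takeover.
        self._sessions.pop(sid, None)
```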
12. Protect the OS components
Check that android:exported is set to false for components in the Android application when other applications are not meant to interact with those components of your app.
13. Implementing password policy
Most mobile applications still use weak password policies. Enforcing a minimum password length of 8 and requiring at least one numeric, one uppercase, one lowercase and one special character helps ensure security at the human level.
14. Implement Captcha
To prevent brute-force attacks, apps should implement reCAPTCHA from Google.