Writing Secure Mobile Apps

 When building mobile apps, many tend to think that the mobile platform provides the security needed.  We have seen multiple clients come to us for Cybersecurity Verification, only to find that they didn’t follow the basic mobile security practices. There are multiple protections needed of the app, particularly for a medical device. Promenade wrote a blog about this awhile back but being such an important topic that is regularly forgotten, I will reiterate some of the important security controls.

Storage

Make sure stored sensitive such PHI/PII (Personal Health Information/Personally Identifiable Information) is stored encrypted with keys of at least 2048 bits. The tools to encrypt are readily available for the developer; no one needs advanced cypher expertise. But assuming security by obscurity is not a strong position to take, and not justifiable to your regulatory auditor.

 

Note also that the best encryption is only as good as its secure key storage. Creating a great key but storing it directly with the data is just head-scratching. Google’s Keystore or Apples KeyChain should always be used for storing passwords and keys.

 

Network

Ensure all traffic to servers uses TLS.  Use HTTPS, not HTTP and verify it is used under all circumstances. Developers can inadvertently use low level APIs that do not ensure use of TLS. To ensure a secure channel, it is also advised to only use specific Certificate Authorities (CAs) (certificate pinning).

Updates

Allowing your app to run on old versions of the OS makes your app exposed to the known vulnerabilities of that version. Many OS updates fix security vulnerabilities, so make sure your app requires the latest OS version to run.

And it’s not just the OS.  More than 90% of your app is from 3rd party libraries, so regularly review your app’s SBOM (Software Bill of Materials) for known vulnerabilities.

Security is like whack-a-mole; it’s a moving target.  To keep up, you will need to be able to enforce updates to your app appropriately.

 

Code Obfuscation

Code Obfuscation is something that app developers rarely think about but is pretty easy to reverse engineer most apps built. This means the source code can be read directly from the loaded app, and an attacker can see how the internals work.  Being able to view the code is not only a potential loss of intellectual property, but also a security risk. The first step to tampering with an app is understanding it. When doing Penetration tests for clients, we have found all sorts of clear vulnerabilities visible from the reversed engineered code, (including hard-coded passwords and back doors).  Make sure the code is obfuscated to make reverse engineering really hard.

 

Platform Integrity

We expect our mobile OS to be secure, but it is imperative to check for tampering.  If the platform has been rooted or jail-broken, all OS controls, such as sandboxing, biometrics, etc. cannot be trusted.  Your app should do an initial check of the OS integrity, and halt execution if tampering is detected.

 

OWASP Can Help

At Promenade, we develop our apps using the OWASP MASVS industry standard for Mobile Security.  OWASP MAS provides a great, free, online resource for describing mobile vulnerabilities and providing test code and tools to verify they are mitigated.  OWASP MAS covers the topics listed here in much more depth, as well as many more topics.

 

Conclusion

Mobile apps are increasingly a part of medical devices and device manufacturers need to be vigilant in following security best practices. The potential consequences of security breaches have caused regulators and healthcare organizations to require proper security safeguards, including the topics discussed here.  If you need help with any aspect, please reach out to us.

 

 

 

Need help on this topic?
Contact Us
Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.

linkedin logo
16 Technology Drive, Suite 100
Irvine, CA. 92618, U.S.A.
linkedin logo
linkedin logo
facebook logo
CONTACT US
SUBSCRIBE TO
NEWSLETTER
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
ABOUT
PROMENADE SOFTWARE

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485, and CyberMed • Cloud is SOC2 Type II certified.