December 3, 2024

    Collaborating to Secure Your Mobile App

    Mobile app security presents challenges that other parts of the application infrastructure do not. Mobile development teams tend to be small and only loosely coupled to the rest of an organization's application infrastructure. More importantly, a significant amount of the application logic runs on the end-user device, an environment an attacker can inspect, instrument and modify at will. Treating that device as trusted breaks traditional security assumptions: anything shipped in the app, including checks and secrets, has to be assumed visible to and changeable by the person holding the phone.

    Given that the mobile app can play a critical role in the user experience, as well as serve as the entry point for your brand, it is important to give the security of that application due consideration.

    Two teams, one goal

    We often see organizations share responsibility for securing their mobile app between a team of security professionals and the mobile app development team. This shared responsibility matters because the perspective and expertise of the security team is usually the impetus for implementing security controls, while the development team is ultimately responsible for maintaining a secure mobile app architecture and building it into their process.

    A certification, a pentest, or a security review by your security team can be the initial driver for deciding to take steps to secure your mobile app. At this stage, it is important to have clear discussions on the threat model for the app, the priority security goals, and the technology that will be necessary to support those goals.

    Guardsquare’s new approach helps your development team achieve those goals in an efficient way, without compromising on the user experience or performance of your app.

    Making the process repeatable

    One of the key criteria for the mobile app development team will be ensuring that maintaining the security controls can fit seamlessly into the app development process.

    With Guardsquare’s approach to mobile app protection, you can think of the process as having two distinct phases: setting the initial protection and creating repeatable builds. Setting the initial protection needs to be coordinated by a developer with an understanding of the security goals or in collaboration with the security professional in the team who understands the risks and threat model for the application. Our previous two blog posts, Instrumentation and Profiling and Intent-Based Protections, covered this initial configuration phase.

    Once you’ve identified the configuration choices and you’ve profiled your application, each subsequent minor update of your application can be an automated build step that is integrated as part of your CI workflow.

    Automating the creation of your protected builds starts with uploading an SSH public key to your organization account; any CLI commands you run are then authenticated with the corresponding private key, which lives on your development machine or CI runner. Treat that private key as a CI secret: keep it in the pipeline's secret store and load it into an agent for the duration of the job, rather than committing it to the repository or baking it into a build image.


    Once authentication is configured, the Guardsquare CLI or, for Android, the Gradle plugin can be used to automate the creation of your protected builds. For iOS, for example, you download the CLI with a curl command, install it in your build environment, and, once your repo has been checked out into the build workspace, issue the Guardsquare protect command to protect your app:

    guardsquare protect <input-file> --ssh-agent

    The input file (your unprotected application) then receives the protections defined by the latest security configuration you agreed on with your subject matter experts.

    The process for Android is similar but relies on Gradle tasks, which can be run directly from your IDE or as part of your CI pipeline.
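    The CLI step above is the one most teams end up scripting. The wrapper below is an added example, not Guardsquare's own tooling: it runs the pre-flight checks a CI job needs before calling `guardsquare protect <input-file> --ssh-agent` (is the artifact a packaged .ipa/.apk/.aab, does it exist, does the agent actually hold a key), records the SHA-256 of the unprotected input so each protected build can be tied back to its source artifact, and loads the private key into a job-scoped agent instead of writing it to disk. The secret variable name GUARDSQUARE_SSH_KEY and the GUARDSQUARE_BIN override are assumptions for illustration, not part of the product.

```shell
#!/bin/sh
# Added example, not Guardsquare's own tooling: a small CI wrapper around the
# `guardsquare protect <input-file> --ssh-agent` step described in the post.
# Assumptions not taken from the post: the CI system injects the private key
# that pairs with the uploaded public key as the secret variable
# GUARDSQUARE_SSH_KEY; GUARDSQUARE_BIN is a hypothetical override that exists
# only so the wrapper can be exercised without the real CLI installed.
set -eu

# Only packaged, unprotected artifacts should reach the protect step.
is_mobile_artifact() {
  case "$1" in
    *.ipa|*.apk|*.aab) return 0 ;;
    *) return 1 ;;
  esac
}

# Hash the unprotected input so the build log ties each protected build to
# the exact artifact it was derived from.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Load the key into an agent that lives only for this job: it is piped in
# from the secret variable rather than written into the workspace, and the
# agent is killed when the script exits.
start_agent_with_key() {
  eval "$(ssh-agent -s)" >/dev/null
  printf '%s\n' "$GUARDSQUARE_SSH_KEY" | ssh-add -
  trap 'ssh-agent -k >/dev/null' EXIT
}

# True when the agent the CLI will talk to holds at least one identity.
agent_has_key() {
  ssh-add -l >/dev/null 2>&1
}

# Pre-flight checks, then the protect step. Returns 2 on a bad input and
# otherwise passes through the CLI's own exit status.
protect_app() {
  input="$1"
  if ! is_mobile_artifact "$input"; then
    echo "refusing: $input is not an .ipa/.apk/.aab" >&2
    return 2
  fi
  if [ ! -f "$input" ]; then
    echo "refusing: $input does not exist" >&2
    return 2
  fi
  if ! agent_has_key; then
    echo "refusing: no key loaded in ssh-agent, the CLI could not authenticate" >&2
    return 2
  fi
  echo "protecting $input (sha256 $(sha256_of "$input"))"
  "${GUARDSQUARE_BIN:-guardsquare}" protect "$input" --ssh-agent
}

# Usage from a CI job: ./protect.sh build/MyApp.ipa
if [ $# -gt 0 ]; then
  start_agent_with_key
  protect_app "$1"
fi
```

    Failing fast on a missing key is deliberate: an authentication failure deep inside the protect step is harder to diagnose in a CI log than a clear refusal before the CLI is invoked, and the recorded input hash is what lets you answer later which unprotected build a given protected artifact came from.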

    It is important to note that all processing of your unprotected application happens locally, in your development environment or CI system; the unprotected binary is never sent to Guardsquare. Only the security configuration is managed through the web-based interface, while the protection itself is applied on your own infrastructure.

    Measuring & monitoring

    As your team iterates on your mobile application protection, updates the security configuration, and creates new protected builds, it is important that all stakeholders interested in your app's security posture can easily identify the outcomes for each build.

    For this purpose, the platform tracks KPIs and keeps a history of every build performed, which can be used to monitor progress over time.


    Beyond mobile app protection

    Once you’ve achieved consistent, repeatable protection for your mobile app, you can also think about other steps you can take to secure your app. Guardsquare offers additional services such as Mobile Application Security Testing and Threat Monitoring which can further strengthen the security and insights you have for your app.

    As you get more familiar with Guardsquare you will quickly be able to access these additional services from within your Guardsquare account.


    If you are interested in taking the next step in securing your mobile app, don’t hesitate to reach out to one of our experts today.

    Ryan Lloyd - Chief Product Officer
