Ask a Developer: How to Become a Developer Security Advocate
When building a mobile application, app developers tend to focus on functionality, performance, and user experience. Security is often deprioritized in favor of these areas and the need to meet release timelines. It can be challenging to bring intuitive, easy-to-use mobile apps to market while also ensuring they are not at risk of being reverse engineered or tampered with, which can lead to a variety of issues.
Ed Holloway-George is a passionate security advocate for development teams. We spoke with him about how he approaches mobile app security, balancing performance, user experience and security, and other advice for developers to ensure their hard work is well protected.
Q1: For those in our audience who may not know you, can you give us a 15-30 second intro to yourself?
Hi, I’m Ed Holloway-George, a mobile lead and Google Developer Expert for Android. I started my career in mobile development just over 10 years ago and have worked across a number of products in quite diverse industries. Essentially everything from FinTech, Fashion and mobile games to writing a ‘Facebook for dog owners’ app (yes, really).
My passion is mobile development, writing code and turning complex codebases into something that eventually delights users and developers alike. If this Q&A resonates with you, feel free to check out more of my content via my online moniker ‘Sp4ghettiCode’!
I have taken a real interest in mobile application security and have created a ton of content on this subject with the hope of helping to fix what I have witnessed to be a common gap in knowledge within the mobile developer community. I love learning and sharing newfound knowledge with the world; so far, thankfully, it’s been well received!
Outside of development, you’ll find me listening to progressive metal, playing trading card games or posting pictures of my dog online.
Q2: Can you briefly summarize the different aspects of mobile application security and what code protection means in that context?
When we talk about ‘mobile application security’, developers (or the general public for that matter) may be immediately drawn to more widely known ‘trendy’ topics such as malware, phishing or adware. Now, these are valid concerns; however, they are not unique to the mobile platforms we work on. In fact, more often than not, threats such as these are inherently protected against by the mobile operating systems’ security features themselves. Regular security-focused updates, password protection/monitoring and secure hardware are now very much front and center of the mobile platforms’ ongoing push for better security for all.
However, as developers we must be aware of the specific security concerns that relate to our mobile apps. It is often trivial for an attacker to gain access to an app’s binaries, to reverse engineer an app’s code, to search for sensitive strings or to intercept any network requests as, sadly, there is only so much the operating system can do to protect users from the choices we as developers make when building our apps.
It’s not all doom and gloom though, as ‘code protection’ is a useful tool that can be put to use to mitigate a number of potential threats in mobile apps. Code protection is the practice of securing an app’s source code and the compiled binaries from unauthorized access, modification, or reverse engineering. As it is not a mobile operating system feature but instead a part of the build process for a mobile application, it should undoubtedly be something that is utilized by app developers to ensure their mobile apps and the important information within are kept secure.
Q3: When building a new mobile application, can you provide some insights on how developers should factor protection into the initial development cycle? And once published, as part of the ongoing development and maintenance of the mobile app?
When developers get the chance to start a new project, it’s very easy to get caught up in all the exciting decisions that need to be made during those initial few weeks. Topics such as “What language are we going to use?”, “What architecture shall we go for?”, “What fancy new libraries can I use?” and, of course, my personal favorite, “How many all-nighters will it take to get v1.0 out the door?”. However, taking a step back to consider security is an absolute must from day 0 as not doing so is setting yourself up for failure.
In my experience, security is often neglected during the initial development cycle and left as a tick-box exercise either once the app is launched or shoe-horned in prior to release without the care and attention it deserves. So to get off on the right foot, I usually recommend starting with simple integrations and mobile app security testing tools. These can take just a few minutes to set up as part of your regular CI pipeline, so it’s a task that can be done very early with little to no real development effort. From that point onwards, app security testing tools, such as AppSweep, can scan your app binaries and quickly report back with any dependency vulnerabilities, security anti-patterns or other issues to ensure you are able to continuously monitor your app from the start. As you scan more binaries over time, AppSweep builds a dashboard showing your app’s vulnerabilities to ensure you are (hopefully) reducing the number of issues as you address them, which is incredibly helpful when considering the ongoing development and maintenance of your apps.
I try to use AppSweep in all my pet projects and it is certainly robust and mature enough to use in production on both iOS and Android platforms! When it finds an issue, it provides clear guidance on how to resolve it as well as linking to relevant resources such as the OWASP Mobile Application Security Verification Standard (MASVS).
The MASVS is an industry-standard guide on how to write apps securely and an excellent place for developers to learn more about best practices. In my experience, it’s super helpful to have mobile-specific guidance within a security tool.
Q4: Have you ever faced the challenge of balancing performance vs. security? How do you tackle that?
Balancing performance and security is a challenge when developing a mobile app as both aspects are essential for delivering a successful, reliable and secure application.
Typically, you can identify areas of your app that require high performance by considering a user’s key journey. For example, an e-commerce app would want to make the flow of purchasing a product as smooth as possible, a social media app would seek to ensure the creation and viewing of content is seamless, and a ride-share app would want the discovery of available vehicles and booking to be quick. In all of these scenarios, it is conceivable that there are different types of security risks, but a user would rightly expect the process to be both performant and secure, not one or the other.
I have been fortunate enough to mostly work in teams where security is treated as a first-class citizen, but having spoken to many other developers and project managers, it’s a sad fact that plenty of businesses do treat security as an optional extra due to the perceived complexity or potential to hinder app performance. The truth is, with proper planning and consideration, you can develop highly performant applications that keep users secure and follow best practices. It is a case of being disciplined and ensuring the security needs of your users are considered at every step of the development lifecycle, from the initial conception right until the product is tested and ready to be shipped to users.
Building with this mindset allows you to add security throughout your apps, including the key areas requiring high performance, and avoids situations where security is hastily added at a later date or avoided due to the risk of affecting performance. Of course, as with most technical decisions, there will occasionally be compromises to make, but considering security throughout the development lifecycle is a must.
Q5: Have you witnessed any promising trends from teams or security professionals in how they prioritize security earlier in the development process?
Recently, I have seen a real interest in companies adopting a ‘security champion’ program. The idea behind these programs is to bridge the gap between cybersecurity teams and other disciplines. As a mobile developer, I might not be an expert in cybersecurity, but I do have domain specific knowledge that I can communicate with the security team and help bridge the knowledge gaps between the two. Having a cybersecurity team isn’t necessarily a requirement for this to work (but it helps). The analogy I use is that a security champion essentially becomes the ‘Rosetta stone’ for their team to help translate the security needs of the business into domain-specific language.
This seems to be a really popular and effective approach. In fact, I know of one particular data-warehousing company that, through a process of education, gamification and knowledge sharing, ended up with 10% of the entire company, not just tech, performing security-related tasks related to their jobs. I did a talk about this where I go into detail on how you can implement a program of your own. I recommend checking that out if you want to find out more!
__
On behalf of the Guardsquare team, we really appreciate the time Ed took to provide his insights on mobile app security from a developer’s standpoint. If you haven’t already, make sure to check out Ed’s presentations, blogs, and more!