How do I know if a wireless app is secure?
Dear Control Engineering: After reading the Dark Side of Mobility, I’m concerned about downloading a mobile app that I was thinking about. How can I tell if it is secure or not?
The article expresses two major concerns. First, the application itself has to be secure. Second, no matter how good the application is, the network supporting it has to be secure, and that is likely the more difficult of the two. For the sake of this discussion, we’ll limit ourselves to the first.
In any case, what you hope is that the company that produced the desired app paid attention to security concerns as it was being written. The question is, how can you tell?
We went back to Matt Luallen, author of the mobility story, and asked him for a list of questions you could ask your vendor as you evaluate your app purchase. Here are his suggestions:
1. Do you provide security hardening guidance to your customers using your application? (For example, for the highest level of security, use this combination of settings, etc.)
2. How do you protect application information that may be cached or stored on the device?
3. Do you provide application protection of the network communication data or rely upon the device’s wireless security controls?
4. Have your application programmers been educated on secure programming tactics? What kinds of classes and materials?
5. Has the application, installed as recommended, been security tested internally? Are there any third-party evaluations?
Providers that waffle on any of these points or don’t have straightforward and positive answers are perhaps ones that you might want to reevaluate.
Peter Welander, firstname.lastname@example.org