Fundamental Guidance Principles
This guidance aims to mitigate the risk of losing data classified as OFFICIAL by describing secure development practices. It encompasses general application development advice along with platform-specific guidance. The principles outlined below are integral to this approach:
- Applications that store, process, or access protectively marked information must adhere to specific security requirements and undergo assessments prior to deployment.
- When protectively marked data is stored using the platform’s inherent functionalities, third-party applications may gain access to that information via platform APIs. It is crucial to understand the extent of data access and the associated security constraints.
- At present, CESG is unable to provide assessment services for third-party applications; departments must therefore assess each application individually. CESG may consider providing assessment services in the future.
Objectives & Assumptions
The recommendations in this guidance aim to:
- Safeguard sensitive data and credentials during storage and transmission.
- Ensure devices are protected by existing monitoring solutions offered by the network.
- Minimize the risk of accidental data leakage between applications while allowing intentional sharing.
- Restrict access to sensitive information to authorized users only.
- Enhance application usability while ensuring a baseline security level during development.
- Limit access to OFFICIAL classified material to applications designed for secure handling.
To meet these objectives, the following assumptions are made:
- The device configuration aligns broadly with the CESG platform configuration standards for iOS and Android.
- The device may be jailbroken or rooted; once a device has been compromised, both unencrypted data and any data decrypted on the device are at risk.
- Third-party applications may be on the device.
- Devices should ideally be locked if lost or stolen.
General Mobile Application Development Recommendations
Applications across various platforms may exhibit shared vulnerabilities. Developers should capitalize on built-in security features of the platform during application development. Awareness of prevalent security risks is essential for protecting applications. Here are universal recommendations for addressing common security challenges:
Data Security Measures
Utilizing Data Storage APIs
Sensitive information should only be stored on devices when absolutely necessary. If storage is required, developers must employ the native data protection APIs provided by the platform. Modern mobile operating systems typically offer APIs for secure data storage. Sensitive data should always be encrypted at rest and protected by an authentication method, such as a passcode. Once it is no longer needed, it should be securely deleted from the device.
Utilizing Cryptography
Introducing an additional encryption layer before using data storage APIs can safeguard sensitive data in the event of device compromise. Storing cryptographic keys on the device can undermine this additional layer, as keys can potentially be recovered. Instead, storing keys remotely can prevent access by attackers with physical control of the device, although this requires server authentication and internet connectivity.
Sensitive data should remain encrypted at rest and become accessible only once the authorized user has authenticated, whether via a passcode or another authentication method.
Ensuring Secure Data Transmission
All sensitive information exchanged between devices and servers must be protected with a robust encryption method. It is critical to restrict the encryption algorithms in use to strong ciphers on both ends of the connection. Additional measures, such as SSL pinning, can limit the application's connections to servers presenting recognized, trusted certificates. Never transmit sensitive data over unsecured connections.
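An added example (not code from the original guidance) of the transport controls described above, written for the device-side client: the TLS context is restricted to TLS 1.2+ and strong ciphers, and the server certificate is checked against a SHA-256 pin before any data is sent. The host, port and pin values are assumptions to be replaced with the deployment's own.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, Optional


def make_client_context() -> ssl.SSLContext:
    """TLS client context restricted to strong protocol versions and ciphers."""
    ctx = ssl.create_default_context()          # verifies chain and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Forward-secret AEAD suites only (OpenSSL cipher-list syntax).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 pin of a certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, allowed_pins: Iterable[str]) -> bool:
    """True if the presented certificate matches any pin shipped with the app."""
    presented = cert_fingerprint(der_cert)
    # Constant-time comparison; several pins allow for certificate rotation.
    return any(hmac.compare_digest(presented, p.lower()) for p in allowed_pins)


def connect_pinned(host: str, port: int, allowed_pins: Iterable[str]) -> Optional[str]:
    """Open a pinned TLS connection and return the negotiated protocol version.

    Assumed endpoint and pins; the pin list is embedded at build time.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, allowed_pins):
                # Abort before any request is written: chain validity alone is not enough.
                raise ssl.SSLError("server certificate does not match any pinned value")
            return tls.version()


# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"constructed-sample-certificate-bytes"
```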
Managing Sessions
Effective session management requires robust controls on the application's backend server. The server should treat the application as an untrusted entity and only permit access to authorized content. Following user authentication, the server should enforce session timeouts, forcing re-authentication after a period of inactivity. A recommended inactivity timeout for access to sensitive information is approximately 15 minutes. The backend server is responsible for session management and for limiting access based on session validity.
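An added example (not from the original guidance) of the server-side controls described above: session state and roles live only on the server, the client holds an opaque random token, and a 15-minute inactivity timeout forces re-authentication. The injectable clock is an assumption made so the timeout can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # 15 minutes of inactivity, per the guidance above


@dataclass
class Session:
    user: str
    roles: FrozenSet[str]
    last_seen: float


class SessionStore:
    """Server-side session state. The token handed to the app is a random handle only;
    nothing the client sends is trusted for identity or authorization."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, roles: Iterable[str]) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[token] = Session(user, frozenset(roles), self._clock())
        return token

    def validate(self, token: str) -> Optional[Session]:
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # expired: the user must authenticate again
            return None
        session.last_seen = now  # activity extends the idle window
        return session

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)  # explicit logout


def authorize(store: SessionStore, token: str, required_role: str) -> bool:
    """Access decision based solely on server-held session state and roles."""
    session = store.validate(token)
    return session is not None and required_role in session.roles
```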
Strengthening Application Security
Implementing Stack Protection
Applications should leverage any available protection mechanisms during compilation, such as Address Space Layout Randomization (ASLR) and Stack Canaries, to increase resistance against exploitation.
Preventing Reverse Engineering
To hinder reverse engineering, developers should implement sensitive processing in languages that do not support reflection, making manipulation by attackers more difficult. Caution is essential, as unmanaged languages may also introduce memory corruption risks. Techniques such as code obfuscation can obscure application logic, making it harder for an attacker to reverse engineer the source code.
Detecting Jailbreak/Root Status
Devices with jailbreaks or root access pose risks to sensitive data. Implementing detection mechanisms to check for device compromises can enhance application security, although determined attackers may find ways to circumvent these measures. Regular tests for common jailbreak/root methods should be conducted to allow the application to take proper precautions.
Managing Third-Party Applications
Organizations contemplating the use of third-party applications on the same devices as sensitive data-handling applications face two primary challenges: safeguarding the enterprise network from potential attacks via these third-party apps and preventing sensitive data from leaking to them.
As third-party app behavior often cannot be altered, protections must be enforced through network security measures and prudent data management practices. Developers should be encouraged to provide insights into their application’s architecture, and applications that are prone to data leakage or intrusive tracking behaviors should be avoided.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/application-development-guidance-introduction