Mobile App Security Assessment & Strategy
Nowadays, several mobile apps have been recognized as innovative, and they fall into different categories. For example, the application called U.S. Constitution: Analysis and Interpretation was developed by the Library of Congress. Its main objective is to provide the original text of the Constitution, its evaluation, and the Supreme Court cases that bear on its interpretation (Library of Congress, 2016). KnowBullying, in turn, is an app designed to prevent the bullying of children. It offers tips, warning signs, information, reminders, social media, conversation starters, and educational resources (SAMHSA, 2015). Another example in the “best of category” group of mobile apps is FEMA. People can share their photos, check the list of essential items to take during an emergency, and find the closest shelters. The application was created as a “one-stop-shop with tools and tips to keep you safe before, during, and after disasters” (Federal Emergency Management Agency, 2017). At the same time, mobile security risks and threats have grown alongside this adoption. As a result, developing effective, secure mobile apps for the government requires an analysis of federal government regulations and of private industry recommendations, after which best practice recommendations can be presented.
Federal Government’s Requirements and Recommendations
The Federal Trade Commission has issued recommendations for mobile app developers on maintaining the security of their products. The first step when launching an app is to analyze the general situation and the environment in a particular sphere, the so-called ecosystem. For example, the developer should clearly determine the core features of the app and identify how they work. Moreover, the readiness to accommodate a huge number of users, and common threats such as unsecured Wi-Fi connections, should be considered as well (Federal Trade Commission, 2017). The Commission promotes evaluating the specific needs of each app and aims to avoid a ‘one-size-fits-all’ approach.
At the same time, the Commission offers several practical and precise pieces of advice for the development of apps. First, a specific person should be responsible for security during the entire development and operational process. Second, much attention should be paid to the rules and regulations governing children’s, health, and financial data. Third, whenever a developer needs to use a third-party library or code, it is better to check all available information on its security measures and analyze whether it fits the project under development (Federal Trade Commission, 2017). In other words, developers must consider numerous security details while working on their application.
In 2013, a Mobile Security Technical Exchange Meeting (TEM) was organized by the Federal CIO Council’s Information Security and Identity Management Committee. During this event, core gaps, problems, and risks were examined, and recommendations to advance mobile security were given. Thus, the TEM proposed to “add time element between user and location” (CIO Council, 2013, p. 28). Moreover, it offered to separate the requirements for Data/Information and User Description. For instance, social media is an important source of information, but it should not be treated as accurate and reliable in all situations. Another suggestion was to “require multiple identification capabilities” (CIO Council, 2013, p. 29). Consequently, the Mobile Security TEM presented several new points to enhance the security of applications.
Industry’s Recommendations
OWASP, an international organization that works to maintain application security, has identified ten current mobile security risks and given recommendations for preventing them. For example, weak server-side controls can be managed through secure coding and configuration practices (OWASP, 2014c). The risk of poor authorization and authentication can be addressed by re-enforcing these processes on the server side while performing local integrity checks at the same time (OWASP, 2015a). Moreover, improper session handling can be prevented by checking an app’s code to ensure that it creates proper session tokens, maintains them, and destroys them (OWASP, 2014b). Therefore, OWASP’s examples of the main security risks can help users and developers cope with them.
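The session-handling and server-side authorization points above, as an added example that is not from the essay or from OWASP: a minimal server-side session store with unpredictable tokens, a bounded idle lifetime, rotation after login, explicit destruction on logout, and a role check that trusts only the stored session, never the client. The 15-minute timeout and the injectable clock are assumptions for illustration.

```python
# Added example (not from the essay or OWASP): a minimal server-side session
# store illustrating proper session handling: unpredictable tokens, bounded
# lifetime, explicit destruction on logout, and authorization decided on the
# server from the stored session rather than from client-supplied data.
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout; tune per policy


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised offline
        self._sessions = {}  # token -> {"user", "role", "last_seen"}

    def create(self, user, role):
        # 32 random bytes from the OS CSPRNG; never derive tokens from ids or time
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "role": role, "last_seen": self._now()}
        return token

    def lookup(self, token):
        """Return the session record if the token is valid and unexpired, else None."""
        record = self._sessions.get(token)
        if record is None:
            return None
        now = self._now()
        if now - record["last_seen"] > SESSION_TTL_SECONDS:
            self.destroy(token)  # expired sessions are removed, not left dormant
            return None
        record["last_seen"] = now
        return record

    def destroy(self, token):
        self._sessions.pop(token, None)  # logout invalidates server-side state

    def rotate(self, token):
        """Issue a fresh token after a privilege change (e.g. login) to resist fixation."""
        record = self._sessions.pop(token, None)
        if record is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = record
        return new_token


def authorize(store, token, required_role):
    """Server-side check: the role comes from the stored session, never the request."""
    record = store.lookup(token)
    return record is not None and record["role"] == required_role
```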
A broad range of risks is connected with data security. SD cards, log files, SQLite databases, and similar locations are among the most vulnerable places for data storage. For iOS users, the best way to prevent insecure data storage is not to rely on the phone’s file system to save their information. Android apps must not enable the MODE_WORLD_READABLE preference mode; this option should be used only when data sharing between apps is actually required (OWASP, 2016). Furthermore, unintended data leakage can be prevented by examining how the OS, frameworks, and platforms handle application backgrounding, keyboard press caching, and HTML5 data storage (OWASP, 2014a). Therefore, data security plays an extremely important role for all users.
Several other risks threaten app security as well. For instance, because devices process information from various sources, the risk posed by untrusted inputs is high. One way to reduce this problem is to avoid using the iOS Pasteboard for IPC communication (OWASP, 2015b). Moreover, transport layer protection can be achieved by always requiring SSL chain verification, using industry-standard strong ciphers, and avoiding alternative channels, such as MMS or SMS, for sending sensitive data (OWASP, 2015b). The above-mentioned measures can help protect information transmission and reduce storage risks.
Best Practice Recommendations
The mobile phone as a device also requires particular attention to its security, since it serves as the basis for the operation of applications. The main modern threats to mobile security are delays in security updates and compromised App Store downloads, as well as simple theft or loss of devices. As a result, security measures should be applied at the hardware, firmware, mobile OS, and finally application levels (Department of Homeland Security, 2017). The most important recommendation for securing a mobile phone is to always update its system to the latest operating version and constantly upgrade the security measures offered by developers. Moreover, lower-level mobile components can be protected by using original firmware, software, baseband processors, and TEEs (Department of Homeland Security, 2017). These measures can help ensure device security at all levels.
An app’s architecture and design are important parts of mobile security. First, the developer should make sure that all features and components that are part of the app, or that play a supplementary role, are known and identified. Second, a centralized implementation must be created for security controls. Third, remote devices connected with the app should be identified and included in the high-level architecture (OWASP, 2017). By following these recommendations, one can be sure that an app’s components and remote devices will be secure.
Data protection on one’s device is the main objective of all security precautions. One of the best recommendations for increasing the data security of mobile apps is to make sure that backups created by the operating system do not contain any sensitive data. At the same time, it should not be possible to take a screenshot of this data, and it should not be exposed through the user interface. Users should also consider setting a passcode for their device. Moreover, the app can contain a clear and comprehensive educational element about basic data security (OWASP, 2017). These measures show that restricting access to sensitive data, using passwords, and simply possessing elementary education on the issue can improve data security.
A secure transmission path is another important element of security. Communication networks should have several qualities to be secure. Thus, TLS should be used for encryption, and it should be properly maintained and updated. The certificate presented when establishing the connection to the remote endpoint should be signed by a trusted CA, and for critical situations and operations, communication should not rely on a single channel such as SMS or email alone. Moreover, during interaction and data transmission, JavaScript should not be enabled in WebViews, a minimum amount of permissions should be requested, and sensitive functionality should not be exported via IPC facilities or URL schemes (OWASP, 2017). Thus, transmission security can be gradually improved if these several steps are taken.
There are also core areas and steps for maintaining the security of mobile apps. To harden build settings and reach code quality, developers should use valid certificates, build in release mode, and remove debugging code and symbols (OWASP, 2017). To maintain resilience against reverse engineering, one possible solution is to hinder dynamic analysis and tampering. For instance, implementing several functionally independent methods of root detection can be an effective measure. However, such steps should be considered not as security controls but as software protection (OWASP, 2017). Therefore, these steps in particular areas are quite useful for improving app security.
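The two build and IPC points above (no debuggable release builds; no sensitive functionality exported via IPC) as an added example that is not from the essay or from OWASP: a small static check that reads an AndroidManifest.xml and reports a debuggable application and components reachable from other apps. The manifest, its package name and component names are constructed for the example; the implicit-export rule (an intent-filter with android:exported unset) reflects Android behaviour before API level 31.

```python
# Added example (not from the essay or OWASP): a static release-readiness check over
# an AndroidManifest.xml, flagging android:debuggable="true" and app components that
# other apps can reach via IPC. The sample manifest below is constructed, not real.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.placeholder.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_manifest_issues(manifest_xml):
    """Return a list of (component name or tag, issue) tuples; an empty list means clean."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    issues = []
    if attr(app, "debuggable") == "true":
        issues.append(("application", "android:debuggable=true in a release build"))
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = attr(comp, "name") or comp.tag
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # The launcher activity must be exported, so it is not reported.
        is_launcher = any(attr(c, "name") == LAUNCHER for c in comp.iter("category"))
        if is_launcher:
            continue
        if exported == "true":
            issues.append((name, "explicitly exported via IPC"))
        elif exported is None and has_filter:
            issues.append((name, "intent-filter without android:exported (implicitly exported)"))
    return issues
```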
At the same time, some general recommendations for improving governmental mobile security projects are also important. In 2013, a Mobility Forum was held in Washington, DC. During this event, core industry representatives underlined several issues that the government needed to improve to achieve the security of its apps. First, a new and more simplified approach to app creation would gradually improve mobile apps. Second, the government should introduce “a standard mobile application process” (CIO Council, 2013, p. 31) that would regulate the entire process and serve as a pattern. Third, more attention should be paid not just to mobile application management and mobile application security but to the entire app lifecycle (CIO Council, 2013). Thus, the government should develop a more simplified, inclusive, and standardized policy.
Conclusion
US official institutions take an active part in the development of applications. Such applications as U.S. Constitution: Analysis and Interpretation, KnowBullying, and FEMA are examples of successful and innovative governmental projects that improve communication and information sharing between US citizens and public authorities. On the other hand, the growing popularity of mobile devices raises the level of threats to their security.
The Federal Trade Commission, as one of the main governmental institutions, has presented several recommendations to app developers in order to improve the security level of their applications. For instance, ecosystem analysis, the ability to accommodate all of an app’s users, and attention to the security of Wi-Fi connections can gradually enhance their security. Moreover, the Commission also proposed that a specifically appointed individual should hold responsibility for security, that the regulations covering the most sensitive and important data categories should be observed, and that the security of third-party software and protocols should be checked. At the same time, OWASP has introduced the latest private-sector findings on mitigating mobile security risks. Weak server-side controls, poor authorization and authentication, improper session handling, vulnerable data storage locations, untrusted inputs, and transport layer protection were underlined by OWASP. Moreover, the organization proposed steps to address those threats and improve the security of mobile apps.
During the development of new apps, the government should consider the best recent practices available. Mobile device security, app architecture and design, data protection, information transmission, and other elements should be considered when creating mobile applications. For example, developers should remember that mobile security does not simply mean app security; it also includes the hardware, OS, and other levels. Moreover, an updated system, valid certificates, release mode, and removed debugging code and symbols would help maintain a high security level. At the same time, the government should also pay attention to its general application development policy and try to simplify its approach, standardize the process, and consider the entire application lifecycle.

This text was written by Charles Pfeifer who is a writing editor at https://advanced-writer.com/