Developing native mobile apps instead of HTML5-based apps adds complexity to mobile app security management. Peter Yared of Webtrends Apps recently published an insightful blog post in which he points out that developing native apps for every mobile platform (iPhone, Android, Windows Mobile, Blackberry, SymbianOS, WebOS) is not practical, because the cost of development and maintenance grows with each additional platform-specific application that is deployed.

Peter's point of view is not only very practical from a cost and maintenance perspective, but also has important information security implications. A key attribute of risk analysis for web applications is the attack surface: the more features, functionality, permissions, and code that are exposed to users, the more attack vectors exist, and the higher the probability of a security compromise. The same principle applies to mobile applications. Having similar or identical features recoded separately for multiple platforms multiplies the attack surface, since each implementation carries its own, independent set of bugs. Additionally, each of those applications would require its own application penetration test and security code review, both before initial deployment and again after any changes or updates to its code base.

The areas where we are seeing (and testing the security of) a lot of mobile app deployments, such as healthcare, banking, and consumer-driven businesses, typically also carry important sensitive data protection and compliance requirements: think of HIPAA and PCI. Developing a custom native application for each platform therefore adds complexity to security management, because every one of those applications must meet the same requirements and be verified against them. Of course there are a variety of business cases that dictate native development, for example an app that needs camera access, but the security risk management implications of going native should always be weighed when creating a mobile development strategy.