App Security

My personal project here will use Fliplet to investigate how the publishing stores, Apple, Google, Amazon, Microsoft, plus private App store platforms, work.

How features (camera, audio, location etc), are tested in submitting to a store and they assure nothing dark larks inside it for the user.

I am looking for as many experiences of loading and testing Apps, good-bad-ugly, that can be collated anonymously. Development and non-store testing tools used, stores used, issues, trivia, rejections, and anything relevant all help. The analysis (no identifiable data) will be circulated to the National Centre for Cyber Security (NCSC) CISP, community as a contribution to security guidance for Apps in the future.

This is all open and transparent so can talk through this community. Can also exchange direct by email if you’d prefer. Any questions please ask.

Thanks

Ken Tomnbs

Hi Ken

Thanks for the post and question.

Testing to ensure everything works as expected in an app and ensuring there’s nothing sinister within the app should be 2 different types of tests. The first is feature testing, the second is security of integrity testing.

Feature testing is best done manually by users on different devices or test devices. iOS is highly consistent but android isn’t. I would record testing with Samsung android devices and any other popular types of devices your users are likely to use. Testing can be managed by creating a list of test tasks and asking different users to complete them then reviewing the results.

Security testing is best done by a security tester. A security tester will deeply assess what the app does, what servers it talks to, and what code is within the app. This is the best way to ensure an spp does only what it should do.

To protect the app many customers will control the deployment and access to the app by distributing it via an MDM solution, an IT controlled private app store. The app can also use single sign on (SSO) and authenticate with an existing authentication service, like the system used to authenticate corporate users, in order to stop access to the app if a user leaves an organisation. Technically this isn’t testing but risk management when the app is being used by users.

Does this make sense? I am happy to explain any of the concepts in more detail if you’d like.

Hi Ian, yes all make sense what you say. The interest is how far can amateur App builders like me, trust a generic App store to guide me on security? A FlipLet can aid me greatly though ultimately a store is the final safety check before the public, how complete and reliable might that be? With lo-code gaining momentum, inevitably proprietor/builders will cut corners and rely only on a store’s tests.

Great response Ken and fantastic question.

The app stores do have automated code checks but, like antivirus software, they only scan for known issues and they don’t monitor software after it’s live as far as I know.

Using a reputable company is key to ensuring good quality apps, security in those apps and ongoing updates to address security issues.

As you know, customers can add code to Fliplet apps therefore the customer has responsibility for any code they add, or let 3rd parties add. This creates an additional risk.

Ultimately I would say trust and standards are probably the only way a non technical person could reliably produce an app with a no code or low code app builder and trust the outcome because of how technical verifying a product does what it must and nothing else.

Fliplet is getting ISO27001, risk assessments and 3rd party security tests done to demonstrate how trustworthy we are. This is so customers do not have to assess us themselves and can trust us. These are industry standard methods, they are not perfect, but they are the best we have and are widely accepted as appropriate for large companies to work together.

What are your thoughts on this approach?

Of the two UK schemes, Cyber Essentials is not strong enough for a Weboo. ISO27001 ISMS as a full management system is the best route for many reasons. I am currently introducing governance and refreshing an ISMS for BusinessOptix in Guildford, who are also a global cloud services provider. They have good track record of external audits by BSI. As they face growth challenges and international corporates to manage, they want the best they can realistically get. They thrive by their technology so its critical. Same for others I am working with. I’d be happy to do an hour session online for anyone on this group and share the models and structures?

1 Like

Regarding security of Fliplet code.

You can only be responsible for your own Fliplet code, and the underlying security of your Fliplet product. Certainly being able to demonstrate a robust and tested structure is all one can ask.

If it is necessary to conduct ones own 3rd party testing it reduces the value of using a product such as Fliplet, and the cost of testing becomes a barrier.

I would hope/presume you have security and monitoring in place to handle basic attacks on your infrastructure and code base.

Hi Mark

Good point. Part of using Fliplet is to avoid having to manage the security of apps internally.

Fliplet has a suite of security features customers can enable on their apps via Fliplet Studio. These must be configured per app based on what the app does.

Fliplet is regularly security and vulnerability tested. We also continuously monitor Fliplet to ensure any known attacks are detected and managed. We have monitoring and log analysis software.

We do not test custom code our customers add to their app.

Some customers choose to get their own security tests done. We support them as part of being transparent and supporting our customers infosec standards.

Ian.

As an amateur App builder, security is a jigsaw, the best picture is when all the pieces fit together. At the moment, the jigsaw’s ‘App test pieces’ are fuzzy pictures, what they might actually look like is obscured. Going back to Ian’s comments about demonstrating assurance, then ISO27/ISMS is the most cost-effective 3rd party assurance you can have as a supplier. However, the fundamental is can you trust your supplier not to stitch you up. Sadly, too many times I work with businesses who have had that happen to them; poor quality, commercial exploitation, misrepresentation and the rest. As far as security is concerned, Caveat Emptor is not acceptable as a business culture.