Ensure your mobile business apps undergo thorough security testing
30 January 2015
Alert Priority Moderate
If your business is developing and releasing apps, make sure you implement a testing regime that minimises the risk of vulnerabilities emerging. These vulnerabilities may compromise the security and privacy of your business, its partners and its customers.
Security experts recently reported on a potential vulnerability in a tourism and hospitality firm’s smartphone app. Until it was fixed, this vulnerability allegedly allowed any user to view the personal details of the firm’s other customers.
Businesses that release apps for smartphones or other devices – particularly apps that store or provide sensitive information such as credit card details or travel plans – need to undertake testing before and after the app is released. Post-release security testing should be scheduled regularly and take into account the importance and sensitivity of the app.
Organisations release apps for a number of reasons, including managing customer profiles, enabling online shopping or offering hotel bookings. In many cases, these apps are linked to customers’ personal information.
Security testing is considered best practice when releasing any form of software. It not only reduces the risk of customer data being disclosed, but also lowers the possibility of vulnerabilities damaging a business’s reputation. Security testing can involve a number of activities, such as penetration testing (where an analyst attempts to gain unauthorised access to an app’s data) or source code analysis (where the code of the app is examined for flaws).
If you are unsure of your security testing options, one step you can take is to review guides prepared by government agencies. Some of these guides include lists of best-practice steps and sources of further information.
As a starting point for businesses that are unsure where to find technical advice, these guidelines from the Victorian Government provide a project-focused overview of the common aspects of security testing.
The Australian Prudential Regulation Authority has released a Prudential Practice Guide to the management of security risk in information and information technology, available here.
The Office of the Australian Information Commissioner has released a guide to securing personal information, which can be found here.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.