Developing native mobile applications as opposed to HTML5-based apps adds complexity to mobile application security management. Peter Yared from Webtrends Apps recently posted an insightful blog entry where he points out that developing native applications for each mobile platform (e.g. iPhone, Android, Windows Mobile, Blackberry, SymbianOS, WebOS) is not practical because the development and maintenance cost grows with each mobile platform app deployed.
Not only is Peter’s view very practical from a cost and maintenance perspective, it also has significant information security implications. A key attribute of risk analysis for web applications is sometimes referred to as attack surface area, which essentially means that the more features, functionality, permissions and code accessible to users, the more vectors of attack – which increases the probability of a security compromise. This very same principle applies to mobile apps. Having similar or identical features recoded for multiple platforms increases the attack surface area. Furthermore, each of the multiple applications would require its own application penetration test and security code review to ensure it is secure before deployment, and again after changes or updates to its code base.
Areas where we are seeing (and security testing) lots of mobile application deployments, such as healthcare, banking and consumer-driven enterprises, also generally have significant compliance and confidential data protection requirements – think HIPAA and PCI. Thus developing custom apps natively for each platform adds complexity to security management. Of course there are a variety of business cases, for example an app that needs access to the camera, that will dictate native development, but the security risk management implications of native development should always be considered when creating a mobile development strategy.