The application security requirements on this site have been split into 14 different topics of importance. These areas collectively represent the different components that comprise the lifecycle of building an application and the related security considerations. The text in each topic below covers the content of the mappings.
Secure Data Storage
All PII (Personally Identifiable Information) data, passwords, keys and tokens should be stored in secure encrypted memory on the device.
Communication both to and from the device must be encrypted using the recognised standard for cryptography.
Update Software, Dependencies and End of Life
All software updates should be timely to protect against known vulnerabilities. Any dependencies or third-party APIs should also be updated to the most recent compatible release. Users should be notified when product support is ending.
Passwords and Authentication
Passwords and other forms of authentication such as 2FA, fingerprint and facial recognition should be deployed on the device to offer a level of trust that the user’s device is secure.
The App Developer should have a VDP (Vulnerability Disclosure Policy) which would allow security researchers to reach out directly to the developer and report any vulnerabilities found in an app. In addition to a VDP, developers should be proactively looking for any known vulnerabilities which may affect their product.
Sessions should only be created when the service can prove trust such as using authentication credentials. Sessions should be closed after periods of inactivity or when a user logs out.
Apps should only request permissions that are needed to run the app. In addition, the app should inform the user why it needs certain permissions.
State of the art security for encrypted communication should be used. Cryptographic keys should also be stored in a secure location. Random number generation should be employed for encryption.
Attack Surface Reduction
This topic encompasses all the areas where developers can remove unused code/APIs from the app to make it more difficult for attacks to be performed. Ports should be blocked and all external data sources treated as hostile until authenticated.
Secure by Design
During the app design phase, security should be addressed. The latest secure OS versions should be selected for deployment. This should include researching known CVEs (Common Vulnerabilities and Exposures) related to the app and any third-party software libraries being considered for inclusion. Any known security issues should be addressed at the design stage.
Developers should include options to harden the code and the app as a defensive mechanism to protect both user data and against attacks against the app.
Web App Security
Suggestions to protect remote services/servers against attacks.
This covers recommendations around policy and the use of consumer data.
Recommendations for app developers to improve the user experience and stability of the app rather than security specific requirements.