To "Win" at application security, stay off the High/Medium/Low Treadmill. It is natural for security teams to tackle High Severity issues first, and then migrate to Medium and Low, as necessary; however, be careful as this might be a trap, as it could appear you are very busy, but you might not be going anywhere. Conversely, take a data driven approach, where the top priority issues are addressed first, such as the issues that expose the most data (P1), or issues that have the biggest compliance impact (Regulatory Compliance), or issues might cause the app to be unavailable to download (App Store Blockers). When working with developers, speak of the Secure Code first. Address the Secure Code is often a quicker way to get things fixed, rather than to dwell on the severity, likelihood, or even the risk of an issue, as the latter can be quite subjective where the ability to take the Secure Code and to implement it is often tactical. The following steps will help you "Win" at Mobile App Security.
Step-by-step Guide
Reduce the number of P1 issues to Zero
P1 issues allow remote attacks to export data. As a golden rule, we do not want to have any P1 issues on public apps, as it directly impacts the safety of end-user data.
Reduce the number of App Store/Google Play Blockers to Zero
Apple and Google both require all apps in the App Store or Google Play to comply with a specific set of security requirements. While the requirement list may not be enforced consistently, both organizations do clearly state that any app’s update can be blocked if any of the security criteria is not met. In order to ensure your app is not at the mercy of Apple and Google, ensure all app store blockers is reduced to zero.
Open Source Software/SDK Issues (OSS/SDK)
Any open source library and/or 3rd party SDK has total control over your apps data, including the TLS sessions connecting the app to server side APIs. While there is a sandbox between each app in an iOS or Android device, there is no sandbox between your app and 3rd party libraries or SDKs. For this reason we recommend each OSS/SDK is carefully reviewed by the security team. If the OSS/SDK has a security or privacy issue that does not comply with your policies, it should be removed or updated asap.
Regulatory Compliance Issues
Compliance and standards can often have a bigger impact to your app than Security P1 or Blocker issues; thus, we recommend to review each compliance policy that your organization must adhere to and fix that items as soon as possible.
App Protection
App Protection allows security and risk management teams to apply proactive security measures directly into mobile apps; thus, reducing the overall attack surface of the product. Protecting your apps using well known and respected security measures will not only give it a long term advantage over current & future security vulnerabilities, but will show end-users the organization’s long-term commitment to mobile application security.
To show your customers your commitment to security, ensure your app shows up on the App Protection Leaderboard
Login → select app → App Protection (scroll to the bottom of screen to see leaderboard)