Developing a FirstNet Class App – By Daniel Madsen

FirstNet’s priority is to offer mobile apps in our catalog that are free of malware and severe security vulnerabilities.  Although the FirstNet team goes to great lengths to confirm that the network and devices are trustworthy, it is just as vital for developers to produce apps that have the ability to stay secure in case of attack.  When developing mobile apps, mobile handsets must be treated as un-trusted platforms.  Therefore, security functions should not be delegated to mobile platforms, as those functions can be tampered with.   Start with the worst-case assumption that a hacker has rooted and completely controls the device, so be sure to design, code, and security test to safeguard the integrity and reliability of the apps our first responders depend upon.  On some phones for instance, the schemas and contents of the databases that support notes, phone logs, contacts, email, SMS messages and many other core applications, can be viewed and changed by an attacker.

One of the first steps for FirstNet developers is to identify risks that can be mitigated through best practices and standards of architecture and code development.  The following list is not exhaustive, but it addresses the most prominent risks.  Links to reputable websites providing additional information are included.

1. Injection attacks, which apply to both mobile and server applications, seek to disclose or inject information, or cause malfunctions of applications through buffer overflows, web-based attacks, and database attacks. See: https://www.owasp.org/index.php/Injection_Flaws
2. Authentication attacks seek to bypass access controls by guessing PINs or passwords until the attacker gains access to an application or device. See: https://www.owasp.org/index.php/Mobile_Top_10_2016-M4-Insecure_Authentication
3. Escalation of privilege attacks exploit defects in code and Application Programming Interfaces (APIs) to enable a user to perform functions they are not authorized to perform. See: https://www.owasp.org/index.php/Mobile_Top_10_2016-M6-Insecure_Authorization
4. Backdoor attacks utilize unauthorized access methods to bypass authorization mechanisms. See: https://www.owasp.org/index.php/Mobile_Top_10_2016-M10-Extraneous_Functionality
5. Platform attacks may include manipulation of database schemas and data, snooping on or changing customer data on devices, and manipulating the code associated with an application. See: https://www.owasp.org/index.php/Mobile_Top_10_2016-M8-Code_Tampering
6. Malware and network-based attacks are not specific to mobile devices. Attacks may be directed against mobile devices themselves, against server-side applications that provide backend functionality, or against the communications network.

Not included in this list are social engineering attacks (phishing, sharing passwords, etc.) which all FirstNet developers must guard against.

Security is vital – anywhere, everywhere; it’s even more vital when we are talking about assets created for public safety.