FirstNet’s priority is to offer mobile apps in our catalog that are free of malware and severe security vulnerabilities. Although the FirstNet team goes to great lengths to confirm that the network and devices are trustworthy, it is just as vital for developers to produce apps that can stay secure when attacked. When developing mobile apps, treat mobile handsets as untrusted platforms: security functions should not be delegated to the mobile platform, because those functions can be tampered with. Start with the worst-case assumption that a hacker has rooted and completely controls the device, then design, code, and security test to safeguard the integrity and reliability of the apps our first responders depend upon. On some phones, for instance, the schemas and contents of the databases that support notes, phone logs, contacts, email, SMS messages, and many other core applications can be viewed and changed by an attacker.
One of the first steps for FirstNet developers is to identify risks that can be mitigated through best practices and standards of architecture and code development. The following list is not exhaustive, but it addresses the most prominent risks. Links to reputable websites providing additional information are included.
Not included in this list are social engineering attacks (phishing, sharing passwords, etc.), which all FirstNet developers must guard against.
Security is vital – anywhere, everywhere; it’s even more vital when we are talking about assets created for public safety.