Security, whether in the airport or in an application, is a confusing subject that is often confused further by techno-speak. We’ll try to minimize the jargon today as we look at maximizing the security of mobile commerce apps.

Convenience, the often-overlooked first question:

Mobile application security can be thought of very similarly to the security of transferring cash between individuals. Let’s say, for example, that the day before a best friend’s wedding in San Francisco, an urgent family matter in New York calls you away. Much to your chagrin, upon landing in New York you realize that you have your best friend’s $20,000 diamond ring in your bag.
There are many aspects to consider in figuring out how to get the ring back to your friend. The thing that rarely gets talked about is that convenience (whether yours or your friend’s) will be the single biggest factor in determining how you choose to get the ring back to him. Can you afford the time to take it yourself, or does it need to be given to a courier? How quickly does it need to get there? How much money is it acceptable to spend in order to get the ring there safely? For the vast majority of apps, the answers probably come out much as they would for the diamond ring. The transfer of the item has to be as convenient as possible for everyone and relatively inexpensive – that is, we’re looking for a solution that is fast, cheap, and has an extremely high probability of success.
From that standpoint, most solutions get thrown out right off the bat. For example, flying the ring back yourself takes too much time and costs too much money. The same might be said for sending it back in an armored truck, for that matter. So, at the end of the day, we are resigned to sending it via FedEx – still, we want to take the right precautions so that the ring doesn’t get stolen before it arrives back with your friend. For the purposes of our analogy, the wedding ring stands for sensitive data, which can take many forms – credit card numbers, passwords, source code, or proprietary algorithms. Keeping that information secure and out of the hands of would-be thieves requires that you first identify the “path of the data”. When the ring is in your possession, that’s analogous to a credit card number being stored on your phone – let’s call that “device” security. When the ring is in transit (on the FedEx truck), that’s analogous to data being transmitted over the internet – what we’ll call “network” security. When the ring is at the FedEx processing center, that’s analogous to the data being stored on a database server – what we’ll call “server” security.