Attention to the following general principles will increase security awareness among all those working on mobile software-related projects.
The key component of security threat management is prevention. Over the past few years the approach to security has shifted from reactive to proactive, so prevention has become the more important factor in intercepting security threats. The reactive component is still necessary, however, because a system's level of security degrades over time: new attack methods and viruses appear, and stored information becomes corrupted.
By anticipating hostile intent before a breach occurs, it is possible to build applications and systems that are safe in practice. Even the most secure solutions usually have weaknesses, however, so a single security mechanism should never be relied on entirely.
When a security incident does occur, the damage can still be minimized and isolated through control of events and strong internal borders. Dividing the system or software into sufficiently small units makes its security features easier to control and manage, and it also protects against attacks, because a compromise is contained within the single unit where it happened instead of spreading to the rest of the system.
Another useful rule is the principle of least privilege (the minimum rights principle): each unit is given only the rights and permissions it needs to complete its tasks. The features listed above can be implemented by several means, most importantly by authenticating and authorizing all traffic between units and by limiting the access rights and permissions of unidentified parties. These techniques apply at any level, from a single software component to an entire business system.
In Symbian OS v9.1 these principles are implemented by platform security, which controls events inside the operating system and establishes borders between different security areas (for example, by means of data caging and server protection). Platform security is also strongly shaped by the least-privilege principle: a process is granted only the capabilities it needs.
Software usually has to interact with other components to fulfil its tasks, which raises the problem of securing the interfaces between components. For example, input provided by another application must be checked for overflows and bad data before processing is allowed to continue. This costs development effort and run time, but usually pays off in increased security. It is also important to remember that confirmations and passwords requested from the user can be misunderstood by the user, or captured or redirected by malicious software.
Additionally, there are external third-party applications such as virus scanners, firewalls, and intrusion detection systems that, when combined with strict policies, provide good protection against hostile attacks.
Even the strongest security solutions may have vulnerabilities. These weaknesses are usually not apparent during development but are often found only after an application or product has been in use for some time. Software complexity and combinations of different technologies are known to increase the likelihood of flaws. This is why extensive testing and validation are needed during development: end users will test the software in practice anyway through daily use, and malicious parties will actively search it for security defects.
How can software security be tested and validated? The purpose of security testing is to find errors and flaws that may jeopardize the security and integrity of information stored on the mobile device. Security errors are usually difficult to find, however, because software may function correctly under normal use even when it is not secure.
Unlike traditional testing, where software is validated against its specification, security testing is more effective when it studies possible side effects and the software's behaviour in different environments and on unexpected input. White hat hacking is one example: it tries to identify vulnerabilities before malicious (black hat) hackers do. Common areas for security testing are user interfaces, information storage, communications, and the software's internal security (for example, algorithms, robustness, and recovery).
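The following C program is an added example, not code from the original text and not Symbian code; it assumes a constructed record format ([type:1][len:2 big-endian][payload]) and hypothetical function names. It illustrates both the interface-security point above (parse_records refuses to continue on any malformed input from another component: truncated headers, lengths that overrun the buffer, over-sized names, bad bytes, unknown record types) and the testing point (fuzz_parser exercises the parser with randomly mutated input and checks its behaviour rather than checking it against a specification).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (not a Symbian format): a buffer
 * holds records of the form [type:1][len:2 big-endian][payload:len].
 * Type 1 is a printable name shorter than MAX_NAME; type 2 is a 4-byte counter. */
#define MAX_NAME    32
#define MAX_RECORDS 8

typedef struct {
    uint8_t  type;
    char     name[MAX_NAME];  /* NUL-terminated, type 1 only */
    uint32_t counter;         /* type 2 only */
} record_t;

/* Validate and decode everything in buf before any of it is acted on.
 * Returns the number of records, or -1 if the input is malformed in any way. */
int parse_records(const uint8_t *buf, size_t buflen, record_t *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < buflen) {
        if (buflen - pos < 3) return -1;                 /* truncated header */
        uint8_t type = buf[pos];
        size_t len = ((size_t)buf[pos + 1] << 8) | buf[pos + 2];
        pos += 3;
        if (len > buflen - pos) return -1;               /* claimed length overruns buffer */
        if (n >= max_out) return -1;                     /* caller's array is full */
        record_t *r = &out[n];
        memset(r, 0, sizeof *r);
        r->type = type;
        if (type == 1) {
            if (len >= MAX_NAME) return -1;              /* would overflow name[] */
            for (size_t i = 0; i < len; i++)             /* reject control/non-ASCII bytes */
                if (buf[pos + i] < 0x20 || buf[pos + i] > 0x7e) return -1;
            memcpy(r->name, buf + pos, len);             /* terminating NUL set by memset */
        } else if (type == 2) {
            if (len != 4) return -1;
            r->counter = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
                         ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
        } else {
            return -1;                                   /* unknown type: reject, never skip */
        }
        pos += len;
        n++;
    }
    return (int)n;
}

/* Small deterministic PRNG (xorshift32) so a fuzz run can be reproduced. */
static uint32_t rng_state;
static uint32_t rng_next(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Behavioural test rather than a specification test: mutate a valid message
 * at random and require that the parser either rejects the result or returns
 * records that satisfy their invariants. Returns the number of mutants that
 * were accepted, or -1 on the first invariant violation. */
int fuzz_parser(unsigned iterations, uint32_t seed)
{
    static const uint8_t valid[] = { 1, 0, 5, 'a', 'l', 'i', 'c', 'e',   /* name "alice" (constructed) */
                                     2, 0, 4, 0, 0, 0, 42 };              /* counter 42                  */
    uint8_t buf[64];
    record_t recs[MAX_RECORDS];
    int accepted = 0;
    rng_state = seed ? seed : 1;                         /* xorshift must not start at 0 */
    for (unsigned it = 0; it < iterations; it++) {
        size_t len = sizeof valid;
        memcpy(buf, valid, len);
        for (unsigned f = 1 + rng_next() % 4; f > 0; f--)               /* 1-4 random byte overwrites */
            buf[rng_next() % len] = (uint8_t)rng_next();
        if (rng_next() % 4 == 0) len = rng_next() % (len + 1);          /* sometimes truncate */
        else if (rng_next() % 4 == 0) buf[len++] = (uint8_t)rng_next();  /* sometimes extend  */
        int n = parse_records(buf, len, recs, MAX_RECORDS);
        if (n < 0) continue;                             /* rejected: the safe outcome */
        accepted++;
        for (int i = 0; i < n; i++) {                    /* accepted: check invariants */
            if (recs[i].type != 1 && recs[i].type != 2) return -1;
            if (recs[i].type == 1 && memchr(recs[i].name, '\0', MAX_NAME) == NULL) return -1;
        }
    }
    return accepted;
}

int main(void)
{
    static const uint8_t msg[] = { 1, 0, 5, 'a', 'l', 'i', 'c', 'e', 2, 0, 4, 0, 0, 0, 42 };
    record_t recs[MAX_RECORDS];
    int n = parse_records(msg, sizeof msg, recs, MAX_RECORDS);
    printf("valid message: %d records (name=%s counter=%u)\n", n, recs[0].name, (unsigned)recs[1].counter);
    printf("fuzz: %d of 10000 mutants accepted\n", fuzz_parser(10000, 0x1234u));
    return 0;
}
```

The parser validates the whole buffer before returning anything, so a caller never acts on a half-parsed message, and an unknown record type is rejected rather than skipped, because silently ignoring unexpected input is exactly the kind of side effect the text warns about. The fuzz loop does not know the specification; it only knows what must never happen, which is why it finds the length and overflow mistakes that a specification test with well-formed input would miss.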
To have a complete evaluation of security features and risks, it is important to perform a full security analysis for every published version of an application.