A Microsoft TechNet story discusses the best ways to secure mobile applications. The most important element of the piece, from our perspective, is right at the beginning, however. The writer opens by saying:
"'Security' and 'mobile application development' rarely appear in the same sentence."
Our question is: Why not?
The author spends the first paragraphs trying to convince readers -- application developers, mostly -- that security is important. We find that downright frightening. We know that hackers and crackers are a smart bunch who increasingly target mobile workers. It's not comforting to think that application developers -- the good guys -- are being brought to the security party kicking and screaming.
It's not a great thing when developers are said to consider security as "featureless, drab, and un-cool." Further, developers feel that security is an obstacle to the Holy Grail of usability. These folks spend their time trying to make it as easy as possible for wanderers to use their devices.
It's not difficult to understand where they are coming from. Even under the best of circumstances, it's hard to perform mundane tasks on a handheld. The prospect of suddenly asking for passwords, especially as operations grow more complex, can't be expected to make them happy.
The good news is that the writer of the TechNet story may himself be holding onto old perceptions. There is growing across-the-board acknowledgment of the importance of mobile security. It's safe to assume that most mobile developers and software vendors are no different and are willing to get with the program.
Companies must weed out those who hold onto old beliefs, however. They need to make sure that the people they hire or buy product from consider security vital and are willing to sacrifice some usability in order to achieve it. They should be compelled to use increasingly common tools that test application security.
The bottom line is that developers or development firms that aren't willing to concentrate on security should be quietly, politely and firmly shown the door.