Posted by Eugene Liderman, Director, Android Security Strategy, and Brooke Davis, Android Security & Privacy Partnerships
With all of the challenges of the past year, users are increasingly reliant on their mobile devices to create fitness routines, stay connected with loved ones, work remotely, and order things like groceries with ease. According to eMarketer, users spent more than three and a half hours a day using mobile apps in 2020. With so much time spent on mobile devices, keeping mobile apps safe is more important than ever. Despite the importance of digital security, there is no uniform industry standard for evaluating mobile apps. Existing guidelines are either too easy or too burdensome for the average developer and there is no compliance arm. For this reason, we are happy to share ioXt’s announcement about a new profile for mobile applications that offers a range of security and privacy requirements with defined acceptance criteria that developers can use to certify their apps.
More than 20 industry stakeholders, including Google and Amazon, a number of certified laboratories such as NCC Group and Dekra, and providers of automated mobile app security testing such as NowSecure, worked together to develop this new security standard for mobile apps. Early on we saw particular interest from developers of Internet of Things (IoT) and virtual private network (VPN) apps. However, the standard is suitable for any cloud-connected app, such as social, messaging, fitness or productivity apps.
The Internet of Secure Things Alliance (ioXt) manages a program for assessing the security compliance for connected devices. ioXt has over 300 members in various industries including Google, Amazon, Facebook, T-Mobile, Comcast, the ZigBee Alliance, the Z-Wave Alliance, Legrand, Resideo, Schneider Electric and many others. With so many companies involved, ioXt covers a wide variety of device types including smart lighting, smart speakers, and web cams. Since most smart devices are managed via apps, the coverage was extended to mobile apps when this profile was launched.
The ioXt Mobile Application Profile defines a minimum set of commercial best practices for all cloud-connected apps that run on mobile devices. This security baseline protects against common threats and reduces the likelihood of a significant security breach. The profile builds on the existing standards and principles of OWASP MASVS and the VPN Trust Initiative, and lets developers differentiate their apps by security capabilities in cryptography, authentication, network security, and the quality of their vulnerability disclosure program. The profile also provides a framework for evaluating requirements specific to an app category, applied according to the functionality the app contains. For example, an IoT app only needs to certify against the Mobile Application profile, while a VPN app must meet both the Mobile Application profile and the VPN extension.
Certification lets developers demonstrate the security of their products, and we are excited about the opportunity to use this standard to advance the industry. We found that app developers were very quick to resolve issues identified in their black-box evaluations under the new standard, often within a few days. The following apps were certified at launch: Comcast, ExpressVPN, GreenMAX, Hubspace, McAfee Innovations, NordVPN, OpenVPN for Android, Private Internet Access, VPN Private and the Google One app, including VPN by Google One.
We look forward to seeing adoption of the standard grow over time, allowing app developers who already invest in security best practices to highlight their efforts. The standard also serves as a guide to encourage more developers to invest in mobile app security. To learn more about the ioXt Alliance and certifying your app, visit https://compliance.ioxtalliance.org/sign-up and read Android's guidelines for building secure apps.