90% of the 100 most downloaded finance and health apps had a minimum of two OWASP Mobile Top 10 Risks after going through mobile app security testing. This is a shocking percentage, more so given the guidelines for secure app development and data transmission put in place by the PCI Security Standards Council and HIPAA.

The following is a breakdown of what needs to done at a high level to meet PCI standards for anyone who develops a mobile payment app, either in-house or for another organisation. This reflects the advice from the PCI Security Standards Council, Visa, and our own experience of mobile app security testing apps with payment functionality.

Develop mobile payment apps based on the PCI secure coding guidelines

This sounds a bit obvious, however, this is where the problem starts. The failure to write secure code introduces vulnerabilities and exposes customer account data to theft.

1. Anyone developing a mobile payment app needs to demonstrate secure development and maintenance.
2. These measures require documentation, training of developers, and monitoring of output as confirmation.
3. The security measures require periodic assessment of the app for vulnerabilities. This includes assessments such as: static analysis, code review, surveying vulnerability information available in the public domain, and testing.
4. The absolute minimum for mobile app security testing of PCI compliance requires mitigation of vulnerabilities listed under CWE/SANS top 25 Most Dangerous Software Errors.
5. Any discovered vulnerabilities need to be assessed, reported, and mitigated as soon as possible.

Secure updates for mobile payments apps according to PCI

Agile development processes are great for getting new features to users, however, updates are often the point where new vulnerabilities creep in and undo any of the ground work from trying to develop a secure app.

6. The update process needs to ensure confidentiality, integrity, server authentication and protection against replay by using an appropriate security protocol. Devices need to be set to authenticate and, if need be, reject updates. Make sure to do mobile app security testing for updates.
7. The app developer needs to make clear the guidance available for updating deployed applications to other devs, system integrators, and end-users.
8. The security measures ought to cover the process for updating applications, certificates and keys.
9. The security measures need to outline the responsibilities of application developers, system integrators and the end users of the platform.
10. Updates need to be issued as soon as possible to keep ahead of any vulnerabilities or exploits present.

As the developer of a mobile payment app it is also necessary to ensure that the application is able to test for signs of privilege escalation by the end user or any malware that may be present. In addition, devs ought to assume that the shared storage on a consumer’s mobile device is untrusted and take steps to ensure that information does not leak between applications.

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing in under a minute try out Codified Security.