If your system or application is mobile-app based, which security measures have been built into your code to avoid OWASP Top 10 mobile issues?

For reference see [Link].

Our app is built on top of the Cordova Framework, which we upgrade regularly whenever new versions are released. As such, our apps are just a website run locally on the device while interacting with our APIs. This also means that the only code we maintain is JavaScript/HTML/CSS.

  • M1 – Improper Platform Usage
    We only ask for the permissions we need. Currently those are internet connectivity, data storage, push notifications and the device ID (used by push).
  • M2 – Insecure Data Storage
    We only store a user token for the logged-in user. No PII or health data is stored locally on the device.
  • M3 – Insecure Communication
    We only connect over SSL/TLS (Grade A) to our API
  • M4 – Insecure Authentication
    The user token is validated at each request to our servers
  • M5 – Insufficient Cryptography
    See M3
  • M6 – Insecure Authorization
    See M3
  • M7 – Client Code Quality
    N/A
  • M8 – Code Tampering
    The code in the app can be tampered with by hooking the phone up to a standard Web Inspector or Chrome browser, as it is just a website. That doesn't mean that it is insecure: the security lies at the server-level API, just like a normal website.
  • M9 – Reverse Engineering
    Yes, it can be reverse engineered just like a web page. Therefore, no cryptographic constants, ciphers or intellectual property are stored in the app.
  • M10 – Extraneous Functionality
    We have a separate process for building and testing the app in debug mode to ensure that no unneeded, extraneous functions remain.