General protection principles

Paying attention to the general protection principles below increases security in mobile software.

Prevention

Prevention is the key component in security threat management. Over the past few years, the approach to security has shifted from reactive to proactive, meaning that prevention is increasingly important. However, the reactive component is still necessary because security levels degrade over time due to factors such as information corruption and new attack methods and viruses.

By intercepting security breaches before they even happen, you can create potentially safe applications and systems. However, even the most secure solutions may have weaknesses, so you should never place your trust in only one method.

Control

If a security incident is about to happen, it is still possible to minimize and isolate damage with control of events and strong internal borders. By dividing the system or software into sufficiently small units, it is easier to control and manage security features. Division also helps to isolate infections within a single unit.

Another useful control feature is the minimum rights principle, wherein each unit is given only the minimum rights it needs to complete its tasks. Controls can be imposed by authenticating and authorizing all traffic between units, and by limiting the access rights of unidentified parties. These techniques can be applied at any scale, from a single software component to an entire business system.

From Symbian OS v9.1 onwards, platform security implements control of events inside the operating system and creates borders for different security areas (for example, by means of data caging and server protection). Platform security also implements the minimum rights principle.
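The following is an added example, not code from the original page or from Symbian: a simplified Python model of the data caging directory rules in Symbian OS v9 (`\sys`, `\resource`, `\private\<SID>`), showing how borders plus the minimum rights principle decide each file access. The names `Process`, `required_capability`, `may_access` and the sample SIDs are hypothetical.

```python
# Simplified model of Symbian OS v9 data caging (illustration only, not Symbian code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    sid: int                        # secure ID (SID) of the executable
    caps: frozenset = frozenset()   # capabilities granted to the process

def required_capability(proc, path, write):
    """Return the capability this access needs, or None if none is needed."""
    parts = [p for p in path.replace("/", "\\").lower().split("\\") if p]
    if parts and parts[0].endswith(":"):
        parts = parts[1:]           # drop the drive letter, e.g. "c:"
    if ".." in parts:
        raise ValueError("relative path components are refused")
    if not parts:
        return None
    top = parts[0]
    if top == "sys":                # executables live under \sys\bin
        return "TCB" if write else "AllFiles"
    if top == "resource":           # public read-only resources
        return "TCB" if write else None
    if top == "private":            # per-process private directories
        own = len(parts) > 1 and parts[1] == f"{proc.sid:08x}"
        return None if own else "AllFiles"
    return None                     # all other directories are public

def may_access(proc, path, write=False):
    need = required_capability(proc, path, write)
    return need is None or need in proc.caps

# Constructed sample processes; the SIDs are made up for this example.
APP = Process(sid=0x20001234)
BACKUP = Process(sid=0x20005678, caps=frozenset({"AllFiles"}))
INSTALLER = Process(sid=0x2000ABCD, caps=frozenset({"TCB", "AllFiles"}))

if __name__ == "__main__":
    for proc, path, write in [
        (APP, r"C:\private\20001234\settings.ini", True),
        (APP, r"C:\private\20005678\archive.db", False),
        (APP, r"Z:\resource\apps\app.rsc", True),
        (BACKUP, r"C:\private\20001234\settings.ini", False),
        (BACKUP, r"C:\sys\bin\app.exe", True),
        (INSTALLER, r"C:\sys\bin\app.exe", True),
    ]:
        verdict = "allow" if may_access(proc, path, write) else "deny"
        print(f"{proc.sid:08x} {'write' if write else 'read '} {path}: {verdict}")
```

An application with no capabilities can use only its own private directory and public areas, so a compromise of that application stays inside its own unit.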

Additionally, there are third-party security applications such as antivirus software, firewalls, and intrusion detection systems that provide good protection against hostile attacks when combined with strict policies.

Testing and validation

Even the strongest security systems may have vulnerabilities that are not apparent until the application or product is in use. Software complexity and combinations of different technologies are known to increase the chance of software flaws. Software usually functions properly even when it is not secure. This is why extensive testing and validation are needed during development. The purpose of security testing is to find errors and flaws that may jeopardize the security and integrity of information stored in the mobile device.

Traditional testing validates software against specifications, but security testing studies behavior and possible side effects in different environments. For example, white hat hacking attempts to identify vulnerabilities before malicious (black hat) hackers do. Common areas for security testing include user interfaces, information storage, communications, and the software's internal security (for example, algorithms, robustness, recovery).

To have a complete evaluation of security features and risks, it is important to perform a full security analysis for every published version of an application.