Google Trumpets New Mobile App Security Standard
Google is shouting about a new standard designed to enhance baseline security across mobile applications.
The Mobile Application Profile is the work of the Internet of Secure Things Alliance (ioXt), a consortium of over 300 members including Google, Facebook, T-Mobile, Zigbee Alliance, Schneider Electric and many others.
“With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, and webcams, and since most smart devices are managed through apps, they have expanded coverage to include mobile apps with the launch of this profile,” explained Brooke Davis and Eugene Liderman of the Android Security and Privacy Team.
“The ioXt Mobile Application Profile provides a minimum set of commercial best practices for all cloud connected apps running on mobile devices. This security baseline helps mitigate against common threats and reduces the probability of significant vulnerabilities.”
According to the document itself, the Profile covers passwords, interfaces, cryptography, software updates, vulnerability reporting and security-by-default.
It was produced by ioXt in collaboration with over 20 industry players including Google and Amazon, labs such as NCC Group and Dekra, and automated mobile app security testing vendors like NowSecure.
The Profile is also based on existing frameworks like OWASP MASVS and the VPN Trust Initiative. Although mobile apps need only be certified under the Mobile Application Profile, VPN apps must also comply with a specialized VPN extension.