Google is shouting about a new standard designed to enhance baseline security across mobile applications.
The Mobile Application Profile is the work of the Internet of Secure Things Alliance (ioXt), a consortium of over 300 members including Google, Facebook, T-Mobile, Zigbee Alliance, Schneider Electric and many others.
“With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, and webcams, and since most smart devices are managed through apps, they have expanded coverage to include mobile apps with the launch of this profile,” explained Brooke Davis and Eugene Liderman of the Android Security and Privacy Team.
“The ioXt Mobile Application Profile provides a minimum set of commercial best practices for all cloud connected apps running on mobile devices. This security baseline helps mitigate against common threats and reduces the probability of significant vulnerabilities.”
According to the document itself, the Profile covers passwords, interfaces, cryptography, software updates, vulnerability reporting and security-by-default.
It was produced by ioXt in collaboration with over 20 industry players including Google and Amazon, labs such as NCC Group and Dekra, and automated mobile app security testing vendors like NowSecure.
It’s also based on existing frameworks like OWASP MASVS and the VPN Trust Initiative. Although mobile apps only need to be certified under the Mobile Application Profile, VPN apps must also comply with a specialized VPN extension.
“Certification allows developers to demonstrate product safety and we’re excited about the opportunity for this standard to push the industry forward,” noted Davis and Liderman.
“We observed that app developers were very quick to resolve any issues that were identified during their black box evaluations against this new standard, oftentimes with turnarounds in a matter of days.”
The duo encouraged more developers to get involved in the project and said it would help act as a “guiding light” to inspire more of the community to invest in mobile app security.