HKCert
Security Guideline

Best Practice Guide (SSL Implementation) for Mobile App Development

Release Date: 14 / 09 / 2015
Last Update: 05 / 10 / 2015

Mobile platform is increasingly become a choice for delivering services. As more sensitive data and transaction data will be transported on mobile communication channels, the security risks associated with untrusted communication, such as public Wi-Fi have to be addressed, for example, fraudster can set up a fake Wi-Fi access point and fake Secure Sockets Layer (SSL) certificates to conduct man-in-the-middle (MITM) attack to capture sensitive data.

 

Secure Sockets Layer / Transport Layer Security (SSL/TLS) has been widely used for authentication and encryption. However, if it is implemented via mobile apps, users have not got the same transparency of SSL as in the browser where visual alerts can be given (a colour padlock icon indicator shown in the address bar). The quality of SSL/TLS implementation in mobile app is thus crucial to detect and deny MITM attacks.

 

According to the Data Protection Principles – Security (DPP4) under the Personal Data (Privacy) Ordinance, if data is involved personal data (privacy), mobile app owners and companies are required to take all reasonably practicable steps to implement security precautions, the level of which should be commensurate with the seriousness of the potential harm that could result from a data breach. Mobile app developers also have responsibility to protect the transferring data and provide a secure environment against MITM attack to mobile users.

 

Hong Kong Computer Emergency Response Team (HKCERT) and Professional Information Security Association (PISA) have compiled the “Best Practice Guide (SSL Implementation) for Mobile App Development” to help apps owners and developers to improve apps security. This document mentions common practices which help mobile application developers to handle SSL connection with appropriate ways to provide secure channel between mobile app and server and also prevent from MITM attack.

 

 

[Download]