12 Ways to Develop Secure Windows Phone Applications

Windows Phone (WP) 8 and 8.1 are arguably two of the most secure mobile operating systems on the market at present.

In contrast to other mobile operating systems, such as iOS and Android, WP8 and 8.1 devices have not been publicly vulnerable to a long string of jailbreaking and security vulnerabilities.

Nonetheless, security is still a crucial consideration when writing a Windows Phone application.

This checklist sets out the key steps for implementing secure Windows Phone apps:

Encrypt all sensitive data, whether stored in databases or other file formats

Follow industry-standard cryptography practices and, preferably, use AES-256

Apply sensible cryptography key management principles; for example, use PBKDF2 and enforce a reasonably strict password complexity policy

Use a secure random data source when needed (i.e. RNGCryptoServiceProvider)

Attempt to wipe keys and passwords from memory, via a best-effort approach, when they are no longer required

Avoid SQL injection in apps that use SQLite-derived databases

Implement secure network communications via SSL/TLS

Take care to avoid cross-site scripting and script injection bugs

Ensure that XML parsing doesn’t resolve DTDs, unless this functionality is specifically required by your app

xmlDoc.validateOnParse=”false”;

Try to clear web cache and cookies when they’re no longer needed

Apply native code secure coding guidelines to avoid traditional bugs, such as buffer overflows

Build your native modules with exploit mitigation features enabled

The Mobile Application

Hacker’s Handbook

by Dominic Chell, Tyrone Erasmus, Shaun Colley, and Ollie Whitehouse

Learn to analyze and write secure Windows Phone applications with