12 ways to develop secure windows phone applications
TRANSCRIPT
12 Ways to Develop Secure Windows Phone Applications
Windows Phone (WP) 8 and 8.1 are arguably two of the most secure mobile operating systems on the market at present.
In contrast to other mobile operating systems, such as iOS and Android, WP8 and 8.1 devices have not been publicly vulnerable to a long string of jailbreaking and security vulnerabilities.
Nonetheless, security is still a crucial consideration when writing a Windows Phone application.
This checklist sets out the key steps for implementing secure Windows Phone apps:
Encrypt all sensitive data, whether stored in databases or other file formats
Follow industry-standard cryptography practices and, preferably, use AES-256
Apply sensible cryptography key management principles; for example, use PBKDF2 and enforce a reasonably strict password complexity policy
Use a secure random data source when needed (i.e. RNGCryptoServiceProvider)
Attempt to wipe keys and passwords from memory, via a best-effort approach, when they are no longer required
Avoid SQL injection in apps that use SQLite-derived databases
Implement secure network communications via SSL/TLS
Take care to avoid cross-site scripting and script injection bugs
Ensure that XML parsing doesn’t resolve DTDs, unless this functionality is specifically required by your app
xmlDoc.validateOnParse=”false”;
Try to clear web cache and cookies when they’re no longer needed
Apply native code secure coding guidelines to avoid traditional bugs, such as buffer overflows
Build your native modules with exploit mitigation features enabled
The Mobile Application
Hacker’s Handbook
by Dominic Chell, Tyrone Erasmus, Shaun Colley, and Ollie Whitehouse
Learn to analyze and write secure Windows Phone applications with