Security tips for mobile app developers
FIPS 140-2 compliance for mobile apps applies to multiple solutions involving mobile apps. As it relates to data at rest encryption, FIPS 140-2 cryptographic modules are often mandated by federal and civilian government entities for any mobile app handling sensitive data. Many government agencies require that all data encryption (including data at rest, in transit and in use) use cryptographic algorithms and modules that have undergone FIPS-140-2 certification.
Mobile data-at-rest encryption
I’ve talked about the need for mobile data-at-rest encryption for mobile apps before. And there are a bunch of great articles related to this topic such as Jason Cipriani’s commentary on CNET, What you need to know about encryption on your phone and Andrew Cunningham’s piece for Ars Technica, Phone and laptop encryption guide: Protect your stuff and yourself if you are interested in getting some additional background.
But for now, I want to focus on data at rest encryption implemented with FIPS. This may be an important issue for you, if like many mobile app developers, you are being tasked with demonstrating that your app is indeed compliant with FIPS as outlined in the NIST standards for data at rest encryption.
What is FIPS
FIPS or the Federal Information Processing Standards are public standards built by the US federal government. FIPS standards cover a wide range of requirements across security and interoperability. More specifically, FIPS 140 is focused on specific requirements for cryptography modules. The current version of this standard is FIPS 140-2. You’ll hear people in the security industry refer to FIPS as: FIPS, 140, FIPS 140 and FIPS 140-2. Most of the time these are all in reference to FIPS 140-2. Because many public and private sector organizations require that FIPS-compliant cryptography modules be used, Appdome has some choices within the fusion process that can be selected with FIPS in mind.
How Appdome implements FIPS 140-2 compliance for mobile apps
When fusing an app with Appdome you may decide to select data at rest encryption for one of your security options. When this is done, you can further select the FIPS 140-2 encryption modules if you desire. By selecting this option your app will apply FIPS-approved encryption to your app for data at rest. In addition to applying data at rest encryption to the app, which is always a best practice, you can now also demonstrate that your app is indeed compliant with these NIST standards as they relate to data at rest encryption and that your app is leveraging FIPS 140-2 cryptographic Modules.
Look no further than the U.S. Navy, who uses Appdome to secure their MyNavyPortal mobile app to understand the value of no-code mobile security. Read the direct quote below from the senior U.S. Navy Program Manager in charge of the app delivery to understand how important encryption of sensitive data is in mobile apps, and also to underscore just how critical Appdome is in helping mobile developers achieve secure outcomes immediately in a standardized and repeatable manner – all without coding.
Thanks for reading! This blog is part of a series focused on security tips for mobile application developers. While it’s not intended to be an exhaustive analysis of security issues or Fusion, it’s my intent to use this blog series as a platform to help mobile application developers become more security-aware. I hope you found this information useful.