2.4.11 Mobile Application
This section is intended for personnel who are responsible for the security of the IoT Product or Service's Mobile Application. Guidance is available from the IoTSF [ref 44]¹ regarding Application Security (part E) and Credential Management (part F).
Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
---|---|---|---|---|
2.4.11.1 | Where an application’s user interface password is used for login authentication, the initial password or factory reset password is unique to each device in the product family. | Mandatory for all classes | System | Software |
2.4.11.2 | Password entry follows industry standard practice. | Mandatory for all classes | System | Software |
2.4.11.3 | The mobile application ensures that any related databases or files are either tamper resistant or restricted in their access. Upon detection of tampering of the databases or files, they are re-initialised. | Mandatory for Class 1 and above | System | Software |
2.4.11.4 | Where the application communicates with a product related remote server(s), or device, it does so over a secure connection. | Mandatory for Class 1 and above | System | Software |
2.4.11.5 | The product securely stores any passwords using an industry standard cryptographic algorithm. | Mandatory for Class 1 and above | System | Software |
2.4.11.6 | Where passwords are entered on a user interface, the actual pass phrase is obscured by default to prevent the capture of passwords. | Mandatory for Class 1 and above | System | Software |
2.4.11.7 | All data being transferred over interfaces should be validated where appropriate. This could include checking the data type, length, format, range, authenticity, origin and frequency. | Mandatory for Class 1 and above | System | Software |
2.4.11.8 | Secure Administration Interfaces: it is important that configuration management functionality is accessible only by authorised operators and administrators. Enforce strong authentication over administration interfaces, for example, by using certificates. | Mandatory for Class 1 and above | System | Software |
2.4.11.9 | All application inputs and outputs are validated using, for example, an allowed-list containing authorised origins of data and valid attributes of such data. | Mandatory for Class 1 and above | System | Software |
2.4.11.10 | Mobile Apps should be developed using best practice secure coding techniques and server frameworks. | Mandatory for Class 1 and above | System | Software |
2.4.11.11 | App interface should provide a simple method (one to two clicks) to initiate any security update to the end device. | Mandatory for Class 1 and above | System | Software |
2.4.11.12 | Access to device functionality via a network/web browser interface in the initialized state should only be permitted after successful Authentication using current best practice secure cryptographic modules. | Mandatory for Class 1 and above | System | Software |
2.4.11.13 | Any personal data communicated between the mobile app and the device shall be encrypted. Where the data includes sensitive personal data then the encryption must be appropriately secure. | Mandatory for Class 1 and above | System | Software |
Footnotes
1. Enhanced Privacy standard for Anonymous Signatures ISO/IEC20008 [https://www.iso.org/standard/57018.html]