2.4.11 Mobile Application

This section is intended for personnel who are responsible for the security of the IoT Product or Services Mobile Application. Guidance is available from the IoTSF [ref 44]¹ regarding Application Security (part E) and Credential Management (part F).

| Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
|---|---|---|---|---|
| 2.4.11.1 | Where an application’s user interface password is used for login authentication, the initial password or factory reset password is unique to each device in the product family. | Mandatory for all classes | System | Software |
| 2.4.11.2 | Password entry follows industry standard practice. | Mandatory for all classes | System | Software |
| 2.4.11.3 | The mobile application ensures that any related databases or files are either tamper resistant or restricted in their access. Upon detection of tampering of the databases or files, they are re-initialised. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.4 | Where the application communicates with a product related remote server(s), or device, it does so over a secure connection. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.5 | The product securely stores any passwords using an industry standard cryptographic algorithm. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.6 | Where passwords are entered on a user interface, the actual pass phrase is obscured by default to prevent the capture of passwords. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.7 | All data being transferred over interfaces should be validated where appropriate. This could include checking the data type, length, format, range, authenticity, origin and frequency. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.8 | Secure Administration Interfaces; It is important that configuration management functionality is accessible only by authorised operators and administrators. Enforce Strong Authentication over administration interfaces, for example, by using certificates. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.9 | All application inputs and outputs are validated using for example an allowed-list containing authorised origins of data and valid attributes of such data. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.10 | Mobile Apps should be developed using best practice secure coding techniques and server frameworks. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.11 | App interface should provide a simple method (one to two clicks) to initiate any security update to the end device. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.12 | Access to device functionality via a network/web browser interface in the initialized state should only be permitted after successful Authentication using current best practice secure cryptographic modules. | Mandatory for Class 1 and above | System | Software |
| 2.4.11.13 | Any personal data communicated between the mobile app and the device shall be encrypted. Where the data includes sensitive personal data then the encryption must be appropriately secure. | Mandatory for Class 1 and above | System | Software |
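
The checks named in 2.4.11.7 (type, length, format, range, authenticity, origin, frequency) and the allowed-list of 2.4.11.9 can be combined into a single gate on every message the app accepts from a device. The sketch below is an added example, not part of the IoTSF framework; the JSON message shape, the field names `origin` and `temp_c`, the HMAC key, the limits and the device ID are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re

# All values below are constructed for this example (assumptions, not IoTSF values).
ALLOWED_ORIGINS = {"thermostat-01"}   # allowed-list of authorised data origins (2.4.11.9)
KEY = b"constructed-demo-key"         # placeholder; a real key is provisioned per device
MAX_LEN = 256                         # maximum accepted body size in bytes
MIN_INTERVAL = 1.0                    # minimum seconds between messages per origin
ID_RE = re.compile(r"[a-z0-9-]{1,32}")
_last_seen = {}                       # origin -> time of last accepted message

def sign(body: bytes) -> str:
    """HMAC-SHA256 tag the sender attaches to the raw body."""
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def validate(body: bytes, tag: str, now: float):
    """Return (True, reading) or (False, name_of_failed_check)."""
    if len(body) > MAX_LEN:                                   # length
        return False, "length"
    # Authenticate before parsing so unauthenticated bytes never reach the parser.
    if not hmac.compare_digest(sign(body).encode(), tag.encode()):
        return False, "authenticity"
    try:
        msg = json.loads(body)                                # format
    except ValueError:                                        # also covers bad UTF-8
        return False, "format"
    if not isinstance(msg, dict) or set(msg) != {"origin", "temp_c"}:
        return False, "format"                                # only the expected attributes
    origin, temp = msg["origin"], msg["temp_c"]
    if not isinstance(origin, str) or not ID_RE.fullmatch(origin):
        return False, "format"
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(temp, bool) or not isinstance(temp, (int, float)):
        return False, "type"
    if origin not in ALLOWED_ORIGINS:                         # origin
        return False, "origin"
    if not -40.0 <= temp <= 85.0:                             # range (NaN fails too)
        return False, "range"
    if now - _last_seen.get(origin, float("-inf")) < MIN_INTERVAL:
        return False, "frequency"                             # frequency
    _last_seen[origin] = now
    return True, temp
```

Returning the name of the failed check lets the app log rejections per category without echoing the rejected payload.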

Footnotes

  1. Enhanced Privacy standard for Anonymous Signatures ISO/IEC20008 [https://www.iso.org/standard/57018.html]