
Get to Know Mobile Application Security Engineering

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the distinctions between application development and application security.
  • Identify the security challenges that app developers face.
  • List key skills relevant to mobile appsec engineers.

Application Development vs. Application Security

Not all mobile application (app) developers are mobile application security (appsec) engineers and vice versa. While each one may have a background in the other, the expectations of the roles are different. An app developer's typical responsibilities include coding, designing, managing, troubleshooting, monitoring for updates and possible security threats, and providing end user support for apps.

On the other hand, as a mobile appsec engineer, you set security controls and design requirements during the software creation and development stage of the software development lifecycle (SDLC). You also help perform threat modeling and risk assessment of apps. You test mobile apps using a variety of tools to ensure security issues are resolved before the apps are made public. You also monitor mobile apps after their release to identify and resolve any new or previously undetected security vulnerabilities. 

The Appsec Dilemma

The development process is often focused on getting an app to market quickly and building new features, not necessarily on security. What’s more, organizations may have a limited budget dedicated to securing their mobile apps. Additionally, many organizations do not scan or test the code in their mobile apps for security vulnerabilities, unintentional usage, or hidden functionalities. 

Another challenge is that developers may be unaware of the underlying platform they are working with. To properly secure a mobile app, mobile app developers need to be aware of all the underlying mechanisms that provide mobile app resources—and their limitations. 

Another hurdle to securing mobile apps is that the apps may be overly broad in the permissions they ask for, and users may not think to question this. For example, does a weather app on your phone really need access to your camera or microphone? For what purpose? Excessive permissioning in an app creates an expanded attack surface. The more information an app collects that is not relevant to its purpose, the more likely a user is sharing potentially sensitive data unnecessarily.
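The permission check described above can be automated during review. The following is an added example, not part of the original unit: it reads the source (text) form of an AndroidManifest.xml and compares the requested permissions with a list the team has justified. The `JUSTIFIED` policy, the function names, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical review policy: each permission the weather app may request,
# with the reason the team recorded for it.
JUSTIFIED = {
    "android.permission.INTERNET": "download forecast data",
    "android.permission.ACCESS_COARSE_LOCATION": "forecast for the user's area",
}

# Constructed sample manifest for a weather app that over-requests.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>
""".strip()


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Both element types request a permission; the second applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml, justified):
    """Compare requested permissions with the justified list."""
    requested = requested_permissions(manifest_xml)
    allowed = set(justified)
    return {
        # Requested with no recorded purpose: candidates for removal.
        "unjustified": sorted(requested - allowed),
        # Justified but no longer requested: stale policy entries.
        "stale_policy": sorted(allowed - requested),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, JUSTIFIED))
```

Run against the constructed manifest, the audit reports the camera and microphone permissions as unjustified, which is the weather app case from the paragraph above.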

What’s more, after releasing a mobile app into production, the work is not done. New vulnerabilities arise daily, and even the most reputable software libraries require security updates. You must stay aware and communicate with your users in order to quickly identify and resolve new security issues. The good news is that today, appsec knowledge is one skill that can distinguish developers in the job market.

Mobile Appsec Key Skills

The industry for mobile app development and security continues to grow as mobile devices become the center of communication and work. The increased importance of cyber resilience for mobile devices and apps has increased the demand for experienced mobile appsec engineers. 

Developing secure mobile apps involves applying a set of activities throughout the entire SDLC. It requires collaboration on app conceptualization for security by design, outside-the-box thinking to anticipate threats, and so much more. If you’re someone with technical knowledge who aspires to enjoy a prosperous future in the tech industry, polishing your mobile appsec skills might be the best option for you.

If you like to automate tasks using software, enjoy identifying security bugs and flaws, and are interested in performing code reviews, you’ll likely excel in this role. Mobile appsec engineers help mobile app developers design secure mobile apps from scratch while expertly performing security assessments and code reviews. They also implement security tools and techniques to protect deployed mobile apps. Though there are no specific minimum qualifications to start your career in mobile appsec, it’s a plus to have a technical background. 

A mobile appsec engineer with different icons around them symbolizing the skills necessary to excel in this career

Education

A bachelor’s degree or a diploma in computer science or some sort of technical training is valuable in this career path.

Experience

Having general programming experience and software or web development experience is helpful. You should be highly proficient in engineering custom-built Android and iOS apps that incorporate essential and custom-tailored business requirements. You should understand regulatory standards and guidelines so that your custom apps can be published and distributed in tech companies’ app stores.

Certifications

Pursuing a certification is a great idea for this field. Certifications that address the secure software lifecycle, secure software programming, web application defense, and more allow you to skill up and get your foot in the door. Here are some common certifications for mobile appsec engineers. 

| Certification | Description |
| --- | --- |
| Certified Secure Software Lifecycle Professional (CSSLP) | Validates that software professionals have the expertise to incorporate security practices into each phase of the SDLC |
| GIAC Secure Software Programmer (GSSP-.NET) | Validates a practitioner’s knowledge, skills, and abilities to write secure code and recognize security shortcomings in existing code |
| GIAC Web Application Defender (GWEB) | Demonstrates mastery of the security knowledge needed to deal with common web app errors that lead to most security problems |
| GIAC Mobile Device Security Analyst (GMOB) | Prepares you to effectively evaluate the security of mobile devices, assess and identify flaws in mobile apps, and conduct a mobile device penetration test (pentest) |
| Secure Software Practitioner (SSP) | Provides the skills needed to write more secure software code, reduce vulnerabilities, and enhance the overall security posture of an organization's software products |

Knowledge

Working as a mobile appsec engineer involves several skill sets. You should have development skills on the Android or iOS platforms, and exposure to static and dynamic mobile appsec analysis concepts. It’s also a wise idea to be aware of protocol and network analysis. 

Additionally, you should have experience in authentication and encryption methods, including OAuth and public key infrastructure (PKI). You should also have knowledge of the Open Web Application Security Project (OWASP) Mobile Top 10 and threat modeling. Programming language skills, computer proficiency, back-end computing, user interface (UI) design, mobile cross-platform development, and product management are also important topics to be familiar with. In addition, you should enjoy actively seeking new programming knowledge, have experience with agile methodologies, and possess analytical skills.

Note

The back end refers to the parts of a computer application that are required for its operation and that a user cannot access. Examples of back-end processes include processing an incoming request, running code to generate HyperText Markup Language (HTML) on the server, and accessing data from a database using a query language.

Business Skills

A huge part of success as a mobile appsec engineer involves using business skills to help you understand the customer’s vision and how best to provide the functionality they want in a secure manner. In addition to product management, design, writing, and communication skills, having attention to detail is crucial for this role.

Sum It Up

In this module, you’ve been introduced to the mobile appsec landscape. You’ve learned more about the prevalence of mobile appsec. You’ve also discovered the responsibilities, skills, and qualifications of a mobile appsec engineer. In the next module, Mobile Application Security Implementation, you learn how to implement mobile appsec and test mobile apps. Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Learning Hub on Trailhead.
