Skip to main content
EMS Software, LLC

Mobile Device Security

  1. Are regularly scheduled updates and patches deployed via the appropriate mobile device App Store?
    Yes.
  2. Has a thorough line by line source code review of the app been performed?
    Yes.
  3. Has the app been reviewed against external (OWASP) secure development standards?
    Only informally.
  4. Does the application encode all output functions?
    App does not encode anything, decodes data from the mobile API as necessary
  5. If the application is a webview, does it embed a random value into the HTML form to protect against CSRF attacks?
    The application is not a webview.
  6. Where is the app source code development located? Are these locations supplier owned facilities or outsourced/3rd Party locations?
    Supplier owned.
  7. Where is the app technical support is located? Are these supplier owned facilities or outsourced/3rd Party locations?
    Supplier-Owned location.
  8. Are all error messages and unhandled exceptions handled gracefully?
    Yes.
  9. If the application is a webview do you implement any Clickjacking protection?
    Application is not a webview.
  10. Are event log monitoring controls in place to monitor access and events by all users?
    The app stores logs internally; logs are not shipped off the device unless the user opts to do so.
  11. If the application utilizes cookies, are they set to secure? Is it encrypted?
    The app does not utilize cookies.
  12. What are the application session management configurations (Client and Server)?
    EMS parameters can be set to control the expiration of the mobile API token.
  13. On application session time outs, does the application discard and clear all memory associated with user data; and any master keys used to decrypt the data?
    Yes.
  14. Does the application/server log failed Logon attempts (Identify the number of failed attempts)?
    No.
  15. Does the application handle excessive failed attempts at authentication by locking out the user? 
    No.
  16. What is password reset policy?
    App does not enforce a password reset policy
  17. What is the application's authentication and authorization model?
    Authorization is through web process templates in client; Authentication
  18. Does the application store credentials on the device?  If so are the credentials stored within the operating system secure store?
    App stores a token for access to the mobile API, it is stored securely.
  19. Does the application support Biometrics?
    No.
  20. Does the application only collect and disclose data which is required for business use of the application?
    Need more information.
  21. Does the application persist non-public data short term (session only)?
    No
  22. Does the application persist non-public data long term? 
    No.
  23. Does the application validate all input at the client? 
    Yes.
  24. Does the server validate all input coming from the client?
    Yes.
  25. Describe the applications Key Management/Rotation policy? 
    Not sure what this is, need more info.
  26. If the application utilizes SMS/MMS/Push Notification services; does the application only send user agnostic information?
    Does not utilize any of those
  27. Does the application restrict copy/paste on sensitive fields?
    Yes.
  28. Does the application restrict printing?
    No.
  29. Does the application mask/obfuscate the screen on backgrounding/app switching?
    No.
  30. Does the app include any sensitive customer or account data within any event logs?
    Token for the API is logged occasionally, but this is being worked on.
  31. If crash logs are leveraged are they transmitted securely and not in plain text? 
    User must opt to copy/paste them. These logs are plain text at the time of copy/paste.
  32. Is there a process in place to ensure debug logs are disabled in the production version of the app?
    No, all logs are enabled all the time currently.
  33. Does the application capture/log the devices UUID? 
    Only when the user opts to remember the device during two-factor authentication.
  34. Does the application capture/log the devices geolocation/tracking data?
    Yes.
  35. Are sensitive fields such as credentials marked as secure so they are not cached in plain text on the device or transmitted insecurely to an unauthorized party?
    Yes.
  36. Is the app coded to release system resources such as cached RAM memory; or data in memory when the application is closed or otherwise not in use?
    No.
  37. Does the application transmit all data securely?
    No, we strongly recommend that you use SSL.
  38. Does the application only request the permissions needed for the scope of the application?
    Yes.
  39. Are all system calls implemented securely and follow platform guidance on implementation (e.g. Intents; APIs; RESTful Services; etc?)?
    Yes.
  40. Does the application server detect if the connection is not HTTPS with every request when it is known that the connection should be HTTPS (SSL Strip)?
    No, the app allows bot HTTP and HTTPS.
  41. Does the application leverage certificate pinning?
    No.
  42. Does the application validate redirects and forwards?
    NA.
  43. Are file uploads validated and restricted against file type and upload size?
    No file uploads occur.
  44. Does the application access data from/to a third party?
    No.
  45. If the application leverages third party libraries is there a process in place to vet the security of those libraries?
    No.
  46. Does the application capture/log the device's UUID?
    Only when the user opts to remember the device during two-factor authentication.