APPL-13

If mobile, is the application available from a trusted source (e.g., App Store, Google Play Store)?

Explanation

This question is asking whether your mobile application is distributed through official, trusted app distribution platforms like Apple's App Store or Google's Play Store, rather than through alternative methods. Why this matters for security: 1. App stores perform security reviews and malware scanning before allowing apps to be published 2. App stores enforce code signing requirements that verify the authenticity of the app 3. App stores provide a controlled update mechanism to ensure users receive security patches 4. Users are trained to trust these official channels and be suspicious of apps from other sources 5. Sideloading apps (installing from outside official stores) bypasses these security controls This question helps assessors understand if your organization follows standard security practices for mobile app distribution. If you distribute your app through unofficial channels, it raises concerns about the app's integrity, the update process, and potential security vulnerabilities. When answering this question: - Specify which official app stores your mobile application is available from - If you use enterprise distribution methods (like Apple Enterprise Program), explain the controls in place - If you use alternative distribution methods, explain why and what security measures you've implemented - Select N/A only if you truly don't have a mobile application component

Guidance

Select N/A if there is no mobile version of your app.

Example Responses

Example Response 1

Yes, our mobile application is available exclusively through official trusted sources The iOS version is distributed through Apple's App Store, and the Android version is available on Google Play Store Both versions undergo the respective platform's security review processes before publication We maintain developer accounts in good standing with both platforms and follow their security guidelines for app submissions All app updates are pushed through these official channels to ensure users receive the latest security patches.

Example Response 2

Yes, our mobile application is primarily distributed through the Apple App Store for iOS users and Google Play Store for Android users Additionally, for our enterprise customers, we utilize Apple's Enterprise Developer Program and Android Enterprise to distribute specialized versions with enhanced security features These enterprise distribution methods still maintain the security benefits of code signing and controlled distribution, but allow us to provide custom functionality not appropriate for general public release We do not allow installation from unknown sources.

Example Response 3

No, our mobile application is not currently available from trusted sources like the App Store or Google Play Store Instead, we distribute our Android application as an APK file that users must sideload onto their devices, and our iOS application requires users to jailbreak their devices for installation We chose this approach because our application requires deep system access that would not be permitted by the official app stores' policies We recognize this creates security concerns, and we're working to redesign our application to comply with app store requirements by Q3 of this year In the meantime, we've implemented code signing and host our APK files on a secure server with TLS encryption and authentication requirements.

Context

Tab: Infrastructure
Category: Application/Service Security