Application development collection

Created:  09 May 2018
Application development
Recommendations for the secure development, procurement and deployment of generic and platform-specific applications.

This guidance provides advice on how to minimise the loss of data from applications running on devices handling sensitive data. It is primarily for risk assessors and application developers, and contains recommendations for the secure developmentprocurement and deployment of generic and platform-specific applications.

  • We recommend that you read the generic application development guidance in full, before you read the platform-specific guidance.
  • Note that the NCSC does not provide services for the assessment of third-party applications; organisations must undertake this work on an individual, per-application basis


About this guidance

This guidance will help you to:

  • ensure sensitive data is protected appropriately when stored and transmitted
  • minimise the opportunity for accidental data leakage across application boundaries
  • ensure only authorised parties can access sensitive information
  • maximise the usability of applications whilst maintaining security in the development phase
  • restrict access to sensitive data to those applications designed to handle such material in a secure manner

In achieving these goals, the following assumptions are made:

  • devices are configured in line with the NCSC End User Device guidance
  • devices could have other third-party applications installed
  • devices will be in a locked state if lost or stolen
  • attackers can gain total control of devices (such as through jailbreaking/rooting) or otherwise gaining administrative privileges

In addition, the following principles are followed throughout:

  • applications that store, process, handle, or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use
  • use the functionality of modern platforms to enhance the security of applications (this is the focus of the platform-specific guidance)
  • if sensitive information is stored using the platform’s native functionality, then third-party applications may be able to access that information
  • the specific data that applications can access (and the constraints are involved) must be understood with respect to each platform’s security model


  1. Generic application development guidance

    Recommendations for the secure development, procurement and deployment of generic applications.

  2. Android application development guidance

    Recommendations for the secure development, procurement and deployment of Android applications.

  3. Apple iOS application development guidance

    Recommendations for the secure development, procurement and deployment of Apple iOS applications. 

  4. Windows application developer guidance

    Recommendations for the secure development, procurement and deployment of Windows applications.

Was this guidance helpful?

We need your feedback to improve this content.

Yes No