Implementation and Security Evaluation of User-Customized Content in a Mobile Application

Sammanfattning: Companies offering a service application targeting a broad audience often have difficulties meeting all user requirements since many users have unique needs. Allowing users to define and create content for service applications themselves, which addresses their specific needs, would be a welcomed solution. This would allow developers to focus on the main aspects of the service application, whereas the users themselves can include individual end-user aspects. User-customized content can be used as a selling point for the companies and opens up possibilities for providing a better user experience for each unique end user. This thesis describes the process of creating a prototype system that provides a solution for including user-customized content in a mobile application service system. First, we describe requirement elicitation followed by design and the actual implementation. Furthermore, security is a frequent topic whenever a digital application is discussed today. Therefore, the system creation process is followed up with an investigation of how the resulting application security aspect can be evaluated. After investigating different possibilities, a security evaluation case study on the application is performed. The results show a functioning system that allows customers to customize the content that is rendered inside a cross-platform mobile application. The results from the security evaluation investigation also show that the Open Web Application Security Project (OWASP) Mobile Security Testing Guide (MSTG) framework can be adapted and used for security evaluation of a cross-platform mobile application, even though it targets native applications. The resulting system satisfies most of the requirements for the targeted security level but does not satisfy all requirements for a normal production level mobile application according to the OWASP Mobile Application Security Verification Standard (MASVS). However, the results indicate that there is potential to reach the desired security level by adapting the system to use pure React Native with some native code additions.