More Apps Mean More Security Woes - InformationWeek
IoT
IoT
Mobile
Commentary
5/9/2011
03:54 PM
Adam Ely
Adam Ely
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

More Apps Mean More Security Woes

You're not a player unless you play in the mobile space, but if you play insecurely, users may pass you by.

Mobile applications and technology are hot. The iPad was being asset-tagged and added to the corporate network the day it was released. But new platforms bring apps, which in turn bring technology management and security worries. Concern, discussion, and thought surround mobile application security and where we're heading, now that there's an app for everything.

My good friend and security industry colleague Rafal Los (whom I call Raf for short, and since you and I are friends you can too) recently published some of his thoughts on mobile application security on Hewlett-Packard's Application Security Community site. When it comes to application security in general, I agree with Raf's thoughts. To summarize, he points out that a lot of mobile application functionality is driven by server-side code, which takes us back to Web application security practices. When focusing on mobile applications you can't forget about the server-side calls, and if your Web application security practices are in place, you're that much ahead of the game.

I agree with Raf in this context, but the problem of mobile applications is much broader. Let's take a look at the Skype-Android privacy vulnerability. It was found that Skype didn't properly secure instant messages and profile information stored on Android devices, and thus malicious apps, intruders, or anyone who gained enough access to your handset could access these files. This is a problem of the application developers not securing the files, and now Skype developers must fix the oversight and release new code, and users must upgrade. See the statement by Skype in its blog and notice that it attempts to turn attention away from its mistake and focus on the user installing a malicious application. The company could have just said it's in good company since Citibank had a similar flaw. This highlights an area where Web application security practices and the security of the server-side infrastructure don't always protect the user, device, and data.

On top of insecure client-side storage and server-side Web application security, mobile applications must ensure that network transports are secure, since users roam between open wireless networks and are prone to GSM attacks, and AT&T gives the National Security Agency direct network access. (Call me paranoid, but I live next to the building where the secret NSA spying room was found, and Citibank's iPhone app was found to have insecurities.)

I am preparing a report on the state of mobile application security in order to provide insight and practical tips to IT and development teams that are under the gun to develop applications for their companies. In the “there's an app for that” society, you're not a player unless you play in the mobile space. If you play insecurely, though, users may pass you by. We'd like to hear from you on problems, tips, and concerns surrounding mobile application security. Email me at aely@nwc.com or send me a message @adamely on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Success = Storage & Data Center Performance
Balancing legacy infrastructure with emerging technologies requires laying a solid foundation that delivers flexibility, scalability, and efficiency. Learn what the most pressing issues are, how to incorporate advances like software-defined storage, and strategies for streamlining the data center.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll