You're not a player unless you play in the mobile space, but if you play insecurely, users may pass you by.
Mobile applications and technology are hot. The iPad was being asset-tagged and added to the corporate network the day it was released. But new platforms bring apps, which in turn bring technology management and security worries. Concern, discussion, and thought surround mobile application security and where we're heading, now that there's an app for everything.
My good friend and security industry colleague Rafal Los (whom I call Raf for short, and since you and I are friends you can too) recently published some of his thoughts on mobile application security on Hewlett-Packard's Application Security Community site. When it comes to application security in general, I agree with Raf's thoughts. To summarize, he points out that a lot of mobile application functionality is driven by server-side code, which takes us back to Web application security practices. When focusing on mobile applications you can't forget about the server-side calls, and if your Web application security practices are in place, you're that much ahead of the game.
I agree with Raf in this context, but the mobile application problem is much broader. Take the Skype-Android privacy vulnerability. Skype stored instant messages and profile information on Android devices in unencrypted files whose permissions let other applications on the handset read them, so a malicious app, an intruder, or anyone who gained enough access to your device could lift that data. This is a case of the application developers failing to protect their own files: Skype now has to fix the oversight and ship new code, and users have to upgrade. Read Skype's statement on its blog and notice how it steers attention away from the mistake and toward the user who installed a malicious application. The company could just as well have said it was in good company, since Citibank had a similar flaw. It highlights an area where Web application security practices and a well-secured server-side infrastructure don't protect the user, the device, or the data.
On top of insecure client-side storage and server-side Web application security, mobile applications must also secure their network transport: users roam between open wireless networks, are exposed to GSM attacks, and AT&T gives the National Security Agency direct access to its network. (Call me paranoid, but I live next to the building where the secret NSA spying room was found, and Citibank's iPhone app was found to have insecurities.)
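The check a practitioner would run for the storage flaw described above is to look at the permission bits on everything an app writes under its private data directory. The script below is an added example, not code from this article or from Skype; it assumes a rooted device or emulator for the real check (the hypothetical package name is a placeholder) and otherwise builds a constructed sample directory so it runs offline.

```shell
#!/bin/sh
# Added example: find files under an app's data directory that any other
# local user (and therefore any other app on the handset) can read.
# On a rooted Android device or emulator the equivalent one-liner is:
#   adb shell find /data/data/com.example.app -type f -perm -004
# (com.example.app is a placeholder package name, not a real one.)

# Print files under $1 whose mode grants read access to "other".
# -perm -004 is the POSIX spelling (all of the listed bits must be set);
# GNU find also accepts -perm -o=r.
find_world_readable() {
    find "$1" -type f -perm -004 | sort
}

# Number of offending files, usable as a CI gate (0 means clean).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Constructed sample app directory: one correctly private file and one
# world-readable "database", mimicking an app that wrote its message store
# with the wrong file mode.
make_sample_appdir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/files" "$dir/databases"
    printf 'token=abc\n' > "$dir/files/prefs.xml"
    chmod 600 "$dir/files/prefs.xml"          # owner only: fine
    printf 'SQLite format 3\n' > "$dir/databases/main.db"
    chmod 644 "$dir/databases/main.db"        # readable by everyone: the bug
    echo "$dir"
}

# Stand-alone demo: ./check_storage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_appdir)
    echo "world-readable files under $d:"
    find_world_readable "$d"
    rm -rf "$d"
fi
```

The fix on the application side is to create files with an owner-only mode (on Android, `Context.MODE_PRIVATE` rather than the world-readable modes) and to encrypt anything sensitive before it touches the filesystem, since a rooted device or a backup still exposes private files.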
I am preparing a report on the state of mobile application security in order to provide insight and practical tips to IT and development teams that are under the gun to develop applications for their companies. In the “there's an app for that” society, you're not a player unless you play in the mobile space. If you play insecurely, though, users may pass you by. We'd like to hear from you on problems, tips, and concerns surrounding mobile application security. Email me at email@example.com or send me a message @adamely on Twitter.