May 9, 2011
Mobile applications and technology are hot. The iPad was being asset-tagged and added to the corporate network the day it was released. But new platforms bring apps, which in turn bring technology management and security worries. Concern, discussion, and thought surround mobile application security and where we're heading, now that there's an app for everything.
My good friend and security industry colleague Rafal Los (whom I call Raf for short, and since you and I are friends you can too) recently published some of his thoughts on mobile application security on Hewlett-Packard's Application Security Community site. When it comes to application security in general, I agree with Raf's thoughts. To summarize, he points out that a lot of mobile application functionality is driven by server-side code, which takes us back to Web application security practices. When focusing on mobile applications you can't forget about the server-side calls, and if your Web application security practices are in place, you're that much ahead of the game. I agree with Raf in this context, but the problem of mobile applications is much broader. Let's take a look at the Skype-Android privacy vulnerability. It was found that Skype didn't properly secure instant messages and profile information stored on Android devices, and thus malicious apps, intruders, or anyone who gained enough access to your handset could access these files. This is a problem of the application developers not securing the files, and now Skype developers must fix the oversight and release new code, and users must upgrade. See the statement by Skype in its blog and notice that it attempts to turn attention away from its mistake and focus on the user installing a malicious application. The company could have just said it's in good company since Citibank had a similar flaw. This highlights an area where Web application security practices and the security of the server-side infrastructure don't always protect the user, device, and data. On top of insecure client-side storage and server-side Web application security, mobile applications must ensure that network transports are secure, since users roam between open wireless networks and are prone to GSM attacks, and AT&T gives the National Security Agency direct network access. (Call me paranoid, but I live next to the building where the secret NSA spying room was found, and Citibank's iPhone app was found to have insecurities.) I am preparing a report on the state of mobile application security in order to provide insight and practical tips to IT and development teams that are under the gun to develop applications for their companies. In the “there's an app for that” society, you're not a player unless you play in the mobile space. If you play insecurely, though, users may pass you by. We'd like to hear from you on problems, tips, and concerns surrounding mobile application security. Email me at [email protected] or send me a message @adamely on Twitter.
About the Author(s)
You May Also Like