Getting A Jump On Mobile App Security

  /     /     /  
Publicated : 22/11/2024   Category : security


Getting A Jump On Mobile App Security


OWASP, Veracode, others to pinpoint top mobile threats, best practices for writing more secure mobile apps



More than a decade of playing catch-up in desktop and Web application security could help give mobile applications a leg up in security: Security researchers are moving quickly to instill secure coding know-how for developers of mobile applications and to indoctrinate enterprises on the risks posed by these tools that run on smartphones and other mobile computing devices popping up in enterprises.
Im hoping we dont see what happened in the PC world replicated on the iPhone or Android ... We have the opportunity to not let that happen, says Chris Wysopal, CTO at Veracode. Wysopal, a.k.a. Weld Pond from his days in the L0pht hacker think tank, says the time is now to address the security of mobile applications. We have the capability of doing it right this time.
Wysopal has been working with OWASP, the Web application security group, to come up with a Top 10 list of mobile risks and controls. Wysopal, with input from mobile security provider Lookout Security, already had come up with his own list late last year, the
Mobile App Top 10 List
of mobile threats. The goal was to create an industry standard for classifying malicious activity and vulnerabilities in mobile devices.
Chris list gives a more holistic view of mobile risks, while ours is focused on addressing risks from an application development perspective, says Mike Zusman, co-project leader for the
OWASP Mobile Security Project
and managing principal consultant with the Intrepidus Group.
OWASPs draft of its Top 10 Mobile Risks, still a work-in-progress, currently lists insecure or unnecessary client-side data storage as No. 1, followed by lack of data protection in transit; personal data leakage; lack of strong authentication to protect resources; not using least-privilege authorization; client-side injection; client-side denial-of-service; malicious third-party code; client-side buffer overflow; and failure to apply server-side controls.
This project -- a departure from OWASPs Web application security focus -- is a sign of the times, with mobile computing taking hold and OWASP now tackling mobile application security as well. There is a need for security guidance and leadership in the mobile application development space, and OWASP is in a great position to fill this need, Zusman says.
Jack Mannino, co-project leader for the OWASP Mobile Security Project, points to the overlap between Web apps and mobile app technologies. Mobile applications make heavy use of Web services, client-side databases, and Web browser components. There are also entire mobile development frameworks based on JavaScript, HTML, and CSS. Fortunately, there is quite a bit of established knowledge in these areas, making OWASP an excellent organization to help promote secure mobile development practices, says Mannino, CEO and founder of nVisium Security. What we are doing certainly does venture away from what OWASP is known for, but at the same time has enough overlap for it to make sense.
Wysopals Mobile App Top 10 List is aimed at providing mobile users with a measuring stick for mobile security offerings, as well as threats and vulnerabilities for mobile app developers to look out for when writing their tools. The list is broken into two categories: malicious functionality and vulnerabilities.
The malicious risk is when an app contains unwanted or dangerous behaviors, according to Wysopal. A user downloads what he thinks is a utility, but the app actually contains spyware or unauthorized premium dialing functions, for example. These risks include activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity for exfiltration of data or command and control; user interface impersonation; system modification, such as a rootkit; and a logic or time bomb, according to Wysopals list.
The vulnerabilities in apps include sensitive data leakage; unsafe storage of sensitive data; unsafe transmission of data; and hard-coded passwords/keys, according to the list. The Top 10 is to make people aware like the OWASP Top 10 [Web application security risks]. If youre building a Web app or outsourcing it to someone to build, you want to make sure during the development process that youve done due diligence to make sure you [or they] are testing for the OWASP Top 10. Mobile apps are another place where apps have access to enterprise data, so ... there should be a similar concept for ensuring the apps are secure, Wysopal says.
Wysopal says its a living list, and hopes it can help developers and enterprises.
Kevin Mahaffey, CTO of Lookout, says even skilled developers writing apps for mobile platforms can write apps containing vulnerabilities. Anecdotally, whenever I talk to security folks at large companies responsible for developing mobile apps, software products or [for] financial institutions, one trend I see is a lack of best practices, Mahaffey says. Best practices for writing secure mobile apps goes a long way to producing more secure apps, he says.
Among the main mobile threats Lookout is spotting today in the wild are malware and spyware, malicious websites, and lost and stolen smartphones. Spyware and targeted attacks are the most prevalent. We do see malicious apps, too, in prepackaged versions of legitimate apps, Mahaffey says. Phishing attacks are common, using malicious websites, he says.
But perhaps the biggest problem is lost or stolen phones. Theres so much information on the phone -- lost smartphones are going to be a huge [threat] vector for 2012, he says.
Veracode, meanwhile, also expanded its cloud-based mobile app scanning service this week, adding support for Googles Android (this quarter) and Apples iOS (in the second quarter); the company already provides security verification for RIM BlackBerry and Microsoft Windows Mobile apps.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Getting A Jump On Mobile App Security