Dan Cornell (US) - Four Security Concerns Enterprises Developing Mobile Applications Must Address

The availability of advanced smartphone and tablet platforms has created opportunities for organizations to develop new classes of applications in support of their customers and employees. The integration of technologies such as cameras, GPS location and audio recording, as well as access to network resources, allows organizations to build innovative solutions that exceed the bounds of what was previously possible. However, this additional capability comes with added risk. As sensitive data and operations move from servers to mobile devices, there is a greater opportunity for data breaches and the exposure of other security vulnerabilities. Enterprises deploying custom mobile applications must therefore address a variety of issues, such as:

1. Sensitive data stored on devices - The portability that makes mobile devices such an attractive development platform also makes the storage of sensitive data much more challenging, because devices are prone to loss or theft. Sensitive data stored on a device is likely to be compromised in these circumstances, because an attacker who recovers the device has unfettered access to the hardware. Even encrypted data may be at risk because of application key handling and data storage issues, for example when the application keeps the decryption key alongside the data it protects, or when plaintext copies of the data leak into caches, logs or backups.

2. Failure to protect network communications - Mobile devices often communicate over a variety of wireless networks, including carrier networks and both benign and malicious WiFi networks. As a result, sensitive data passed in the clear across these networks is subject to sniffing and capture. Encrypting the channel only helps if the client also validates the server's certificate; otherwise an attacker on the network path can impersonate the server and read the traffic anyway.

3. Reliance on client-side security controls to protect server-side assets - Attackers can typically gain access to running mobile applications on jailbroken or rooted devices, as well as to application binaries. They can use this access to identify the network services those applications call, then bypass the application entirely and attack those services directly. Network services deployed in support of mobile applications without server-side protections such as authentication and authorization are therefore attractive targets for exploitation: any check the application performs on the client, such as hiding a function from a user or validating input, can be skipped by a client the attacker controls.

4. Exposure of sensitive intellectual property - An attacker who obtains a mobile application binary may be able to reverse engineer it and trace the application logic. Sensitive algorithms or other intellectual property embedded in the application can then be exposed, so logic that must remain secret is better kept on the server than shipped in the client.
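As an added example illustrating the third concern above (this is not code from the article or from Denim Group), the Python sketch below shows a back-end request handler that relies on the mobile client to say who the user is, beside a version that authenticates and authorizes on the server. The request shape, the account data and the session tokens are constructed for the illustration; the weak handler "works" when exercised through the app, because the app only ever fills in the logged-in user's name, and fails only when an attacker who has pulled the service endpoint out of the binary calls it directly.

```python
"""Client-trusting versus server-enforced authorization for a mobile back end.

Requests are plain dicts standing in for HTTP requests. All accounts and
tokens below are constructed sample data for this example.
"""

import hmac

# Constructed sample data: two users and the bearer tokens the server issued
# to each of them at login. Tokens are the only proof of identity the
# hardened handler accepts.
ACCOUNTS = {
    "alice": {"balance": 1200},
    "bob": {"balance": 75},
}
SESSION_TOKENS = {
    "tok-alice-7f3a": "alice",
    "tok-bob-91c2": "bob",
}


def weak_get_balance(request):
    """Vulnerable: the server trusts the 'user' field the client sends.

    The mobile app always sends the logged-in user's own name, so this passes
    testing through the app. Anyone calling the endpoint directly can name
    any account, and no credential is required at all.
    """
    user = request.get("body", {}).get("user")
    if user not in ACCOUNTS:
        return {"status": 404}
    return {"status": 200, "balance": ACCOUNTS[user]["balance"]}


def _authenticate(request):
    """Resolve the caller's identity from a server-issued bearer token only."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison so the check does not leak how much of a
    # guessed token matched; a real service would look up a token hash.
    for known, user in SESSION_TOKENS.items():
        if hmac.compare_digest(known, presented):
            return user
    return None


def hardened_get_balance(request):
    """Fixed: identity comes from authentication, and the resource is
    authorized against that identity regardless of what the body claims."""
    caller = _authenticate(request)
    if caller is None:
        return {"status": 401}
    # Authorization: a caller may read only their own balance. Any 'user'
    # field in the body is ignored, so the client cannot choose a target.
    return {"status": 200, "balance": ACCOUNTS[caller]["balance"]}


def attacker_reads_other_account(handler):
    """A request crafted outside the app: Bob's token, asking for Alice."""
    request = {
        "headers": {"Authorization": "Bearer tok-bob-91c2"},
        "body": {"user": "alice"},
    }
    return handler(request)


def anonymous_reads_account(handler):
    """A request with no credential at all, naming Alice's account."""
    request = {"headers": {}, "body": {"user": "alice"}}
    return handler(request)


if __name__ == "__main__":
    for name, handler in (("weak", weak_get_balance),
                          ("hardened", hardened_get_balance)):
        print(name, "cross-account:", attacker_reads_other_account(handler))
        print(name, "anonymous:   ", anonymous_reads_account(handler))
```

Against the weak handler both crafted requests return Alice's balance of 1200; against the hardened handler the anonymous request is rejected with 401 and Bob's request returns only Bob's own balance of 75, because the server never lets the client pick the account.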

Organizations building and fielding mobile applications for their customers and employees should proactively address the associated risks. Practices such as integrating threat modeling into the software development lifecycle can help to identify potential issues during the design stage of application development and minimize costly post-deployment remediation. Developer security training can be particularly valuable for mobile application developers, who may not be versed in secure design and development practices and may also be developing applications for unfamiliar platforms with unknown security characteristics. Security testing of mobile applications and their associated server-side infrastructure is also an important check that the security efforts made during design and development were successful. Finally, having appropriate monitoring and incident management capabilities can help alert organizations to attacks in progress, as well as help them respond to vulnerability reports in an organized manner. By addressing security concerns for mobile applications proactively, organizations can reap the benefits of creating new and innovative applications without exposing themselves to undue risk.

Further information about security for mobile applications can be found at www.smartphonesdumbapps.com. The site contains videos, presentation slides and links to example code for analyzing the security of mobile applications.

Dan Cornell is the Co-Founder and Chief Technology Officer of Denim Group. Follow Dan on Twitter @danielcornell.

