Security precautions for mobile business applications
By ForHacSec.com columnist – Fergal Glynn at Veracode.com
Mobile applications have become one of the hottest trends, but this has come at a price. The sharp rise in popularity means businesses are rushing their apps to market while security takes a back seat. Neither the developers nor the app stores test web applications before offering them to the public, and this comes with a whole host of side effects. When you consider that an estimated 50% of all smartphone users connect their phones to a corporate network, this is disastrous.
At the source of the issue is the failure of developers and businesses to remember that security is not a feature; it is a process. Think of a mobile device as a bag with holes in it, and the information it contains as priceless diamonds. The bag is overflowing, and it is your job to keep the diamonds protected and inside it.
Phone security is divided into four separate sections called the Security Stack. The top layers rely on the lower ones for their security. Think of it like a tower made of blocks.
Infrastructure Layer – At the bottom of the stack is the infrastructure layer. This is generally managed by the infrastructure provider (mobile carrier), but it also includes the integration between the infrastructure and the handset.
Hardware Layer – This layer is the equipment used to operate the system and access the infrastructure. Often referred to as the firmware, it is upgraded and controlled by the device’s manufacturer.
Operating System Layer – The operating system layer works between the applications and the hardware. It’s generally upgraded and maintained by the device manufacturer. This layer is often targeted by attackers.
Application Layer – This layer contains all the programs users interact with, and therefore all the processes running on the operating system. These are installed both before and after shipping, by manufacturers and by users. It is also where issues such as bad data usage and storage, poor cryptographic algorithms, buffer overflows, and other flaws appear.
Get familiar with application flaws
The first step towards creating secure mobile business applications is to know what the threats are. Resources like Common Attack Pattern Enumeration and Classification (CAPEC) and OWASP are good places to start. Once you know what the dangers are, you can prevent them right from the planning stage.
Don’t make the mistake of thinking developers are the only ones who need to think about mobile code security. It should be a main concern right from the planning stage through to maintenance, and involve everyone from the hosting company to the distributor.
Follow standards and generally accepted practices
There is no single set of standards you must satisfy to gain market approval, but there are best practices and individual sets of standards you can follow to increase the security of your mobile business application.
Materials you might want to check out include things like Extensible Access Control Markup Language (XACML), PCI Security Standards, and phone-specific standards such as MSN’s guide for Windows phones.
Mobile applications have different concerns and requirements
The risks associated with mobile applications are similar to those that affect desktop applications, but their unique set of communication functions creates an additional set of risks and concerns to consider.
Security weaknesses for mobile applications typically fall into two major categories:
Malicious functionality. This is generally installed via a Trojan application that mimics a game or utility. Inside such an application is spyware, a phishing UI or unauthorized premium dialing. It can involve the following functions:
- Activity monitoring
- Data retrieval
- Unauthorized dialing
- Unauthorized SMS messages
- Unauthorized payments
- Unauthorized network connections through exfiltration or command and control
- False User Interfaces
- System modifications such as rootkits or APN proxy configs
- Logic or time bomb.
Vulnerabilities. These are errors in design and implementation, caused in part by a rush to market to take advantage of popular trends. They expose users to interception and information retrieval by attackers, and create opportunities for information to leak from the device to unauthorized parties. They include:
- Inadvertent or side channel data leakage
- Poor data storage
- Unsafe data transmission
- Hardcoded passwords and/or keys.
Test, test and test
Regardless of how you choose to do it, you need to test applications thoroughly for security flaws. However, don't forget the other layers in the security stack. Each layer has its own security mechanisms in place to protect users and the layers above it. So, check whether these can help make your mobile business application more secure, and whether they sufficiently meet the needs of your application.
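As an added example (not code from the article or from Veracode), here is a small Python source scanner that flags the four vulnerability classes listed above (hardcoded credentials, unsafe transmission, poor storage, side channel leakage via logs) in constructed sample lines of mobile app source; the sample lines and the rule patterns are assumptions, and a check like this supplements, rather than replaces, the testing this section calls for.

```python
import re

# Constructed sample of mobile app source lines (not taken from any real app),
# one line per vulnerability class from the article plus one safe line.
SAMPLE_SOURCE = """\
API_KEY = "CONSTRUCTED-KEY-12345"
password = "hunter2"
url = "http://api.example.com/login"
prefs = context.getSharedPreferences("auth", Context.MODE_WORLD_READABLE)
Log.d("Auth", "token=" + session_token)
safe_url = "https://api.example.com/login"
"""

# Each rule maps to one category from the article's vulnerability list.
# The patterns are deliberately simple assumptions; real scanners do more.
RULES = [
    ("hardcoded credential",
     re.compile(r"""\b(api[_-]?key|password|secret|token)\s*=\s*["'][^"']+["']""", re.I)),
    ("unsafe data transmission",          # cleartext HTTP endpoint
     re.compile(r"""["']http://""", re.I)),
    ("poor data storage",                 # world-readable/writeable app storage
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("side channel data leakage",         # secrets written to the device log
     re.compile(r"\bLog\.[dviwe]\(.*(token|password|secret)", re.I)),
]


def scan(source: str):
    """Return (line_number, category, line_text) for every rule match."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
    return findings


def summarize(findings):
    """Count findings per category so a build can fail on any non-zero class."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, category, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {category}: {text}")
    print(summarize(scan(SAMPLE_SOURCE)))
```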
Mobile web applications aren’t something you can release and forget about. Security and the dangers users face are always changing, so be sure to monitor, maintain, and update your application regularly to keep everyone safe.