Editor's Note: This is the first in a series of new blogs addressing mobile application security. Future installments by the author will address security threats posed by third-party apps and how to address them.
In 1996, my first cellphone provided me with 30 minutes of talk time for $29.99 a month, which I thought was a steal. Back then, little did I know that a few years later I would be focusing on helping organizations to secure applications that run from a "cellphone" and perform tasks such as banking, e-mail, credit card transactions, managing healthcare, etc. There's an app for practically anything you can think of - and a risk.
There's an app for practically anything you can think of - and a risk.
In a matter of 15 years, we have gone from a device that made and received calls to tiny computers in our pockets. There are more than 6 billion cellular subscriptions in the world, and 113 cellphones are lost or stolen in the U.S. every minute of every day.
At this early stage in mobile application development and security, I work primarily with large, global financial institutions, retailers and service providers that want to provide their customers with applications that are easy-to-use and always available on their mobile devices, while providing some assurance of the security and privacy of their data. It's critical to understand that these devices are not in the users' custody all of the time, and this increases the likelihood of them being lost or stolen. This enables an untrusted party to access an organization's data. In addition, mobile operating systems are relatively immature and contain well-documented vulnerabilities.
So, how do we provide mobile applications to our users that fulfill their need for immediate access, but also provide them with the assurance that their information is safe?
Mobile applications have threats, vulnerabilities and risks similar to those that are posed by typical web and client/server applications. However, due to the inherent nature of devices being small, smart and portable, mobile applications demand additional focus in protecting data from potential attackers. Here are four key areas to focus on when thinking about mobile application development and security.
Understand the Unique Threats
Mobile devices pose unique threats. Think for a minute about walking into a coffee shop and grabbing a large redeye or caramel macchiato and finding a seat next to a power supply. Next to it is someone with every gadget known to man. They get up to go get a refill, leaving all the gadgets sitting there, ready to be plucked by an unsavory character. What are the implications to your application that's sitting on one of his mobile devices? It would take less than a minute for the bad guy to access the device. It's highly likely, if not certain, there is data on the device that would compromise the victim's identity. As someone who frequents coffee shops in many parts of the country, I see people leave their devices unattended practically every day. We need to account for this risk, which leads to the next point.
Implement Strong Application Security at the Outset
Activities such as secure architecture and design reviews, threat modeling, secure code review and penetration testing have their place in providing great assurance that our applications have a great security posture. In way too many cases, I have seen mobile applications being rushed to market. As a result, all of our defined processes and procedures are shortened because being first-to-market seemed like the right thing to do. We know from experience that it is less expensive and faster to leverage our well-defined security activities, which are designed to prevent vulnerabilities in the first place.
Do Not Allow Sensitive Data to be Stored on Devices
Always store sensitive data on server-side systems and not on the mobile device. The chances of this data being lost or stolen is very high, and it should never be stored on the device without careful consideration and putting the proper controls into place. The reason is mobile devices accompany us on our excursions to work, home, the airport, coffee shops, restaurants and everywhere else we may go. Devices are frequently lost or stolen, which could lead to the loss of sensitive data if not properly secured.
Understand Mobile Operating Systems
There are many built-in "features" of mobile operating systems that may have an impact on how you should develop your applications. For instance, in Apple's iOS, a snapshot is taken of the current screen when an application is backgrounded. This snapshot is stored on the file system. Imagine if the screen shot contained sensitive data. This is just one of the many operating system features developers should understand.
Mobile device usage will continue to evolve and grow. Businesses are even starting development of mobile intranet applications. Between Google and Apple's respective application stores, there are close to 1.5 million mobile applications serving more than 25 billion downloads. The importance of securing our mobile applications will only intensify as the proliferation of mobile devices and applications overtake business. We need to take our time to create secure applications now to be one step ahead of what the next big mobile attack may be.
Lindner is the global practice manager, mobile application security services, for Aspect Security, a consulting firm based in Maryland that focuses exclusively on application security services and training for a worldwide clientele. He also serves as an OWASP Top Ten Mobile Project contributor and Mobile Testing Guide contributor.