Building in mobile application security isn’t easy:
Follow best practices to secure apps up front

Mobile apps have been around for a few years now. We’ve passed the stage when they are just for fun and games – anyone up for some Angry Birds? – and are now for serious business use. There are mobile apps for practically every business function you can think of. Lately I’ve been talking to the people at viaForensics, a security consulting firm that applies forensics proactively to identify security problems in applications. They tell me they are uncovering security problems left and right in different mobile apps and on a variety of mobile platforms. For example, the company has uncovered man-in-the-middle attacks against PayPal; significant issues with residual data in Google Wallet; and problems with mobile banking apps. Given that these applications in particular deal with people’s money, there is no margin for error when it comes to app security.

Andrew Hoog, viaForensics chief investigative officer, says it’s a real challenge to write secure mobile apps. Sometimes developers rely on the security that’s built into the mobile device or platform, and that’s simply not enough.

“If you rely on the system’s built-in security, then you’re creating an application that is vulnerable to attack,” he says. “If you have sensitive data, you have to work within certain constraints on the system, but you have to do more.”

In order to write a really secure mobile app, you have to take a holistic view of the app. Hoog says most developers aren’t doing this. The fact is, mobile devices aren’t like any other kind of computing platform. While a smartphone or tablet might look like a smaller version of a PC, and it might connect to the Internet via a browser, it isn’t the same. For instance, mobile devices have a special kind of memory that is designed to prolong the life of the device. This memory makes a device hang on to information as long as it possibly can because the memory has a limited number of write cycles. As a result, information that is written to the phone’s memory is almost always recoverable — even if the developer thinks it has been deleted. (This is one of the vulnerabilities viaForensics discovered in its analysis of Google Wallet.)

viaForensics has developed a chart that shows “the Anatomy of a Mobile Attack” (see figure). The chart shows all of the areas where an application could be vulnerable to attack or data loss. The main areas are the browser, the phone, the app itself, malware, the network, the Internet, and the back-end web server and database.

With so many areas of vulnerability, it’s not hard to see why creating a truly secure application isn’t an easy chore. That’s why viaForensics has just published its list of best practices for secure mobile app development. The valuable lessons in this free document come from hundreds of engagements viaForensics has had with its clients, primarily testing applications via a forensics analysis service called appSecure. If you have anything to do with creating mobile applications, or know anyone who does, you need to read this compilation of best practices. Just becoming aware of typical failure areas is the first step to creating more secure mobile apps.

Linda Musthaler

About Linda Musthaler

Linda Musthaler is a principal analyst with Essential Solutions Corp. She is a 30-year veteran of the IT industry. Linda has been a regular contributor to Network World magazine for nearly two decades, writing a regular opinion column as well as in-depth feature stories. She currently writes the weekly electronic newsletter Network World IT Best Practices, which has more than 30,000 subscribers worldwide. Over the years, Linda has written for numerous business and IT industry journals. Through Network World she has published buyer’s guides which analyze the markets for various business technologies and assist buyers in identifying the issues and trends that affect their purchase decisions. Linda has worked many different aspects of the computing industry. She started as a computer programmer and has held positions in end user support, systems administration, network implementation, software sales, product evaluations, business requirements analysis, and product and event marketing.
