Mobile apps have been around for a few years now. We’ve passed the stage when they are just for fun and games – anyone up for some Angry Birds? – and are now for serious business use. There are mobile apps for practically every business function you can think of. Lately I’ve been talking to the people at viaForensics, a security consulting firm that applies forensics proactively to identify security problems in applications. They tell me they are uncovering security problems left and right in different mobile apps and on a variety of mobile platforms. For example, the company has uncovered man-in-the-middle attacks against PayPal; significant issues with residual data in Google Wallet; and problems with mobile banking apps. Given that these applications in particular deal with people’s money, there is no margin for error when it comes to app security.
Andrew Hoog, viaForensics chief investigative officer, says it’s a real challenge to write secure mobile apps. Sometimes developers rely on the security that’s built into the mobile device or platform, and that’s simply not enough.
“If you rely on the system’s built-in security, then you’re creating an application that is vulnerable to attack,” he says. “If you have sensitive data, you have to work within certain constraints on the system, but you have to do more.”
In order to write a really secure mobile app, you have to take a holistic view of the app. Hoog says most developers aren’t doing this. The fact is, mobile devices aren’t like any other kind of computing platform. While a smart phone or tablet might look like a smaller version of a PC, and it might connect to the Internet via a browser, it isn’t the same. For instance, mobile devices use a special kind of memory that is designed to prolong the life of the device. Because this memory has limited read/write capabilities, the device hangs on to information as long as it possibly can. As a result, information that is written to the phone’s memory is almost always recoverable — even if the developer thinks it has been deleted. (This is one of the vulnerabilities viaForensics discovered in its analysis of Google Wallet.)
viaForensics has developed a chart that shows “the Anatomy of a Mobile Attack” (see figure). The chart shows all of the areas where an application could be vulnerable to attack or data loss. The main areas are the browser, the phone, the app itself, malware, the network, the Internet, and the back-end web server and database.
With so many areas of vulnerability, it’s not hard to see why creating a truly secure application isn’t an easy chore. That’s why viaForensics has just published its list of best practices for secure mobile app development. The valuable lessons in this free document come from hundreds of engagements viaForensics has had with its clients, primarily testing applications via a forensics analysis service called appSecure. If you have anything to do with creating mobile applications, or know anyone who does, you need to read this compilation of best practices. Just becoming aware of typical failure areas is the first step to creating more secure mobile apps.