informa
News

Secure Coding Practices Out The Window With Mobile Apps

Developers not applying secure development life cycle practices in mobile app production
With every business from the tiniest SMB to the largest enterprise looking to plant its flag in the ground with regard to mobile applications, the mobile app development boom is on in a very big way. Amid this blind rush to beat the competition to the market, mobile developers are feeling their way around in the dark -- and with a development environment still in its infancy and no real standards to lead the way, it's an adventure for all parties involved.

Particularly scary to many security professionals is the fact that the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps.

"Rapid and Agile Development causes changes to happen in very short iterations, thus security gets overlooked and becomes a nice thing to do but rarely gets done. This happens at large corporations -- look at Google Wallet and, even worse, startups," says Tyler Rorabaugh, director of engineering at application security firm Cenzic. "When TechCrunch announces the hottest new startup of the day, week, month, almost every single one of those companies lack the secure coding practices and are rarely even concerned until something goes wrong. Most of the time they are not even aware of these issues."

According to Rorabaugh, big mobile platform vendors like Apple and Google have only just now started to think about secure mobile coding and "have mainly been interested more in looking the other way."

The difficulty is that even for established firms that are aware of their risks and want to securely code their mobile apps, there are few standards for development and very few tools for testing code for vulnerabilities.

"Some of our clients are developing mobile applications to be introduced to their customers, and we are doing reviews of those to make sure they're secure before they get rolled out," says Scott Laliberte, managing director with security consulting firm Protiviti. "That has required us to rethink our application-testing methodologies because testing mobile apps is quite a bit different than testing normal applications. Identifying the key risks and the technologies you need to use to test it properly is a challenge, and lack of standards is another big challenge."

As a result, mobile applications are already starting to flood the market with major vulnerabilities that put customers and business resources at risk. For example, Rorabaugh says mobile apps developers aren't testing the mobile services that mobile apps are using in the cloud and are introducing a whole spate of encryption flaws through their apps, such as leaving unencrypted passwords in data cache files. In fact, last August, digital forensics and security firm viaForensics reported that 76 percent of popular consumer applications running on Android and iOS devices stored passwords in plain text

"Local apps are storing too much data on phones in a nonencrypted format," Rorabaugh says, explaining that even if passwords are encrypted, now attackers "have all of your other information, like Social Security number and credit card information."

OWASP has been working on mobile app security. OWASP's Mobile Security Project aims to offer developers and security teams tools and resources for writing and supporting secure mobile apps. The Project includes a threat model, training, and platform-specific guidelines.

But meanwhile, mobile app vulnerabilities are showing signs of growing pains. Google Wallet, for example, was shown in a different viaForensics report in December to be storing all sensitive information except for credit cards locally on the devices in plain text.

And just today, news hit the wire that an engineering employee at Web categorization vendor zvelo easily cracked the PIN at Google Wallet on rooted smartphones.

As organizations release applications that tap into more sensitive information and tap into payment systems like Google Wallets does, they need to be mindful of the inherent risks, Rorabaugh says.

"Don’t skip security just because you need a release ASAP; rather, look at the places where you can be most liable or at risk," he says. He encourages organizations to test both the client and services portion of the mobile application using a combination of both dynamic and static testing technology and both internal and external test teams.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: