Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:31 PM
Connect Directly

Getting A Jump On Mobile App Security

OWASP, Veracode, others to pinpoint top mobile threats, best practices for writing more secure mobile apps

More than a decade of playing catch-up in desktop and Web application security could help give mobile applications a leg up in security: Security researchers are moving quickly to instill secure coding know-how for developers of mobile applications and to indoctrinate enterprises on the risks posed by these tools that run on smartphones and other mobile computing devices popping up in enterprises.

"I'm hoping we don't see what happened in the PC world replicated on the iPhone or Android ... We have the opportunity to not let that happen," says Chris Wysopal, CTO at Veracode. Wysopal, a.k.a. "Weld Pond" from his days in the L0pht hacker think tank, says the time is now to address the security of mobile applications. "We have the capability of doing it right this time."

Wysopal has been working with OWASP, the Web application security group, to come up with a Top 10 list of mobile risks and controls. Wysopal, with input from mobile security provider Lookout Security, already had come up with his own list late last year, the "Mobile App Top 10 List" of mobile threats. The goal was to create an industry standard for classifying malicious activity and vulnerabilities in mobile devices.

"Chris' list gives a more holistic view of mobile risks, while ours is focused on addressing risks from an application development perspective," says Mike Zusman, co-project leader for the OWASP Mobile Security Project and managing principal consultant with the Intrepidus Group.

OWASP's draft of its Top 10 Mobile Risks, still a work-in-progress, currently lists insecure or unnecessary client-side data storage as No. 1, followed by lack of data protection in transit; personal data leakage; lack of strong authentication to protect resources; not using least-privilege authorization; client-side injection; client-side denial-of-service; malicious third-party code; client-side buffer overflow; and failure to apply server-side controls.

This project -- a departure from OWASP's Web application security focus -- is a sign of the times, with mobile computing taking hold and OWASP now tackling mobile application security as well. "There is a need for security guidance and leadership in the mobile application development space, and OWASP is in a great position to fill this need," Zusman says.

Jack Mannino, co-project leader for the OWASP Mobile Security Project, points to the overlap between Web apps and mobile app technologies. "Mobile applications make heavy use of Web services, client-side databases, and Web browser components. There are also entire mobile development frameworks based on JavaScript, HTML, and CSS. Fortunately, there is quite a bit of established knowledge in these areas, making OWASP an excellent organization to help promote secure mobile development practices," says Mannino, CEO and founder of nVisium Security. "What we are doing certainly does venture away from what OWASP is known for, but at the same time has enough overlap for it to make sense."

Wysopal's Mobile App Top 10 List is aimed at providing mobile users with a measuring stick for mobile security offerings, as well as threats and vulnerabilities for mobile app developers to look out for when writing their tools. The list is broken into two categories: malicious functionality and vulnerabilities.

The malicious risk is when an app contains unwanted or "dangerous behaviors," according to Wysopal. A user downloads what he thinks is a utility, but the app actually contains spyware or unauthorized premium dialing functions, for example. These risks include activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity for exfiltration of data or command and control; user interface impersonation; system modification, such as a rootkit; and a logic or time bomb, according to Wysopal's list.

The vulnerabilities in apps include sensitive data leakage; unsafe storage of sensitive data; unsafe transmission of data; and hard-coded passwords/keys, according to the list. "The Top 10 is to make people aware like the OWASP Top 10 [Web application security risks]. If you're building a Web app or outsourcing it to someone to build, you want to make sure during the development process that you've done due diligence to make sure you [or they] are testing for the OWASP Top 10. Mobile apps are another place where apps have access to enterprise data, so ... there should be a similar concept" for ensuring the apps are secure, Wysopal says.

Wysopal says it's a "living list," and hopes it can help developers and enterprises.

Kevin Mahaffey, CTO of Lookout, says even skilled developers writing apps for mobile platforms can write apps containing vulnerabilities. "Anecdotally, whenever I talk to security folks at large companies responsible for developing mobile apps, software products or [for] financial institutions, one trend I see is a lack of best practices," Mahaffey says. Best practices for writing secure mobile apps goes a long way to producing more secure apps, he says.

Among the main mobile threats Lookout is spotting today in the wild are malware and spyware, malicious websites, and lost and stolen smartphones. "Spyware and targeted attacks are the most prevalent. We do see malicious apps, too, in prepackaged versions of legitimate apps," Mahaffey says. Phishing attacks are common, using malicious websites, he says.

But perhaps the biggest problem is lost or stolen phones. "There's so much information on the phone -- lost smartphones are going to be a huge [threat] vector for 2012," he says.

Veracode, meanwhile, also expanded its cloud-based mobile app scanning service this week, adding support for Google's Android (this quarter) and Apple's iOS (in the second quarter); the company already provides security verification for RIM BlackBerry and Microsoft Windows Mobile apps.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.