Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/11/2011
01:31 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Getting A Jump On Mobile App Security

OWASP, Veracode, others to pinpoint top mobile threats, best practices for writing more secure mobile apps

More than a decade of playing catch-up in desktop and Web application security could help give mobile applications a leg up in security: Security researchers are moving quickly to instill secure coding know-how for developers of mobile applications and to indoctrinate enterprises on the risks posed by these tools that run on smartphones and other mobile computing devices popping up in enterprises.

"I'm hoping we don't see what happened in the PC world replicated on the iPhone or Android ... We have the opportunity to not let that happen," says Chris Wysopal, CTO at Veracode. Wysopal, a.k.a. "Weld Pond" from his days in the L0pht hacker think tank, says the time is now to address the security of mobile applications. "We have the capability of doing it right this time."

Wysopal has been working with OWASP, the Web application security group, to come up with a Top 10 list of mobile risks and controls. Wysopal, with input from mobile security provider Lookout Security, already had come up with his own list late last year, the "Mobile App Top 10 List" of mobile threats. The goal was to create an industry standard for classifying malicious activity and vulnerabilities in mobile devices.

"Chris' list gives a more holistic view of mobile risks, while ours is focused on addressing risks from an application development perspective," says Mike Zusman, co-project leader for the OWASP Mobile Security Project and managing principal consultant with the Intrepidus Group.

OWASP's draft of its Top 10 Mobile Risks, still a work-in-progress, currently lists insecure or unnecessary client-side data storage as No. 1, followed by lack of data protection in transit; personal data leakage; lack of strong authentication to protect resources; not using least-privilege authorization; client-side injection; client-side denial-of-service; malicious third-party code; client-side buffer overflow; and failure to apply server-side controls.

This project -- a departure from OWASP's Web application security focus -- is a sign of the times, with mobile computing taking hold and OWASP now tackling mobile application security as well. "There is a need for security guidance and leadership in the mobile application development space, and OWASP is in a great position to fill this need," Zusman says.

Jack Mannino, co-project leader for the OWASP Mobile Security Project, points to the overlap between Web apps and mobile app technologies. "Mobile applications make heavy use of Web services, client-side databases, and Web browser components. There are also entire mobile development frameworks based on JavaScript, HTML, and CSS. Fortunately, there is quite a bit of established knowledge in these areas, making OWASP an excellent organization to help promote secure mobile development practices," says Mannino, CEO and founder of nVisium Security. "What we are doing certainly does venture away from what OWASP is known for, but at the same time has enough overlap for it to make sense."

Wysopal's Mobile App Top 10 List is aimed at providing mobile users with a measuring stick for mobile security offerings, as well as threats and vulnerabilities for mobile app developers to look out for when writing their tools. The list is broken into two categories: malicious functionality and vulnerabilities.

The malicious risk is when an app contains unwanted or "dangerous behaviors," according to Wysopal. A user downloads what he thinks is a utility, but the app actually contains spyware or unauthorized premium dialing functions, for example. These risks include activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity for exfiltration of data or command and control; user interface impersonation; system modification, such as a rootkit; and a logic or time bomb, according to Wysopal's list.

The vulnerabilities in apps include sensitive data leakage; unsafe storage of sensitive data; unsafe transmission of data; and hard-coded passwords/keys, according to the list. "The Top 10 is to make people aware like the OWASP Top 10 [Web application security risks]. If you're building a Web app or outsourcing it to someone to build, you want to make sure during the development process that you've done due diligence to make sure you [or they] are testing for the OWASP Top 10. Mobile apps are another place where apps have access to enterprise data, so ... there should be a similar concept" for ensuring the apps are secure, Wysopal says.

Wysopal says it's a "living list," and hopes it can help developers and enterprises.

Kevin Mahaffey, CTO of Lookout, says even skilled developers writing apps for mobile platforms can write apps containing vulnerabilities. "Anecdotally, whenever I talk to security folks at large companies responsible for developing mobile apps, software products or [for] financial institutions, one trend I see is a lack of best practices," Mahaffey says. Best practices for writing secure mobile apps goes a long way to producing more secure apps, he says.

Among the main mobile threats Lookout is spotting today in the wild are malware and spyware, malicious websites, and lost and stolen smartphones. "Spyware and targeted attacks are the most prevalent. We do see malicious apps, too, in prepackaged versions of legitimate apps," Mahaffey says. Phishing attacks are common, using malicious websites, he says.

But perhaps the biggest problem is lost or stolen phones. "There's so much information on the phone -- lost smartphones are going to be a huge [threat] vector for 2012," he says.

Veracode, meanwhile, also expanded its cloud-based mobile app scanning service this week, adding support for Google's Android (this quarter) and Apple's iOS (in the second quarter); the company already provides security verification for RIM BlackBerry and Microsoft Windows Mobile apps.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14540
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-16332
PUBLISHED: 2019-09-15
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
CVE-2019-16333
PUBLISHED: 2019-09-15
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
CVE-2019-16334
PUBLISHED: 2019-09-15
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
CVE-2019-16335
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.