Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:31 PM
Connect Directly

Getting A Jump On Mobile App Security

OWASP, Veracode, others to pinpoint top mobile threats, best practices for writing more secure mobile apps

More than a decade of playing catch-up in desktop and Web application security could help give mobile applications a leg up in security: Security researchers are moving quickly to instill secure coding know-how for developers of mobile applications and to indoctrinate enterprises on the risks posed by these tools that run on smartphones and other mobile computing devices popping up in enterprises.

"I'm hoping we don't see what happened in the PC world replicated on the iPhone or Android ... We have the opportunity to not let that happen," says Chris Wysopal, CTO at Veracode. Wysopal, a.k.a. "Weld Pond" from his days in the L0pht hacker think tank, says the time is now to address the security of mobile applications. "We have the capability of doing it right this time."

Wysopal has been working with OWASP, the Web application security group, to come up with a Top 10 list of mobile risks and controls. Wysopal, with input from mobile security provider Lookout Security, already had come up with his own list late last year, the "Mobile App Top 10 List" of mobile threats. The goal was to create an industry standard for classifying malicious activity and vulnerabilities in mobile devices.

"Chris' list gives a more holistic view of mobile risks, while ours is focused on addressing risks from an application development perspective," says Mike Zusman, co-project leader for the OWASP Mobile Security Project and managing principal consultant with the Intrepidus Group.

OWASP's draft of its Top 10 Mobile Risks, still a work-in-progress, currently lists insecure or unnecessary client-side data storage as No. 1, followed by lack of data protection in transit; personal data leakage; lack of strong authentication to protect resources; not using least-privilege authorization; client-side injection; client-side denial-of-service; malicious third-party code; client-side buffer overflow; and failure to apply server-side controls.

This project -- a departure from OWASP's Web application security focus -- is a sign of the times, with mobile computing taking hold and OWASP now tackling mobile application security as well. "There is a need for security guidance and leadership in the mobile application development space, and OWASP is in a great position to fill this need," Zusman says.

Jack Mannino, co-project leader for the OWASP Mobile Security Project, points to the overlap between Web apps and mobile app technologies. "Mobile applications make heavy use of Web services, client-side databases, and Web browser components. There are also entire mobile development frameworks based on JavaScript, HTML, and CSS. Fortunately, there is quite a bit of established knowledge in these areas, making OWASP an excellent organization to help promote secure mobile development practices," says Mannino, CEO and founder of nVisium Security. "What we are doing certainly does venture away from what OWASP is known for, but at the same time has enough overlap for it to make sense."

Wysopal's Mobile App Top 10 List is aimed at providing mobile users with a measuring stick for mobile security offerings, as well as threats and vulnerabilities for mobile app developers to look out for when writing their tools. The list is broken into two categories: malicious functionality and vulnerabilities.

The malicious risk is when an app contains unwanted or "dangerous behaviors," according to Wysopal. A user downloads what he thinks is a utility, but the app actually contains spyware or unauthorized premium dialing functions, for example. These risks include activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity for exfiltration of data or command and control; user interface impersonation; system modification, such as a rootkit; and a logic or time bomb, according to Wysopal's list.

The vulnerabilities in apps include sensitive data leakage; unsafe storage of sensitive data; unsafe transmission of data; and hard-coded passwords/keys, according to the list. "The Top 10 is to make people aware like the OWASP Top 10 [Web application security risks]. If you're building a Web app or outsourcing it to someone to build, you want to make sure during the development process that you've done due diligence to make sure you [or they] are testing for the OWASP Top 10. Mobile apps are another place where apps have access to enterprise data, so ... there should be a similar concept" for ensuring the apps are secure, Wysopal says.

Wysopal says it's a "living list," and hopes it can help developers and enterprises.

Kevin Mahaffey, CTO of Lookout, says even skilled developers writing apps for mobile platforms can write apps containing vulnerabilities. "Anecdotally, whenever I talk to security folks at large companies responsible for developing mobile apps, software products or [for] financial institutions, one trend I see is a lack of best practices," Mahaffey says. Best practices for writing secure mobile apps goes a long way to producing more secure apps, he says.

Among the main mobile threats Lookout is spotting today in the wild are malware and spyware, malicious websites, and lost and stolen smartphones. "Spyware and targeted attacks are the most prevalent. We do see malicious apps, too, in prepackaged versions of legitimate apps," Mahaffey says. Phishing attacks are common, using malicious websites, he says.

But perhaps the biggest problem is lost or stolen phones. "There's so much information on the phone -- lost smartphones are going to be a huge [threat] vector for 2012," he says.

Veracode, meanwhile, also expanded its cloud-based mobile app scanning service this week, adding support for Google's Android (this quarter) and Apple's iOS (in the second quarter); the company already provides security verification for RIM BlackBerry and Microsoft Windows Mobile apps.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user.
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and successfully authenticate into the application. Having the va...
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. There is an IFRAME injection vulnerability in Webmail (aka WorldClient). It can be exploited via an email message. It allows an attacker to perform any action with the privileges of the attacked user.
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. Administrators can use Remote Administration to exploit an Arbitrary File Write vulnerability. An attacker is able to create new files in any location of the filesystem, or he may be able to modify existing files. This vulnerability may directly lead...
PUBLISHED: 2021-04-14
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.