Getting A Jump On Mobile App Security

More than a decade of playing catch-up in desktop and Web application security could help give mobile applications a leg up in security: Security researchers are moving quickly to instill secure coding know-how for developers of mobile applications and to indoctrinate enterprises on the risks posed by these tools that run on smartphones and other mobile computing devices popping up in enterprises.

"I'm hoping we don't see what happened in the PC world replicated on the iPhone or Android ... We have the opportunity to not let that happen," says Chris Wysopal, CTO at Veracode. Wysopal, a.k.a. "Weld Pond" from his days in the L0pht hacker think tank, says the time is now to address the security of mobile applications. "We have the capability of doing it right this time."

Wysopal has been working with OWASP, the Web application security group, to come up with a Top 10 list of mobile risks and controls. Wysopal, with input from mobile security provider Lookout Security, already had come up with his own list late last year, the "Mobile App Top 10 List" of mobile threats. The goal was to create an industry standard for classifying malicious activity and vulnerabilities in mobile devices.

"Chris' list gives a more holistic view of mobile risks, while ours is focused on addressing risks from an application development perspective," says Mike Zusman, co-project leader for the OWASP Mobile Security Project and managing principal consultant with the Intrepidus Group.

OWASP's draft of its Top 10 Mobile Risks, still a work-in-progress, currently lists insecure or unnecessary client-side data storage as No. 1, followed by lack of data protection in transit; personal data leakage; lack of strong authentication to protect resources; not using least-privilege authorization; client-side injection; client-side denial-of-service; malicious third-party code; client-side buffer overflow; and failure to apply server-side controls.

This project -- a departure from OWASP's Web application security focus -- is a sign of the times, with mobile computing taking hold and OWASP now tackling mobile application security as well. "There is a need for security guidance and leadership in the mobile application development space, and OWASP is in a great position to fill this need," Zusman says.

Jack Mannino, co-project leader for the OWASP Mobile Security Project, points to the overlap between Web apps and mobile app technologies. "Mobile applications make heavy use of Web services, client-side databases, and Web browser components. There are also entire mobile development frameworks based on JavaScript, HTML, and CSS. Fortunately, there is quite a bit of established knowledge in these areas, making OWASP an excellent organization to help promote secure mobile development practices," says Mannino, CEO and founder of nVisium Security. "What we are doing certainly does venture away from what OWASP is known for, but at the same time has enough overlap for it to make sense."

Wysopal's Mobile App Top 10 List is aimed at providing mobile users with a measuring stick for mobile security offerings, as well as threats and vulnerabilities for mobile app developers to look out for when writing their tools. The list is broken into two categories: malicious functionality and vulnerabilities.

The malicious risk is when an app contains unwanted or "dangerous behaviors," according to Wysopal. A user downloads what he thinks is a utility, but the app actually contains spyware or unauthorized premium dialing functions, for example. These risks include activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity for exfiltration of data or command and control; user interface impersonation; system modification, such as a rootkit; and a logic or time bomb, according to Wysopal's list.

The vulnerabilities in apps include sensitive data leakage; unsafe storage of sensitive data; unsafe transmission of data; and hard-coded passwords/keys, according to the list. "The Top 10 is to make people aware like the OWASP Top 10 [Web application security risks]. If you're building a Web app or outsourcing it to someone to build, you want to make sure during the development process that you've done due diligence to make sure you [or they] are testing for the OWASP Top 10. Mobile apps are another place where apps have access to enterprise data, so ... there should be a similar concept" for ensuring the apps are secure, Wysopal says.

Wysopal says it's a "living list," and hopes it can help developers and enterprises.

Kevin Mahaffey, CTO of Lookout, says even skilled developers writing apps for mobile platforms can write apps containing vulnerabilities. "Anecdotally, whenever I talk to security folks at large companies responsible for developing mobile apps, software products or [for] financial institutions, one trend I see is a lack of best practices," Mahaffey says. Best practices for writing secure mobile apps goes a long way to producing more secure apps, he says.

Among the main mobile threats Lookout is spotting today in the wild are malware and spyware, malicious websites, and lost and stolen smartphones. "Spyware and targeted attacks are the most prevalent. We do see malicious apps, too, in prepackaged versions of legitimate apps," Mahaffey says. Phishing attacks are common, using malicious websites, he says.

But perhaps the biggest problem is lost or stolen phones. "There's so much information on the phone -- lost smartphones are going to be a huge [threat] vector for 2012," he says.

Veracode, meanwhile, also expanded its cloud-based mobile app scanning service this week, adding support for Google's Android (this quarter) and Apple's iOS (in the second quarter); the company already provides security verification for RIM BlackBerry and Microsoft Windows Mobile apps.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.