4 Tips to Improve Mobile App Security
Force a Change in How Your Organization Secures Applications
There are over 1.5 million applications available in public mobile app stores. This number doesn't take into account the hundreds of applications within organizations that are available to internal personnel.
With organizations racing to be the first-to-market with the latest, coolest app, they are forgetting something critically important: applying security principles in the development and deployment. We must ensure that our mobile application projects put security at the forefront and not forget about it entirely.
With the utmost certainty, I can state, unequivocally, that every mobile device has an insecure application on it. New apps are being downloaded at stunning speed, faster and in greater numbers than at any time in history. During Christmas week 2012, 1.76 billion apps were downloaded from the Apple App Store and the Google Play Store, and 50 million new iOS and Android mobile devices were activated.
How to Know What You Don't Know
Many organizations have the foresight to provide continuous training to their development staff so that they can reliably produce better, more secure code. Educational options such as in-person, hands-on training and eLearning solutions are beneficial, and we are starting to see certain types of vulnerabilities crop up less often.
On average, it costs $1,000 to find a vulnerability and $4,000 to fix it. It's much more cost-effective to teach developers how to build security in at the outset. Certain classes of vulnerabilities, such as SQL Injection, were first discovered over a decade ago, yet continue to be pervasive. With better education and training, developers should be able to eradicate certain vulnerabilities from their organizations and not have the same issues crop up repeatedly.
While mobile development isn't any different from other application development efforts, it isn't treated the same. On average, we discover 11.6 vulnerabilities in every mobile application our practice verifies, in code that's just like yours. Mobile applications present both new and existing threats. Understanding the key differences between operating systems and their Application Programming Interfaces (APIs) is critical to creating secure mobile applications. There are many great mobile application security courses available for your organization's consideration. With over 1,000 vulnerability types in existence today, developers cannot possibly be expected to create defensible applications without proper training.
Force Change in Application Security
Most organizations with application security programs have plenty of best practices, programming standards and the like, but all of these are specific to web applications or client/server applications. These practices must be updated and applied to mobile technologies. Is your organization using iOS, Android, BlackBerry, Windows Phone 8, etc.? There are many ways to build and enforce your mobile application security program. Here are four things you can do:
- Develop Mobile Security Standards - And Apply Them! All organizations have some form of standards and guidelines for developers to follow when creating applications. However, their details are oftentimes not focused on security, and in most cases there is no mention of mobile applications. There are differences between Android and iOS in how you ensure that auto-complete is turned off or that password fields are appropriately protected, just as we would worry about in a browser. We must ensure that we have solid security standards and guidelines for all of the technologies that are in use. Do your standards and guidelines make mention of security or mobile security? Check out the OWASP Mobile App Sec Project for good, free resources to help you.
- Perform Design/Architecture Reviews with Threat Modeling - In general, applications are becoming increasingly complex, using cutting-edge technologies and more backend resources. With the addition of the mobile channel, another level of complexity is added to infrastructure that is highly intricate to begin with. In some cases, applications add new infrastructure, or use or enhance existing infrastructure, to support the new mobile channel. Adding a mobile channel requires a thorough design and architecture review with an emphasis on threat modeling. We must understand the new threat landscape that comes with mobile applications and the potential risks to the business. Thorough design and architecture reviews that include threat modeling help uncover potential risks before an application goes live, so that remediation activities can be performed accordingly.
- Conduct a Manual Verification - After we've performed design/architecture reviews with threat modeling, it's time to conduct some level of manual verification. The scope and level of rigor will be determined by the amount of risk posed by the application. The application's size and complexity will determine how many levels of verification are needed, through iterative code reviews and penetration testing. Organizations must engage mobile verification experts to work alongside internal teams. Companies should also have an eye towards building a strong testing group from within.
- Complete Dynamic and Static Verification - Dynamic and static verification techniques for mobile are still in their infancy and, as such, very little is available for the dynamic verification of mobile apps. However, that does not mean that these two security activities don't fit into the secure mobile development process. As these technologies become more mainstream and efficient, we should make sure to evaluate our mobile code during development using static approaches, to make sure bad APIs are not abused and that other security controls are coded appropriately. Dynamic and static analysis for mobile will continue to improve and fit nicely into our security activities.
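The following is an added example, not code from the article or from Aspect Security, that ties together the first tip (platform-specific handling of password fields and auto-complete, here on Android) and the fourth tip (a static check run during development to catch misuse of risky APIs). It runs two small rule sets over a constructed Android layout file and a constructed Java fragment. The layout attributes `android:inputType="textPassword"` and `android:importantForAutofill="no"` are real Android attributes; the policy that every password field must carry both, and the list of risky API patterns, are assumptions chosen for this example rather than a complete or authoritative rule set.

```python
"""Minimal static check over constructed Android sources (added example).

Rule sets below are assumptions for illustration, not a complete standard.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed layout: 'password' is declared correctly, 'confirm_password' is not.
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
    <EditText android:id="@+id/username"
              android:inputType="text" />
    <EditText android:id="@+id/password"
              android:inputType="textPassword"
              android:importantForAutofill="no" />
    <EditText android:id="@+id/confirm_password"
              android:inputType="text" />
</LinearLayout>
"""

# Constructed Java fragment: two risky lines, two acceptable lines.
SAMPLE_JAVA = """
SharedPreferences p = ctx.getSharedPreferences("creds", Context.MODE_WORLD_READABLE);
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setAllowFileAccess(false);
Log.d("auth", "token=" + token);
"""

# Assumed risky-API rules: regex -> finding message.
RISKY_API_RULES = {
    r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE": "world-accessible storage mode",
    r"setAllowFileAccess\(\s*true\s*\)": "WebView file access enabled",
    r"Log\.[dviwe]\(.*(token|password|secret)": "possible secret written to logcat",
}


def check_layout(xml_text):
    """Flag EditText fields whose id suggests a password but which are not
    declared as textPassword, or which do not opt out of autofill
    (the second rule is this example's assumed policy)."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("EditText"):
        field_id = node.get(f"{{{ANDROID_NS}}}id", "")
        input_type = node.get(f"{{{ANDROID_NS}}}inputType", "")
        autofill = node.get(f"{{{ANDROID_NS}}}importantForAutofill", "")
        if "password" not in field_id.lower():
            continue
        if "textPassword" not in input_type:
            findings.append((field_id, "password field without textPassword inputType"))
        if autofill != "no":
            findings.append((field_id, "password field does not opt out of autofill"))
    return findings


def check_source(java_text):
    """Return (line number, message) for every line matching a risky-API rule."""
    findings = []
    for lineno, line in enumerate(java_text.splitlines(), start=1):
        for pattern, message in RISKY_API_RULES.items():
            if re.search(pattern, line):
                findings.append((lineno, message))
    return findings


def run_checks(layout_xml=SAMPLE_LAYOUT, java_src=SAMPLE_JAVA):
    """Run both rule sets and return the combined findings."""
    return {"layout": check_layout(layout_xml), "source": check_source(java_src)}


if __name__ == "__main__":
    for kind, items in run_checks().items():
        for location, message in items:
            print(f"[{kind}] {location}: {message}")
```

In a real pipeline the same shape (a rule table plus a pass over each artifact type) would be wired into the build so that findings fail the build before code review, which is where the article places static verification.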
Some applications will require higher levels of rigor and, as such, your organization should perform all of the aforementioned activities. In other cases, the risk level may warrant only manual or dynamic verification. Either way, mobile applications will only continue to grow in popularity. More pressure will come down from the business units to create more and more apps to improve employee efficiency and meet client needs. That being said, it is critical that every organization developing mobile apps have a well-defined and stable mobile application security process.
Lindner is the global practice manager, mobile application security services, for Aspect Security, a consulting firm based in Maryland that focuses exclusively on application security services and training for a worldwide clientele. He also serves as an OWASP Top Ten Mobile Project contributor and Mobile Testing Guide contributor.