2011 saw the development of mobile applications rise like we have never seen before. We all knew this would happen, I suppose just not this quickly. In fact a recent story in the New York Times suggests that there are approximately 15,000 mobile apps being released every week.
The increase in the volume of mobile app development has everything to do with the fact that mobile devices have become an essential tool for business productivity and consumer entertainment. For comparison’s sake, the same NY Times article reports that an average of 100 movies and 250 books are released every week.
With over 1 million mobile apps available across the Apple, Android, Blackberry and Windows marketplaces, one of the most critical areas to pay attention to is security. Fundamentally, all software, not just mobile applications, should follow some type of process, like the SDLC, to ensure that security is built into all phases of the development lifecycle.
So what are the security implications? For one, there are a large number of developers who likely aren’t security-savvy when developing mobile applications. It’s no surprise that making the app cool and getting it out there will trump security in many cases.
Additionally, as apps are becoming more important to smart device users, the timeframe is condensed from development to delivery, creating conditions ripe for skipping key checkpoints along the development process, including tracking and fixing bugs and remediating potentially vulnerable code.
That said, Apple does have a strict set of guidelines that they’ll review apps against before approving them for the App Store. While they are unable to test for everything, they are checking closely and have a process in place. Apple's stance is to keep the ecosystem more closed and controlled in order to drive quality and the user experience up. In essence, their process involves some elements of security.
The Android market however, is far less regulated, but Google will react and pull apps if there are complaints or known to have vulnerabilities which might impact users. Android phones also make it easy to install non-market apps (simple setting in the OS), which requires a jailbreak in an apple device.
Insecure applications also have implications that can impact hardware, so it becomes an issue not just for users, but for the device manufacturers as well. One example of that is a study that was conducted recently at the University of North Carolina, where researchers tested a number of Android devices and found a variety of security holes.
The results of the study revealed that pre-installed apps were the culprit of many vulnerabilities including the capability to pass on their privileges, accessing local data, GPS networks or mobile networks, to other applications. Ultimately, these insecure or invalidated pre-installed apps enable attackers to access or delete data, send SMS text messages, tap communication or determine a user's location.
There are a number of risks involved that are specific to mobile applications that developers and security teams should be aware of in the development lifecycle. Knowing what these are and how to code defensively against them is important, regardless of which methodology you are using to develop mobile apps.
One specific risk worth mentioning, that draws an interesting contrast between web apps on a non-mobile platform and apps on a mobile platform is Phishing. Sure it’s been around forever, and there are plenty more I will discuss in future posts. These attacks are successful on non-mobile devices and typically executed through email in an attempt to lure the recipient into revealing personal information.
However, what we’ve seen with mobile applications is “SMiShing,” which is phishing conducted via SMS (text) in much the same way as email-based phishing attacks.
To control risk against these attacks, it’s important to inspect links: Most (if not all) mobile device browsers don’t allow users to “hover” over a link to compare the link being displayed versus the actual link. Also, SSL certificate inspection is critical for securing the app environment, yet difficult to perform and, in some cases, not possible at all.
To sum it up, the risk posed by mobile applications continues to increase dramatically as more mobile apps are brought to market. The insatiable appetite for mobile apps will further drive the need for targeted development practice which include security as an integral part of the development lifecycle.
