When was the last time you left your house holding your social security card, all of your credit cards, health records, passwords, and a record of all the highly intimate messages that you’ve sent to your friends and loved ones?
Who would leave their house with all of this sensitive stuff? It would fill boxes and binders and no one would be foolish enough to carry it all with them at the same time, right?
All of this sensitive personal data, and more, is stored on your smartphones and, despite our belief that our mobile devices are much more secure than our flimsy leather wallets, study after study shows that our sensitive data is much more vulnerable than we think.
For most of us, our anxieties about mobile application security are relaxed by our trust that the powerful mobile operating systems will keep hackers and attackers far away from our personal data. After all, Apple built iOS with security in mind and Google is synonymous with security, isn’t it?
Yes… and no. While our mobile devices are shipped with built in security precautions designed to make the apps secure, such as sandboxing, the shields protecting our personal data from being exploited are only as strong as the weakest links in the applications that we use. These weak links are vulnerabilities that are becoming increasingly similar to the threats faced by web applications as more and more mobile applications are communicating with external servers that your mobile operating system has no control over. With the amount of personal data that we store on our mobile devices, it’s important to be informed of the vulnerabilities and risks related to not practicing secure mobile app development.
Where do these vulnerabilities come from?
It would seem obvious that most potential exploits in mobile apps are coming from self-taught developers, cheap studios and amateurs without a solid foundation in secure mobile app development. Each month in the United States, over 30,000 searches are made for “mobile app developer,” and the demand for application developers grows year after year. As this need for quick, and cheap apps, grows so does the amount of applications that are shipped with vulnerabilities, but this doesn’t paint the whole picture.
While amateur developers may account for a portion of the mobile applications with vulnerabilities lurking in the Google Play Store and App Store, the more serious issues often come from brands that we trust.
As existing companies and platforms rollout mobile applications, they are often developed using existing infrastructures developed for web applications that are then customized for mobile applications. Using vulnerabilities in the large company’s mobile application, hackers are able to exploit the organization and the end user.
Additionally, the sheer number of applications available on the Google Play and App Store, many of which communicate with outside servers, creates a virtual playground for cyber criminals. “The combination of easy access for all and a vast amount of available applications creates a massive potential attack surface for hackers to exploit,” noted Erez Metula, the Chairman and Application Security Expert at AppSec Labs notes, in a recent Checkmarx webinar on the State of Mobile Application Security.
Our mobile devices are a treasure chest of sensitive information and it’s crucial for both end-users and developers to be aware of the risks that may be hiding behind the branded applications that we put an incredible amount of trust, and data, into.
The “7 Deadly Sins” of Secure Mobile App Development
Authentication and Authorization vulnerabilities allow the malicious users to execute such tasks as impersonating other users, performing operations as other users and access other areas and operations of the app that they wouldn’t normally be allowed to access (such as bypassing security pin codes). Developers should make prioritizing the Authentication and Authorization mechanisms a priority during development. Online banks are often the victims of Authentication/Authorization attacks.
2 Availability Vulnerability
Availability issues result in the client, or server side, of the application being denied service from either the entire application or a part of it. Crashes are a common side effect of availability issues. Developers that understand the potential vectors which allow malicious entities to cause availability issues will understand what steps need to be taken in order to prevent such attacks which include system crashes resulting from request overflows. The recent Android Stagefright exploit was a result of a mixture of both the Availability Vulnerability and Configuration Management issues.
3 Configuration Management
Configuration Management issues relate to the misconfiguration of server or client thus enabling a malicious app to steal data from another app on same device. Examples of configuration management issues include when organizations maintain default passwords while not forcing new users to change their passwords changes upon their first login. Another example is when certain default settings are mismanaged such when companies have default settings switched to automatically refill funds when the user’s balance drops down to zero, thus auto-recharging the account.
4 Cryptography Weaknesses
Crpytography Weaknesses involve sensitive information disclosure that is related to the app sending sensitive data over the wire as clear text or encryptography with obsolete or bad encryption which leads to a false sense of security for both the developer and the end-user. Since information that is encrypted is usually highly sensitive, the negative impact from cryptography weaknesses can be devastating.
5 Information Disclosure
Information Disclosure issues involve information that can be exposed directly, or indirectly, by the attacker. Examples include when information is transferred to another app or even stored on device so another application can expose it.
6 Input Validation Handling
Input Validation Handling issues are related to a mobile app that might not be able to handle information from external sources in a secure manner. These exploits are similar to what happens to server side attacks such as SQLi, XSS, CSRF.
7 Personal/Sensitive Information Leakage
Sensitive Information Leakages occur when an app exposes personal information (credit cards numbers, secret documents etc.) belonging to the end user. This vulnerability occurs when applications are using third party statistic servers when they send a user’s personal info without their knowledge.
For developers, the first steps in ensuring that you are writing vulnerability-free code is secure mobile app development education and awareness. The best place to begin is with the State of Mobile Application Security Study, where AppSec Labs tested hundreds of mobile applications for vulnerabilities – the results may surprise you. These tests included of all types of apps including banking, utilities, retail, gaming and even security oriented applications.