Mobile application security for Android and iOS is a field which doesn’t always receive the attention it deserves. Software development teams have been scaling up their mobile application development over the last decade as smartphones have become more affordable and mobile bandwidth (and Wi-Fi) access has improved. It has been estimated that nearly 1 billion people will access the Internet for the first time in the next decade thanks to these devices. In addition, the smartphone has already established itself as the dominant platform for web access in developed nations.
Mobile Application Security (Android/iOS) – An Overview
There is a level of trust that the ordinary user places in new technology. They assume that it is difficult to be hacked and that viruses, malware, etc. are not prevalent. The truth is that mobile application security for Android and iOS should be a high priority. There’s already strong evidence that these platforms face the same threats as other platforms. People still want to steal data (either for financial gain or for other more esoteric purposes such as embarrassing someone or just to prove that they can).
The Trustwave 2012 Global Security Report showed that applications which deal with retail, and food and beverage industries are most likely to be under attack. The most common form of attack which could be prevented with the right level of mobile applications security (Android or iOS) is Banking Trojans designed to harvest customers’ credit card and debit card details.
Mobile Application Security (Android/iOS) – Attack Points
There are various points of attack used by malware writers for smartphone applications. These include data storage areas (key stores, file systems, databases, config files, etc.), binary attacks (such as reverse engineering, exploitation of vulnerabilities, embedding false credentials, etc.), and the platform itself (function hooking, installing malware, developing botnets on smartphones, targeting specific architecture requirements of a platform).
Mobile Application Security (Android/iOS) – Advice for Developers
Software development teams that work in these environments need to focus on security as they would in any other application environment. It’s vital that they fully understand their mobile platform and fully understand how the O/S operates when they’re asking it to perform a function. This allows them to understand the possible threats to mobile application security (Android or iOS) and take action to prevent/minimize these. They should know how the code libraries for their application link to the OS itself and examine threats that emerge as part of the linking process.
They should also be confident that they know what is being included in the final compiled version of the application and how an attacker might be able to read that compiled code. Mobile application security (Android or iOS) can be enhanced by fully understanding where every piece of data is stored (cache, database, configuration information, etc.) and then examining how that data can be better secured against attack.
How can Checkmarx help with this? CxDeveloper is able to work through iOS and Android app code and identify flaws that are often missed in traditional testing environments. The product enables you to track down areas that may be vulnerable to code injection, session fixation, password inadequacy, etc. The process is fully automated, leaving your developers free to concentrate on fixing problems rather than finding them.