Dan Cornell, Denim Group CTO, offers insights and advice to mobile application developers on the Denim Group blog (http://tinyurl.com/245lo48) regarding Wednesday's incident, in which hackers obtained the e-mail addresses of 114,000 owners of 3G Apple iPads, including military personnel, business executives and public figures. The data breach was the result of hackers exploiting a security hole in an AT&T web application.
Denim Group is an IT consultancy that develops secure software, helps organizations assess and mitigate risks in their existing software, and regularly assesses the security of mobile applications for its clients.
“Although this specific situation deals with AT&T infrastructure deployed to support Apple iPad devices, the lessons apply to everyone developing smartphone applications and the server infrastructure to support them – regardless of whether the target platform is the Apple iPhone or iPad, Google Android, RIM Blackberry or Microsoft Windows Mobile,” stated Cornell. “Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users and the enterprise distributing the application, as attackers take advantage of expanded access to sensitive data and network services.”
Cornell’s post focused on four key points:
- Authentication and Authorization Are Crucial for Services Deployed to Support Smartphone Applications
- Do Not Authenticate Requests with Values that Look Random But Aren’t
- Never Trust Anything in an Attacker-Controlled Request
- Don’t Trust Your Service Providers; Test Them
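Cornell's post is not reproduced here, and this release does not describe the specific flaw in the AT&T application, so what follows is an added example written for this page, not code from Cornell or Denim Group. It is a constructed, in-memory lookup service in Python that illustrates the first three points: vulnerable_lookup "authenticates" on a device identifier that looks opaque but is assigned sequentially (a hypothetical stand-in; the subscriber records, identifiers and credentials are invented), so enumerate_ids recovers every stored e-mail address simply by counting. hardened_lookup instead requires a server-issued random session token, ignores the client-supplied identifier entirely, and returns only the record bound server-side to that session, so neither an anonymous enumerator nor a logged-in user editing a parameter can read someone else's record.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not from the AT&T incident): subscriber records keyed by
# a device identifier that looks opaque but is handed out sequentially.
SUBSCRIBERS = {
    "8901400000000011": "alice@example.com",
    "8901400000000012": "bob@example.com",
    "8901400000000014": "carol@example.com",
}

# Constructed stand-in for a credential store. A real service stores salted
# password hashes, never plaintext; plaintext is used here only for brevity.
CREDENTIALS = {
    "8901400000000011": "alice-pw",
    "8901400000000012": "bob-pw",
    "8901400000000014": "carol-pw",
}

# Server-side session store: random token -> device identifier. Only login() writes it.
SESSIONS = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request. Everything in it is attacker-controlled."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def vulnerable_lookup(req):
    """Weak pattern: the only 'credential' is a device_id the client supplies.

    The value looks random, but it is sequential, so it is not a secret and
    proves nothing about who is asking.
    """
    device_id = req.params.get("device_id", "")
    if device_id in SUBSCRIBERS:
        return 200, SUBSCRIBERS[device_id]
    return 404, None


def login(device_id, password):
    """Authenticate, then issue an unguessable, server-generated session token."""
    expected = CREDENTIALS.get(device_id)
    # compare_digest keeps the comparison constant-time regardless of where it differs
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
    SESSIONS[token] = device_id
    return token


def hardened_lookup(req):
    """Hardened pattern: authenticate with the session token, then authorize.

    The client-supplied device_id is ignored; the record returned is the one
    bound server-side to the session, so editing a parameter cannot expose
    another subscriber's address.
    """
    token = req.cookies.get("session")
    device_id = SESSIONS.get(token) if token else None
    if device_id is None:
        return 401, None
    return 200, SUBSCRIBERS[device_id]


def enumerate_ids(handler, start, count):
    """What an attacker does to a handler keyed on a sequential identifier:
    walk the identifier space and keep every response that leaks data."""
    found = {}
    for n in range(start, start + count):
        status, email = handler(Request(params={"device_id": str(n)}))
        if status == 200:
            found[str(n)] = email
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(vulnerable_lookup, 8901400000000010, 10))
    print("hardened:  ", enumerate_ids(hardened_lookup, 8901400000000010, 10))
    tok = login("8901400000000011", "alice-pw")
    print("alice with session:", hardened_lookup(Request(cookies={"session": tok})))
```

Running the script shows the sweep over ten consecutive identifiers pulling all three addresses out of vulnerable_lookup and nothing out of hardened_lookup; the session token is the only thing the hardened handler trusts, and it is issued only after the credential check.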
His blog post provides more background on why these points are relevant to any organization building applications for mobile devices.
Cornell is available for interviews. Please contact Alan Weinkrantz – 210-410-3075 to schedule.
About Denim Group
Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1,751 in Inc. Magazine’s 5000 Fastest-Growing Private Companies in America in 2009. For more information about Denim Group, visit www.denimgroup.com.