I provided some background information to Brian Prince about the challenges application developers face when building smartphone applications for his eWeek article “Mobile Application Developers Face Security Challenges”.
The article highlights a number of critical problems for organizations developing smartphone applications. Specifically:
· Smartphone applications run in an environment controlled by attackers. (Hopefully) attackers do not have complete control of your web servers, but they do have control over their smartphone devices. Smartphones run in an environment similar to AJAX applications and other Rich Internet Applications (RIAs) in that data and code have moved from the server-side to the attacker-controlled client-side.
· Most developers do not know how to build secure applications for smartphone environments. To be honest, most developers do not know much about building secure applications in any environment, but the problem is compounded for emerging environments like iPhone, Android, Blackberry, etc. The lack of knowledge leads to mistakes. Some of them are easy to fix, but application design and architecture issues can be really challenging and expensive to address.
The steps organizations can take to help avoid problems when building mobile applications are an evolution of what has been “good advice” for quite some time:
· Teach developers about secure application development. Make sure all of your developers know something about security and some of your developers know a lot about security – especially about the specific security capabilities and characteristics of the mobile application platform(s) and environment(s) you are using.
· Threat model your applications early in the development process. This makes sure everyone involved in the project understands the structure of the system as well as the trust boundaries between “trusted” processes and data and the processes and data that need to be validated. This is especially important for mobile applications because the interesting ones (banking, healthcare, etc.) typically involve a combination of software running on the mobile device as well as 3rd party services and enterprise services. Knowing where sensitive data resides and where it moves is critical, and threat modeling can make sure developers are aware of potential problems.
· Test your software for security. This can include a combination of security code reviews as well as live application assessments. Mobile application security is still somewhat specialized, so the skills required to do this are still comparatively rare in the market. Automated tools can perform security source code reviews, but right now most of the tools would need to be tweaked and customized because they are often optimized for testing web applications. Dynamic assessment tools for mobile applications are still pretty early in the R&D phase, so most of this testing will have to be done manually.
· Have a plan for responding to security incidents. Have a clear way for researchers to contact you and be ready to be responsive. Mobile application security is a “hot” area for researchers and a great way for them to make a name for themselves so you should expect attention from that community. Be able to respond in a timely and appreciative manner and hopefully it will keep you off the front page or at least give you some time to address the issue and prepare for any fallout.
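The first point above (the smartphone client runs in an attacker-controlled environment) and the threat modeling step (validate everything that crosses a trust boundary) come together in the server-side code that receives requests from the mobile app. The following example was added to illustrate that point; it is not code from the original post or from Denim Group. The catalog, session table, request shape and tampered request are all constructed sample data, and the two handler functions are hypothetical. The first handler trusts the price and role the client sends, which a modified client can set to anything; the second recomputes the price from the server's own catalog, derives the role from the server-side session, and validates the shape and range of the remaining input.

```python
"""Trust-boundary example: the mobile client is attacker-controlled, so every
value it sends must be validated (or ignored and recomputed) on the server.
Added example code; catalog, sessions and request shapes are constructed."""
import json
from dataclasses import dataclass

# Server-side sources of truth (constructed sample data).
CATALOG = {"sku-100": 49.99, "sku-200": 9.50}
SESSION_ROLES = {"session-alice": "customer", "session-bob": "admin"}
MAX_QTY = 100


@dataclass
class Order:
    sku: str
    qty: int
    total: float
    placed_by_admin: bool


def handle_order_trusting_client(session_id: str, body: str) -> Order:
    """Vulnerable (hypothetical) handler: it trusts the price and role that
    the client included in the request body. A tampered client can therefore
    buy at any price and claim any role; session_id is never even consulted."""
    req = json.loads(body)
    return Order(
        sku=req["sku"],
        qty=req["qty"],
        total=req["qty"] * req["price"],
        placed_by_admin=req.get("role") == "admin",
    )


def handle_order_hardened(session_id: str, body: str) -> Order:
    """Hardened (hypothetical) handler: the only client-supplied values it
    uses are sku and qty, and both are validated. Price comes from CATALOG and
    role from the server-side session; any client-sent price or role is ignored
    because it originates outside the trust boundary."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("malformed request body") from exc
    if not isinstance(req, dict):
        raise ValueError("request body must be a JSON object")

    sku = req.get("sku")
    qty = req.get("qty")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")

    role = SESSION_ROLES.get(session_id)
    if role is None:
        raise PermissionError("unauthenticated session")

    return Order(
        sku=sku,
        qty=qty,
        total=round(qty * CATALOG[sku], 2),
        placed_by_admin=(role == "admin"),
    )


# Constructed tampered request: a modified client sets its own price and role.
TAMPERED = json.dumps({"sku": "sku-100", "qty": 2, "price": 0.01, "role": "admin"})

if __name__ == "__main__":
    print("trusting client:", handle_order_trusting_client("session-alice", TAMPERED))
    print("hardened:       ", handle_order_hardened("session-alice", TAMPERED))
```

Run as-is, the trusting handler produces a two-cent "admin" order from a customer session, while the hardened handler charges the catalog price and keeps the customer role. The design point is the one the threat model should make visible: nothing the device sends is authoritative, so price, identity and authorization are re-derived from server-side state and only the minimal remaining input (which item, how many) is accepted after validation.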
Smartphone applications offer organizations huge potential to create value for their employees, customers and partners. Unfortunately, to do this they must typically interact with and transport sensitive data. Some prior planning can help reduce the risks associated with deploying these applications.
Contact us for help building and securing your smartphone applications.
dan _at_ denimgroup.com