I was up in the DC area last week for the Department of Homeland Security (DHS) Software Assurance Forum. While I was there I was also fortunate enough to stop by the OWASP NoVA meeting, where I gave a brief fire talk titled “Mobile Browser Content Handling”.
Slides are available online here:
Most mobile platforms allow developers to register applications to handle requests that would otherwise be handled by the web browser. This lets developers provide a richer experience than the browser can on its own, but it also opens up avenues for attackers. An attacker can try to subvert application behavior by seeding malicious websites with specially-crafted links intended to launch a target application with malicious parameters included in the URL. Developers should understand the situations in which their applications might be launched in response to malicious web content, properly validate all incoming data, and request appropriate confirmation from users before performing sensitive actions.
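The validation the paragraph above calls for can be expressed as a small, platform-neutral handler: whatever the OS hands the app (an Android intent's data URI, an iOS URL-type callback), the app parses the URL, checks it against an allowlist of actions and parameters, and flags sensitive actions as needing explicit user confirmation. The following is an added example written for this post, not code from the talk or from Denim Group; the `myapp://` scheme, its `view` and `transfer` actions, their parameters and the sample URLs are all hypothetical, constructed to illustrate the checks.

```python
"""Validate a URL routed to our app via a custom scheme before acting on it.

Models the handler logic an Android intent-filter or iOS URL type would
invoke for 'myapp://...'.  The scheme, actions and parameters are
hypothetical; the sample URLs in main() are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

APP_SCHEME = "myapp"

# Allowlist of actions the app will honour from an external link: the
# parameters each may carry (name -> validating regex) and whether the
# action is sensitive enough to require explicit user confirmation.
ACTIONS = {
    "view": {
        "params": {"id": re.compile(r"[0-9]{1,10}")},
        "confirm": False,
    },
    "transfer": {
        "params": {
            "to": re.compile(r"[A-Za-z0-9_]{1,32}"),
            # positive amount, up to six integer digits and two decimals
            "amount": re.compile(r"(?!0+(\.0+)?$)[0-9]{1,6}(\.[0-9]{1,2})?"),
        },
        "confirm": True,
    },
}


@dataclass
class Decision:
    accepted: bool
    reason: str
    action: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)
    needs_confirmation: bool = False


def handle_incoming_url(url: str) -> Decision:
    """Decide whether a URL delivered by the OS may drive the app, and how."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != APP_SCHEME:
        return Decision(False, "unexpected scheme %r" % parsed.scheme)

    # myapp://<action>?<params>: the host component names the action.
    action = parsed.netloc.lower()
    spec = ACTIONS.get(action)
    if spec is None:
        return Decision(False, "unknown action %r" % action)
    if parsed.path not in ("", "/"):
        return Decision(False, "unexpected path %r" % parsed.path)

    # keep_blank_values so 'to=' is rejected as invalid rather than treated as absent
    raw = parse_qs(parsed.query, keep_blank_values=True)
    params: Dict[str, str] = {}
    for name, values in raw.items():
        if name not in spec["params"]:
            return Decision(False, "unexpected parameter %r" % name)
        if len(values) != 1:
            # a repeated parameter is a classic way to smuggle a second value
            return Decision(False, "duplicate parameter %r" % name)
        if not spec["params"][name].fullmatch(values[0]):
            return Decision(False, "invalid value for %r" % name)
        params[name] = values[0]

    missing = sorted(set(spec["params"]) - set(params))
    if missing:
        return Decision(False, "missing parameter(s) %s" % missing)

    # Accepted: the caller must still show a confirmation dialog for
    # sensitive actions before doing anything with these parameters.
    return Decision(True, "ok", action, params, spec["confirm"])


if __name__ == "__main__":
    # Constructed sample links: one benign, the rest shaped like hostile web content.
    for sample in [
        "myapp://view?id=42",
        "myapp://transfer?to=alice&amount=25.00",
        "myapp://transfer?to=alice&amount=25.00&amount=9999",
        "myapp://transfer?to=alice%3Cscript%3E&amount=1",
        "myapp://delete_account",
        "http://transfer?to=alice&amount=1",
    ]:
        print(sample, "->", handle_incoming_url(sample))
```

The handler deliberately rejects anything it does not recognise (unknown actions, extra or repeated parameters, an unexpected path) rather than ignoring it, and it reports `needs_confirmation` separately from `accepted` so the UI layer cannot forget the prompt for a sensitive action such as `transfer`.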
The SANS folks have a great blog post about how this works in iOS (iPhone, iPad). Check out the slide deck for more details; I will be following up shortly with a blog post on the specifics of how this works on the Android platform.
Contact us for help building and securing your mobile applications.
–Dan
dan _at_ denimgroup.com
It's like you read my mind! You appear to know a lot about this, like you wrote the book on it or something. I think that you can do with a few pics to drive the message home a little bit, but instead of that, this is a fantastic blog. A fantastic read. I'll definitely be back.