Mobile Browser Content Handlers: Risks and Countermeasures

I was up in the DC area last week for the Department of Homeland Security (DHS) Software Assurance Forum. While I was there I was also fortunate enough to stop by the OWASP NoVA meeting, where I gave a brief fire talk titled “Mobile Browser Content Handling”.

Slides are available online here:

Most mobile platforms allow developers to register applications to handle requests that would otherwise be handled by the web browser. This allows developers to provide a richer experience than a browser on its own, but also opens up avenues for attackers. Attackers can try to subvert application behavior by seeding malicious websites with specially-crafted links intended to execute a target application with malicious parameters included in the URL. Developers should understand the situations when their applications might be executed in response to malicious web content and be sure to properly validate incoming data and request appropriate confirmation from users before performing sensitive actions.
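The validation the paragraph above calls for can be made concrete in the handler that receives a custom-scheme URL. The following is an added example and not code from the original post or from Denim Group: it assumes a hypothetical app that registered the scheme `exampleapp`, with made-up actions (`view`, `call`, `pay`) and made-up parameter rules. Every request is checked against an allowlist of actions and per-parameter patterns, and actions flagged as sensitive are only performed after a confirmation callback supplied by the UI layer returns true.

```python
"""Validation of inbound custom-scheme URLs in a mobile app's content handler.

Added example, not from the original post. The scheme name "exampleapp",
the action names and the parameter rules are assumptions made up for
illustration; a real app would substitute its own registered scheme.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

EXPECTED_SCHEME = "exampleapp"  # assumed scheme the app registered with the OS


@dataclass(frozen=True)
class ActionPolicy:
    # parameter name -> compiled regex the decoded value must fully match
    params: dict
    # True for actions with side effects the user must explicitly approve
    needs_confirmation: bool


# Allowlist of actions a link may trigger; anything else is ignored.
POLICIES = {
    "view": ActionPolicy(params={"item": re.compile(r"[0-9]{1,10}")},
                         needs_confirmation=False),
    "call": ActionPolicy(params={"number": re.compile(r"\+?[0-9]{3,15}")},
                         needs_confirmation=True),
    "pay": ActionPolicy(params={"to": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
                                "amount": re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?")},
                        needs_confirmation=True),
}


@dataclass(frozen=True)
class HandlerRequest:
    action: str
    params: dict
    needs_confirmation: bool


class RejectedUrl(ValueError):
    """The incoming URL failed validation; the app should drop it silently."""


def parse_handler_url(url: str) -> HandlerRequest:
    """Parse exampleapp://<action>?<params> and enforce the action's policy."""
    parts = urlsplit(url)
    if parts.scheme.lower() != EXPECTED_SCHEME:
        raise RejectedUrl("unexpected scheme")
    action = parts.netloc.lower()          # exampleapp://call?... -> "call"
    policy = POLICIES.get(action)
    if policy is None:
        raise RejectedUrl(f"unknown action {action!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    cleaned = {}
    for name, values in query.items():
        if name not in policy.params:
            raise RejectedUrl(f"unexpected parameter {name!r}")
        if len(values) != 1:               # repeated keys are a classic confusion trick
            raise RejectedUrl(f"duplicate parameter {name!r}")
        if not policy.params[name].fullmatch(values[0]):
            raise RejectedUrl(f"bad value for {name!r}")
        cleaned[name] = values[0]
    missing = set(policy.params) - set(cleaned)
    if missing:
        raise RejectedUrl(f"missing parameters {sorted(missing)}")
    return HandlerRequest(action, cleaned, policy.needs_confirmation)


def handle_url(url: str, confirm) -> str:
    """Entry point the OS would call with the link the browser handed over.

    `confirm` is a callable the UI layer supplies (e.g. it shows a dialog
    describing the request) and returns True only if the user approved.
    """
    try:
        req = parse_handler_url(url)
    except RejectedUrl:
        return "rejected"
    if req.needs_confirmation and not confirm(req):
        return "cancelled"
    return f"performed {req.action}"


if __name__ == "__main__":
    # Constructed sample links: a benign one, a sensitive one, and a forged one.
    always_yes = lambda req: True
    print(handle_url("exampleapp://view?item=42", always_yes))
    print(handle_url("exampleapp://pay?to=alice&amount=10.00", lambda req: False))
    print(handle_url("exampleapp://pay?to=alice&amount=10;drop", always_yes))
```

The two defensive points from the paragraph map onto the two functions: `parse_handler_url` rejects anything outside the allowlist (wrong scheme, unknown action, unexpected, duplicate or malformed parameters), and `handle_url` refuses to carry out a sensitive action on the strength of a link alone, since a web page can only supply the URL and never the user's confirmation.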

The SANS folks have a great blog post about how this works in iOS (iPhone, iPad). Check out the slide deck for more details; I will be following up shortly with a blog post with specifics of how this works on the Android platform.

Contact us for help building and securing your mobile applications.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.


One Response to “Mobile Browser Content Handlers: Risks and Countermeasures”

  1. compositor audiovisuales

    It's like you read my mind! You appear to know a lot about this, like you wrote the book on it or something. I think that you could do with a few pics to drive the message home a little bit, but instead of that, this is a fantastic blog. A fantastic read. I’ll definitely be back.
