Veracode expands mobile app security verification to Android and Apple iOS

Veracode said it will begin offering its cloud-based application risk management verification service to companies and developers of apps for Google Android devices this quarter. It also expects to offer this same service to enterprises developing mobile apps for Apple’s iOS in the second quarter of this year.

The company added that it will run the beta program for security verification, which accepts all mobile apps regardless of platform, to help mitigate what many analyses have deemed to be the rapid emergence of mobile device security threats.

Infosecurity notes that the emergence of independent testing services for mobile apps has become necessary because application markets – such as those provided by Apple and Google – provide, at best, a superficial security review.

Veracode also released its “Mobile App Top 10 List”, a guide for enterprises that it hopes will become an “industry standard for categorizing malicious functionalities and serve as a checklist of vulnerabilities that developers and security teams can collectively utilize to determine what mobile app risks exist and how they can be effectively and efficiently mitigated”.

“More and more enterprises are realizing that 2011 is quickly becoming the tipping point for mobile security issues,” said Nigel Stanley, an analyst with Bloor Research. “For both active and passive attacks ranging from GSM air interface attacks through to the use of trojan malware to target users, with Veracode I share my intense interest in best practices for mitigating these risks and what steps users, businesses, developers and organizations need to take to secure their smartphones and apps.”

The Mobile App Top 10 list, which mirrors similar web application security efforts from OWASP, is broken down into two categories of risk – malicious functionality and vulnerabilities. The list includes: activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity; UI [user interface] impersonation; system modification; logic or time bomb; sensitive data leakage; unsafe sensitive data storage; unsafe sensitive data transmission; and hardcoded password/keys.

“While much has been done in terms of setting standards for the security of web applications, we felt it was necessary to extend the same rigorous framework to mobile,” added Chris Wysopal, Veracode’s CTO.

“In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits. We strongly recommend industry-wide adoption of the Mobile App Top 10 for the development of apps, as part of an app store vetting process, for acceptance testing of an app, or for use by providers of security software running on mobile devices.”
