App-ropriate Security

By Trevor Boldon

Over recent years mobile applications have become increasingly popular, and modern smartphones can now offer such an array of apps that it is often hard to imagine life without them. I myself am guilty of regularly using takeaway ordering apps a little too much, but the ease and convenience of having such an app on my phone makes it hard to resist. But whilst these apps make our everyday lives more convenient, are they also providing hackers with a new and easier way in which to steal our data?

It could be argued that when mobile applications first materialized, they were seen as nothing more than an amusing gimmick, allowing friends to impress one another with what their new smartphone could do. At first, businesses found it hard to envision the potential business benefit from utilizing mobile apps, which is understandable, as employees being able to play Angry Birds doesn’t really help an organization achieve its objectives.

However, as time went by businesses realized the potential to save their employees time, increase internal connectivity, connect directly with consumers and save a lot of money by embracing mobile applications. At IRM we now see a trend of employees adopting applications to carry out important Business As Usual tasks, which in turn carry greater security implications than your average game of Angry Birds. Applications now offer us the means of carrying out banking transactions, buying goods, storing and sending sensitive information and much more. Businesses are increasingly looking toward mobile applications as viable solutions for their operational needs. And why shouldn’t they? Mobile applications are often minimal in cost (sometimes even free), easy to use and can be easily accessed when out of the office.

However, there is often a complete lack of understanding of the security threat posed by mobile applications, leaving businesses unable to fully appreciate the risk they are accepting by adopting them. For example, ‘secure’ storage applications are commonly used as a way to store passwords, intellectual property, banking details and other sensitive information. While these applications claim to be secure, the reality can be very different. A hacker with malicious intent who knows what they are doing can simply connect the smartphone to their PC and attempt a number of ways to extract the information. If an employee uses such an app and their phone is stolen, company information could be stolen with it.

It has often been said that there is more technology in a modern smartphone than in the rocket that sent man to the moon. But to put it in more of a security context, it is more appropriate to highlight that smartphones are more powerful than a standard desktop computer of the early 2000s. We all know that hackers targeted desktops, and now the spotlight can be turned onto mobile applications as a new attack vector for hackers wishing to get their hands on your data.

Recently, articles and presentations by security experts across the globe have highlighted just how inadequate mobile application security currently is. Commonly identified issues range from sensitive data being stored and transmitted without protection, to inadequate server-side protections, insufficient user protection and many more.

At times, attempts at securing mobile applications can be observed, but these are often poorly implemented. Such an example would be an application encrypting sensitive data in an attempt to protect it, but then leaving the decryption key within the application code. This is similar to using a safe to contain important items, but then writing the lock combination on the side. At best it creates a false sense of security, and at worst your data will be stolen.
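As an added illustration (not code from the article or from IRM), the Java for Android sketch below places the mistake described above beside its corrected form: the first method encrypts with a key embedded in the app code, the second keeps the key inside the Android Keystore so the code holds only an alias. The `NoteVault` class, the sample key bytes and the alias `note_vault_key` are constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

public class NoteVault {
    // VULNERABLE: the combination written on the side of the safe. This constant ships
    // inside the APK, so anyone who unpacks the app can decrypt every note it ever stored.
    private static final byte[] EMBEDDED_KEY = // constructed sample value
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);

    static byte[] encryptWithEmbeddedKey(byte[] note) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(EMBEDDED_KEY, "AES"), new GCMParameterSpec(128, iv));
        return ByteBuffer.allocate(12 + note.length + 16).put(iv).put(c.doFinal(note)).array();
    }

    // HARDENED: the key is generated on the device inside the Android Keystore and cannot be
    // exported. The code holds only an alias, so nothing in the APK unlocks the stored data.
    private static final String KEY_ALIAS = "note_vault_key"; // hypothetical alias

    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return (SecretKey) ks.getKey(KEY_ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256).build());
        return kg.generateKey();
    }

    static byte[] encryptWithKeystore(byte[] note) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey()); // Keystore keys require the cipher to choose the IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(note);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }
}
```

Both methods store the IV in front of the ciphertext; decryption with the Keystore key initialises the cipher in `DECRYPT_MODE` with a `GCMParameterSpec` built from that prefix.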

There are a number of factors as to why the current security landscape of mobile apps is so poor. Developers may be more focused on creating an application that is exciting and visually appealing, they may be under time pressure to get an application released ahead of the competition, or it may simply be that they don’t know how to make their applications secure. Not so long ago, if you were to walk into a bookstore and search for a book on developing mobile applications, you would be hard pressed to find one with any real focus on security; at best it might have a page or two covering the subject.

However, within the last twelve months an increasing number of news articles have begun to highlight the real threat posed by insecure mobile applications. Groups of security experts, such as those at the OWASP Mobile Security Project, are beginning to supply the information needed to assist both developers and security experts in developing secure mobile applications. OWASP have already created a number of popular testing frameworks relating to various areas of Information Security. The Mobile Security Project, although in its infancy, already provides a working methodology which highlights the current key threats facing mobile apps and the key areas of testing that should be performed on all mobile apps to ensure security, and also provides information for developers wishing to make their apps more secure.

There is a need for businesses to consciously acknowledge the threat posed by mobile applications if they want to exploit the potential business benefit afforded by new technology, and to take proactive steps to ensure they are not left vulnerable. Ensuring that mobile applications are properly assessed can help in providing a more secure solution and in mitigating potential threats.

Trevor Bolden is a Technical Security Consultant for IRM and specializes in mobile application security.
