Infosecurity Europe 2011: Most significant mobile app security risks revealed

Speaking to an overflowing Business Theatre at the event, the Veracode founder and CTO acknowledged that security risks exist at each and every layer of mobile devices, whether it is networking capabilities, hardware, operating system, or applications.

But Wysopal contends that applications alone deserve their own list, “to educate developers and security professionals about mobile application behavior that puts users at risk”. He also felt a unique list for mobile applications was necessary because mobile devices are highly portable, and therefore easily lost.

Wysopal broke down the top ten list into two parts: applications with purposeful malicious intent, and inadvertent vulnerabilities inherent in certain applications. The list includes:

  1. Activity monitoring and data retrieval
  2. Unauthorized dialing, SMS, and payments
  3. Unauthorized network connectivity (data exfiltration or command & control)
  4. UI (unique identifier) impersonation
  5. System modification (rootkit, APN proxy configuration)
  6. Logic or time bomb
  7. Sensitive data leakage (inadvertent or side channel)
  8. Unsafe sensitive data storage
  9. Unsafe sensitive data transmission
  10. Hardcoded password/keys

When comparing the various application markets available, Wysopal noted that not all are created equal – at least, not from a security perspective. While the most popular application markets all had a mechanism for revoking malicious applications once they were discovered, only the market for Windows mobiles conducted a pre-flight security check of submitted applications. Android, on the other hand, has only a cursory approval process, as previously highlighted by Infosecurity.

“Apple is famous for their walled garden and has an approval process”, Wysopal noted. “But it’s not clear that they are looking at security issues. They seem to care about user experience and policies.”

He added that Apple has published its policies, which prohibit applications from containing malware, but it has not yet acknowledged whether or not it scans for malicious code. Conversely, Wysopal continued, the app market for the Windows phone has the “strongest” security process, whereby it runs a static analysis for malware as part of its approval method.

Wysopal provided dozens of real-world examples of how applications have absconded with user data using various methods on the Top Ten. The primary difference between PC/desktop app vulnerabilities and those on smart devices, he outlined, is that of location-based data accessible through many mobile apps, which provides a twist on the traditional threat model.

“The risks on a mobile device are very different”, Wysopal said. “It’s highly, highly portable as you carry it on you all the time, so from a privacy standpoint, things like your [immediate] location are more sensitive than the location of your desktop at work, for instance.”

The Veracode CTO then called upon mobile app stores to consider using the list in a security review of all submitted apps. He cited the OWASP top 10 list for application vulnerabilities, used by the PCI Council as part of its application auditing process.

“App stores could vet for the Mobile Top 10, or any similar list that’s published and independent”, Wysopal said. “Right now they are very opaque about what they are testing for.”
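To make concrete what a pre-flight static check against the Top 10 could look like, here is an added example that is not from the article, from Veracode, or from any app store’s actual review pipeline. It is a small rule-based scanner over application source text that flags three of the inadvertent-vulnerability items on the list above: unsafe sensitive data storage (item 8, world-readable file modes), unsafe sensitive data transmission (item 9, cleartext HTTP endpoints) and hardcoded passwords or keys (item 10). The rules, the `Finding` type and the Android-style sample source are all constructed for this illustration; a real vetting process would work on compiled binaries and many more rule classes, but the shape of the check is the same.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical rule set: (rule name, regex, Top Ten item number it maps to).
# Each regex is deliberately simple; it is the mapping to a published,
# independent list that gives an app store something transparent to test for.
RULES: List[Tuple[str, str, int]] = [
    ("hardcoded_secret",
     r'(?i)(password|passwd|secret|api[_-]?key)\s*=\s*"[^"]{4,}"', 10),
    ("cleartext_transmission", r'"http://[^"]+"', 9),
    ("world_readable_storage", r"MODE_WORLD_(READABLE|WRITEABLE)", 8),
]


@dataclass
class Finding:
    rule: str
    top10_item: int
    line_no: int
    line: str


def scan_source(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match; comment-only lines are skipped."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # a comment cannot store, send or embed anything at runtime
        for name, pattern, item in RULES:
            if re.search(pattern, line):
                findings.append(Finding(name, item, line_no, stripped))
    return findings


def summarize(findings: List[Finding]) -> Dict[int, int]:
    """Count findings per Top Ten item, so a reviewer sees which categories an app trips."""
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f.top10_item] = counts.get(f.top10_item, 0) + 1
    return dict(sorted(counts.items()))


# Constructed Android-style source for the demonstration; not real app code.
SAMPLE_ANDROID_SOURCE = """\
public class SyncService {
    // constructed sample: each flagged line maps to one Top Ten item
    private static final String API_KEY = "sk_live_example_0123";
    private static final String PASSWORD = "hunter2hunter2";
    private static final String ENDPOINT = "http://sync.example.test/upload";
    void save(Context ctx, byte[] data) throws IOException {
        FileOutputStream out = ctx.openFileOutput("tokens.db", Context.MODE_WORLD_READABLE);
        out.write(data);
    }
    void saveSafely(Context ctx, byte[] data) throws IOException {
        FileOutputStream out = ctx.openFileOutput("tokens.db", Context.MODE_PRIVATE);
        out.write(data);
    }
}
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE_ANDROID_SOURCE)
    for f in results:
        print(f"line {f.line_no}: item {f.top10_item} ({f.rule}): {f.line}")
    print("per-item counts:", summarize(results))
```

Run as-is, the scanner reports the two hardcoded credentials, the cleartext endpoint and the world-readable file, and leaves the `MODE_PRIVATE` variant alone. The per-item summary is the part a store would expose to developers: it says which published categories were tested and which the submission failed, which is exactly the transparency the quote above asks for.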
