Are critical mobile apps used by your team putting your business at risk? Will your public mobile apps raise privacy concerns among your customers? Does your mobile app expose vulnerable APIs to malicious 3rd parties?
The rise of mobile
Chances are your company is joining the growing number of enterprises that supply their customers and staff with mobile apps. Do you know what those apps are doing with your data? Is the data safe if the phone is lost or stolen? Is the server side of the application secure against attack and data loss? As mobile platforms become increasingly powerful and we access more of our data through them, attackers are increasingly looking at mobile apps as the new victims of choice.
Many mobile apps being built use insecure data storage and poor authentication practices. Maven Security can help give you visibility into where your data is stored and how it is accessed. We can then help you make decisions in balancing ease of use and functionality with the security and privacy necessary for your business.
With mobile apps, security problems can arise on both the client and the server side. We can help you by applying our years of experience with similar architectures. Because every mobile platform and app is slightly different, the best option is to contact us and we will work up a quote targeted to your individual app.
However, here is a list of common mistakes that may be applicable to your application:
Data in motion
This class of problems can be exploited by anyone who can observe your network traffic. The most commonly exploited scenario is mobile use at public WiFi hotspots.
Does your app use SSL or other transport encryption in a safe way? If the app uses insecure function calls or options (for example, turning off certificate validation), MITM attacks on otherwise sound protocols like SSL become possible.
Are user credentials transmitted securely, including the credentials of 3rd party sites like Twitter and Facebook if your app integrates with them?
Is the user data also available over a non-encrypted channel?
Data at rest – Mobile
These types of flaws are exploited most often when a phone is lost or stolen. They can also be exploited if an attacker gains access to a backup image on a computer the phone syncs to, or if the mobile device is compromised through one of the many known platform flaws.
Are credentials stored on the device? If so, are they stored securely?
Is your data cached on the device? If so, is the cache stored in a secure manner?
Maybe your app is “just a webapp”. Is it using the advanced HTML5 features in a secure manner?
What happens to your data when your device is suspended or the app crashes?
Is sensitive data exposed through the clipboard or through screenshots? For example, iOS takes a screenshot of the app when it closes, so any information on the screen at that moment is stored unencrypted on the device.
Data at rest – Server
The security of the server that feeds data to the mobile app is important: by definition it must be online and available at all times, and attackers have years of experience with client/server programs. You need someone with similar experience on your side. Flaws vary greatly based on the technology used, but may include:
Improper authentication – Does your login system adequately restrict access to only the proper individuals?
Improper authorization – Often the permissions of an authenticated user are not properly checked, and the user can gain access to data or functions they should not be able to reach.
SQL injection vulnerabilities – Attackers can use these to download, add, or delete any data on the server.
Privacy & PII
The secure handling of Personally Identifiable Information (PII) is a top concern these days, both for companies, because of compliance obligations, and for consumers, who are increasingly aware of the threats. We can analyze how the mobile app stores and transmits PII.
Does the mobile application offer the user a clear privacy policy statement? Is it in the same language as the mobile application? Does the application use excessive rights and privileges on the device, beyond the needed functionality? These are some of the privacy issues analyzed. The final rubric used depends on the nature of the data and the jurisdiction involved.
Software security flaws
Many organizations no longer produce native code applications, so many types of flaws have fallen off the radar. With the growth of mobile platforms, many of which run native code, these flaws need to be back on the radar. We can help you locate and fix security flaws that attackers can use to compromise the phone and your data. Flaws include:
Buffer overflows, use-after-free vulnerabilities, race conditions, and other similar flaws.
Note: Detection of these flaws is much more thorough and accurate when source code is provided. This component is not included unless requested, as the extra effort required depends on the size and complexity of the application.
Conclusion
As even this brief overview shows, there are many potential problems with mobile applications. This is to be expected, as security and convenience are always somewhat of a trade-off. Maven Security Consulting Inc. would like to be your trusted advisor, helping you ensure that your applications remain convenient for your users without putting your users, data, and infrastructure at undue risk.