Tuesday, April 2, 2013

Vulnerability Testing: A Security Health Check-Up for Mobile Apps | Innovation Insights | Wired.com


It’s no secret that mobile apps are well on their way to capturing the lion’s share of consumers’ attention. Nielsen’s US digital consumer report highlighted that 64 percent of mobile phone time was spent in mobile apps. Organizations of all sizes are compelled by either consumer demand or competitive pressures to aggressively build their own consumer-facing mobile apps.

But this is just the tip of the iceberg. Organizations are quickly recognizing that they can extract operational efficiencies if employees and partners are empowered to access contextually relevant information via mobile devices. Gartner predicts that mobile app projects will outnumber development projects for PCs by a 4-to-1 margin by 2015.

The next question is how this rapidly growing demand for mobile apps will be met. Many organizations will undoubtedly turn to outsourcing providers to build their mobile apps. A single organization may employ multiple outsourcing agencies depending on the types of mobile apps it requires. Additionally, there will invariably be several organizations or departments that will look to build out mobile app development practices in-house.

The costs of acquiring skilled developers and designers are bound to rise and can only be mitigated by supplementing the pool with less experienced or less trained developers and designers. Both outsourcers and organizations building out their in-house mobile development teams will face this challenge.

An organization cannot overlook the risk associated with its various mobile app development initiatives. Vulnerabilities in a mobile app, if exploited by a malicious entity, can negatively impact the trust that consumers, employees and partners place in the organization.

Every organization will need to institute an operational and structural security quality baseline – a health check for mobile apps. Incorporating this health check into the development culture will ensure there are controls to quantify and mitigate the risk of mobile apps being released to production.

Vulnerability testing of mobile apps offers a tangible way to establish a security quality control. Vulnerability testing solutions built on years of security research into Web technologies and, more recently, native mobile APIs (Android and iOS) can reveal many of the security shortcomings of mobile apps.

We can use the Open Web Application Security Project (OWASP) Top Ten Mobile Security Risks as a guide to highlight how vulnerability analysis can serve as a powerful tool to shrink the risk exposure of mobile apps.

OWASP’s Top Ten Mobile Security Risks:

  1. Insecure Data Storage: A full-trace vulnerability analysis solution will be able to trace all the routes of data out of an app and flag code elements that can lead to compromised data (e.g. saving unencrypted data, use of cloud storage)
  2. Weak Server Side Controls: A comprehensive vulnerability analysis solution not only scans the client-side mobile app but also the back-end API calls
  3. Insufficient Transport Layer Protection: Vulnerability analysis can easily reveal whether appropriate Secure Sockets Layer (SSL) or Transport Layer Security (TLS) capabilities are being employed for data in transit
  4. Client-Side Injection: A full-trace vulnerability analysis solution will be able to trace all the routes of data into an application and verify whether input validation is being performed to counter core injection attacks (e.g. SQL injection)
  5. Poor Authentication and Authorization: Full-trace vulnerability analysis can highlight areas where the user is challenged and trace where IDs and passwords enter and exit the application
  6. Improper Session Handling: Vulnerability analysis can trace the use of the universally unique identifier (UUID) and verify that it is not being used for session management
  7. Security Decisions via Untrusted Inputs: Following data flows within the app from source to sink through vulnerability analysis provides awareness of specific data handlers and flags areas where inputs need to be validated
  8. Side Channel Data Leakage: Once again, a full-trace vulnerability analysis tool with a deep understanding of the underlying APIs will allow the developer to uncover data leaking to various data sinks such as the clipboard, log files, etc.
  9. Broken Cryptography: Improper cryptographic usage can be highlighted by vulnerability analysis
  10. Sensitive Information Disclosure: Similar to side channel data leakage, full-trace vulnerability analysis can detect which specific data elements are leaving the app (e.g. to the network, via notifications, to peripherals, etc.)
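The source-to-sink tracing that items 1, 6, 7, 8 and 10 rely on can be shown in miniature. The following is an added example, not code from the article or from any vendor's analyzer: a toy taint analysis over a constructed, simplified representation of an app, where `read_password` and `device_uuid` are hypothetical source calls, `encrypt` is a hypothetical sanitizer, and `log`, `clipboard`, `write_file` and `set_session` stand in for the OWASP sinks named above.

```python
# Added example: minimal source-to-sink taint analysis of the kind the article
# describes. The "program" is a constructed three-address form, not real
# Android/iOS code; function names are assumptions for illustration.
SOURCES = {"read_password": "password", "device_uuid": "uuid"}
SANITIZERS = {"encrypt": {"password"}}      # labels a sanitizer removes
SINKS = {                                   # sink -> (OWASP risk, labels that must not reach it)
    "write_file":  ("M1 Insecure Data Storage",    {"password"}),
    "log":         ("M8 Side Channel Data Leakage", {"password", "uuid"}),
    "clipboard":   ("M8 Side Channel Data Leakage", {"password"}),
    "set_session": ("M6 Improper Session Handling", {"uuid"}),
}

def analyze(program):
    """program: list of (dest, func, args) tuples, executed in order.
    Returns findings as (sink, risk, sorted tainted labels)."""
    taint = {}        # variable name -> set of taint labels
    findings = []
    for dest, func, args in program:
        labels = set()
        for a in args:                       # taint flows through every call
            labels |= taint.get(a, set())
        if func in SOURCES:
            labels.add(SOURCES[func])
        elif func in SANITIZERS:
            labels -= SANITIZERS[func]       # e.g. ciphertext is safe to store
        if func in SINKS:
            risk, forbidden = SINKS[func]
            hit = labels & forbidden
            if hit:
                findings.append((func, risk, sorted(hit)))
        if dest is not None:
            taint[dest] = labels
    return findings

# Constructed sample app: each line is (result variable, call, arguments).
APP = [
    ("pw",  "read_password", []),
    ("uid", "device_uuid",   []),
    (None,  "log",           ["pw"]),         # password written to a log file
    ("enc", "encrypt",       ["pw"]),
    (None,  "write_file",    ["enc"]),        # encrypted at rest: not flagged
    (None,  "write_file",    ["pw"]),         # plaintext at rest: M1
    (None,  "set_session",   ["uid"]),        # device UUID as session token: M6
    ("tok", "concat",        ["uid", "pw"]),  # taint propagates through concat
    (None,  "clipboard",     ["tok"]),        # password reaches clipboard: M8
]

if __name__ == "__main__":
    for sink, risk, labels in analyze(APP):
        print(f"{risk}: {labels} reaches {sink}")
```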

Mobile app development projects place a premium on time to market, and this often puts even greater pressure on security quality testing. Employing a vulnerability analysis solution that can automate the security quality testing would be ideal. However, another common issue is that if the vulnerability assessments include too many false positives, developers and security analysts alike may overlook the true risks due to time pressures.

It is imperative that the quality and rigor of the vulnerability analysis tool be considered. Full-trace analysis and deep underlying API research will not only yield more effective vulnerability assessments but will also help train developers in security best practices, so that over time developer productivity is enhanced, leading to even faster time to market with healthy apps.

Vijay Dheap leads Mobile Security Solutions for IBM.
