What are the security risks to lookout for as we move to mobile apps from Web applications?
Mobile apps are interesting because, in many businesses, they're seen as a cutesy marketing tool that needs to be thrown together on a whim. After all, in the minds of many, if you don't have an "app in the app store" then your business is not legitimate. This whimsical reputation sometimes keeps companies from putting a serious focus on mobile app security.
Web application security is a relatively new frontier but mobile app security is entirely new.
Web application security is a relatively new frontier but mobile app security is entirely new. That said when it comes to mobile apps running on common platforms such as iOS and Android, many of the same security problems exist in mobile apps that we've seen in Web applications such as:
- Lack of input validation
- Poor session management
- Feeble or non-existent encryption protecting data in transit and data at rest
- Authentication and password weaknesses
In that regard mobile app security is very similar to Web application security.
However, mobile apps are a different beast when it comes to testing. You can't use traditional Web vulnerability scanners – at least in the familiar point-and-click kind of way. There's more manual testing involved using the mobile devices themselves along with some potentially unfamiliar forensics and network analysis tools. Another proven method for testing mobile apps is to perform a source code analysis using tools by vendors such as Checkmarx or Veracode.
One final thought is about the mobile-enabled versions of your websites/applications. The flaws are basically the same, but in terms of what needs to be tested, you don't want to overlook your mobile-enabled sites/applications.
More on mobile security threats
You may also want to check out this illustrated explanation of OWASP's top ten list of security vulnerabilities for the mobile enterprise.
Test them from both traditional PCs as well as mobile devices. You might be surprised at the varying results you get back.
All in all, mobile app security is a great new space to be working in. I'm truly enjoying it. Just stay true to the basics we've known all along: finding and fixing the basic flaws can provide a ton of value. The OWASP Mobile Security Project seems to be a good resource that's shaping up in this area.
Related Q&A from Kevin Beaver
Hackers are infiltrating the enterprise through multifunction printers. Expert Kevin Beaver explains how to mitigate the threat and improve printer ...continue reading
Many organizations deploy security information and event management systems without the proper planning and therefore can't reap the proper rewards. ...continue reading
For those of us new to software security testing, it can be an intimidating field of study. Where do the veterans suggest we begin?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.