What are the security risks to look out for as we move to mobile apps from Web applications?
Mobile apps are interesting because, in many businesses, they're seen as a cutesy marketing tool that needs to be thrown together on a whim. After all, in the minds of many, if you don't have an "app in the app store" then your business is not legitimate. This whimsical reputation sometimes keeps companies from putting a serious focus on mobile app security.
Web application security is a relatively new frontier, but mobile app security is entirely new. That said, when it comes to mobile apps running on common platforms such as iOS and Android, many of the same security problems we've seen in Web applications exist in mobile apps, such as:
- Lack of input validation
- Poor session management
- Feeble or non-existent encryption protecting data in transit and data at rest
- Authentication and password weaknesses
In that regard mobile app security is very similar to Web application security.
However, mobile apps are a different beast when it comes to testing. You can't use traditional Web vulnerability scanners – at least in the familiar point-and-click kind of way. There's more manual testing involved using the mobile devices themselves along with some potentially unfamiliar forensics and network analysis tools. Another proven method for testing mobile apps is to perform a source code analysis using tools by vendors such as Checkmarx or Veracode.
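A small illustration of the source code analysis idea, added here and not part of the original answer or of any vendor's tool: a handful of regex heuristics that flag likely instances of the four flaw classes listed above. The file names, Java-style snippets and patterns are all constructed for the example, and anything it flags still needs a human reviewer to confirm.

```python
import re
from typing import Dict, List

# Constructed sample: fragments of a hypothetical Android app's source, as a
# tester might pull from a decompiled APK before a manual code review.
SAMPLE_SOURCES = {
    "LoginActivity.java": """
        String url = "http://api.example.test/login";   // cleartext transport
        String password = "hunter2";                     // hard-coded credential
        MessageDigest md = MessageDigest.getInstance("MD5");
    """,
    "Session.java": """
        prefs.edit().putString("session_token", token).apply();
    """,
    "Crypto.java": """
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    """,
}

# Each rule maps one flaw class to a regex that flags a likely instance:
# cleartext URLs, literal passwords, weak or ECB-mode primitives, and
# session tokens written to unprotected preferences.
RULES = [
    ("data in transit", r'"http://[^"]+"'),
    ("authentication/password weakness", r'(?i)\b(pass(word)?|pwd|secret)\s*=\s*"[^"]+"'),
    ("weak encryption", r'(?i)"(MD5|SHA-?1|DES|AES/ECB[^"]*)"'),
    ("session management", r'(?i)putString\(\s*"[^"]*(token|session)[^"]*"'),
]

def scan_sources(sources: Dict[str, str]) -> List[dict]:
    """Return one finding per (file, line, rule) match."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for category, pattern in RULES:
                if re.search(pattern, line):
                    findings.append({"file": path, "line": lineno,
                                     "category": category, "text": line.strip()})
    return findings

def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per flaw class."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['file']}:{f['line']} [{f['category']}] {f['text']}")
```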
One final thought is about the mobile-enabled versions of your websites/applications. The flaws are basically the same, but in terms of what needs to be tested, you don't want to overlook your mobile-enabled sites/applications.
Test them from both traditional PCs and mobile devices. You might be surprised at the varying results you get back.
All in all, mobile app security is a great new space to be working in. I'm truly enjoying it. Just stay true to the basics we've known all along: finding and fixing the basic flaws can provide a ton of value. The OWASP Mobile Security Project seems to be a good resource that's shaping up in this area.
This was first published in September 2013