As we move into more social collaboration and location-aware features with our mobile apps, are there new security concerns with social apps to worry about? Are there old security traps waiting to bite into us in new ways?
The security of your application and the security and privacy of your application users should be the primary concerns when focusing on the mobile portion of location-aware and social apps.
Social networking apps connect your application users to others, and if your applications allow users to connect to third-party social networks, it is important to remember that these are just another externally connected entity in your threat model. If you are performing threat modeling, you have hopefully already identified potentially serious issues. If not, then threat modeling techniques are a great starting point.
First, be wary of data coming in from social services. Trusting a monolithic service provided by a somewhat-trusted third party is a bad enough idea. With social and collaborative apps, however, the data that the third-party service passes into your application is itself supplied by an additional set of even less trusted third parties: the other users of the service.
Even if the social app has no malicious intentions toward your system, developers cannot account for the intentions of application users. In cases like this, input validation is essential because you never know what you are going to receive. Inputs should be validated for size, data type and compliance with any other application-specific rules.
In addition, application developers must be careful about which decisions are made based on the data. They should answer the question, "What is the business impact of the decision that is being made?"
One useful example is how mobile browsers handle loading content from URLs with the format "tel:XXX-XXX-XXXX." The intended behavior is to allow mobile phone users to make calls by clicking on links in Web pages; however, browsers might be fed data in this format by malicious users. Mobile browsers should ask the user if it is OK to dial that phone number so that malicious systems cannot trick a user into automatically making phone calls.
In addition to carefully handling data coming into applications, developers should also be wary of data being sent out to social apps to avoid having sensitive data disclosed or used in an improper manner. Encrypting traffic using HTTPS can help prevent leakage to third parties who might be monitoring network traffic. Developers should also be careful about what they share. Application developers should ask, "Have we been clear with users about how their data is being used?"
For example, if you are using third-party ad networks, are application users aware of what data is being collected and disclosed about their online behavior? Organizations can land themselves in regulatory trouble by failing to pay attention to these concerns.
Mishandling user privacy issues can have a negative impact on an organization's brand as the general population becomes more sensitive to privacy issues. Pay attention to metadata like GPS coordinates in images and other content uploaded to social platforms. Above all, your application should provide users with a secure, private and pleasant experience.
This was first published in June 2014