While some mobile security experts might argue that server-side security falls outside of the realm of mobile application security threats, OWASP rates weak server-side controls as the second most important mobile security threat. In some ways, server-side security threats are more familiar than many other mobile security threats. As Jack Mannino explained, most mobile enterprise applications that are really useful rely on some sort of back-end services.
The fact that they rely on a connection with the server makes enterprise mobile applications similar in nature to traditional client/server applications. However, mobile developers don't always take traditional server-side security considerations into account. In addition, while the threats remain fairly similar, the abilities of attackers who manage to get control of a mobile device are much different and may be much worse, according to Mannino.
Tony DeLaGrange explained that all too often mobile application developers put too much trust in the client when it comes to server requests. "The basic rule of thumb is never trust the client," DeLaGrange said.
Although client-side controls can be implemented to reduce risks, the best defense comes from providing server-side controls to mobile services. When it comes to testing security in mobile applications, DeLaGrange said the QA team "should include an assessment of the mobile service in their testing, and [mobile apps] should be assessed in the same manner as a Web application."
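To make the "never trust the client" rule concrete, here is an added example (not code from the article or any of the vendors quoted) of a back-end handler for a mobile client: the first version trusts identity and authorization fields sent in the request body, the second derives identity from a server-issued session and checks ownership and funds against server state. The session tokens, accounts and balances are constructed sample data.

```python
# Added example, not from the article. Session tokens, accounts and balances
# below are constructed; a real service would hold them in its own store.
from dataclasses import dataclass

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}      # issued at login
ACCOUNT_OWNER = {"acct-100": "alice", "acct-200": "bob"}   # server-side truth


def fresh_balances() -> dict:
    return {"acct-100": 500, "acct-200": 50}


@dataclass
class Request:
    headers: dict  # e.g. {"Authorization": "tok-bob"}
    body: dict     # JSON body as sent by the mobile app


def transfer_trusting_client(req: Request, balances: dict) -> dict:
    """Weak server-side control: who the user is and whether the transfer is
    authorized both come from the client-controlled body, which anyone holding
    the device (or a proxy between app and server) can rewrite."""
    if req.body.get("authorized") is not True:
        return {"ok": False, "error": "not authorized"}
    src, amount = req.body["from"], req.body["amount"]
    balances[src] -= amount
    return {"ok": True, "debited": src, "by": req.body["user"]}


def transfer_server_checked(req: Request, balances: dict) -> dict:
    """Server-side control: identity from the session the server issued,
    ownership and funds checked against server state, amount validated."""
    user = SESSIONS.get(req.headers.get("Authorization", ""))
    if user is None:
        return {"ok": False, "error": "unauthenticated"}
    src, amount = req.body.get("from"), req.body.get("amount")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return {"ok": False, "error": "invalid amount"}
    if ACCOUNT_OWNER.get(src) != user:          # client cannot pick the owner
        return {"ok": False, "error": "forbidden"}
    if balances[src] < amount:                  # server decides, not the app
        return {"ok": False, "error": "insufficient funds"}
    balances[src] -= amount
    return {"ok": True, "debited": src, "by": user}
```

Assessing the mobile service "in the same manner as a Web application" means sending the tampered body from the test above directly to the service, bypassing the app, and expecting the second behaviour rather than the first.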
Alternate views on server-side security and mobile apps
Not everyone agrees that server-side security is a concern for mobile application developers. According to Tyler Shields, senior security researcher at Veracode, the Veracode mobile threat model leaves server-side security to the application developers who specialize in writing code for the servers. Veracode's list of vulnerabilities often coincides with OWASP's list, but is split into two sections. Malicious code threats involve building mobile applications using existing components that contain some form of malicious code. The other half are coding vulnerabilities that leave security holes in the mobile application, which might be exploited.