What are the most common pitfalls when it comes to securing mobile applications? What best practices should companies follow in order to avoid them?
We recently released statistics from a subset of our mobile application assessments at RSA Conference 2014. Based on the data we found, the biggest problems we see are handling data at rest, handling data in transit and designing in bad trust decisions.
One of the biggest problems is that applications store sensitive data on mobile devices and that data is then up for compromise if the device should fall into malicious hands. This can happen when a device is lost or stolen, as well as when devices are purchased second-hand and unfortunately have not been wiped of content. The underlying point is that app developers do not know and have no control over what users are going to do with their devices, creating the need for developers to plan ahead to protect their users. Unfortunately, few development teams do this.
Handling data in transit is another area where app developers run into problems. Just as there are issues with sensitive data being stored on devices, we also see sensitive data communicated from the device to back-end services with little or insufficient protection. Mobile devices have a tendency to connect to a lot of untrusted networks where a variety of different classes of attackers may be able to observe traffic.
Finally, far too many mobile applications do a bad job of making trust decisions. This is most frequently found when developers fail to enforce even simple authorization controls for the web services that support mobile applications. Faulty trust decisions can also be found in a myriad of other situations when the interactions between the components of the mobile application have not been thoroughly examined.
Mobile apps need to be developed with the expectation that users are going to jailbreak or root the device and unintentionally install apps that are malicious. Because of this, security-critical decisions should not be made on the device or – if they are – those decisions need to be re-checked on the server side.
As for best practices, data classification is critical. Organizations need to be able to articulate the different types of data to be used by mobile applications. Specific guidelines then need to be provided on how different data types should be handled. Do you really want to let every developer individually decide whether or not it is OK to store a user’s password on the phone? Do you want developers rolling their own “protection” schemes to obfuscate data stored on device? Of course not – these decisions need to be made by organizations and communicated to developers to implement. Risk managers that fail to do this should expect the pandemonium that ensues.
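The point about trust decisions (authorization checks left to the device and never re-checked by the web service) can be made concrete. The following is an added example, not code from the interview or any product it mentions: a back-end handler for a mobile app, first in a form that trusts a device-side "this user owns the account" decision, then in a form that re-derives that decision on the server from session state the client cannot forge. All names, tokens and account records are constructed sample data.

```python
"""Server-side re-check of a trust decision made on a mobile device.

Added illustration: a web service supporting a mobile app must not rely on
authorization claims computed on the device, since the device may be rooted,
jailbroken or running a tampered client. Sessions, accounts and tokens below
are constructed sample data, not real identifiers.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed server-side state: session token -> user id, and account owners.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS: Dict[str, dict] = {
    "acct-100": {"owner": "alice", "balance": 250},
    "acct-200": {"owner": "bob", "balance": 80},
}


@dataclass
class Request:
    """What the mobile client sends. Every field is attacker-controlled."""
    token: str
    account_id: str
    # Device-side decision ("I checked, this user owns the account").
    # Included only to show why the server must not depend on it.
    claims_owner: bool = False


class Forbidden(Exception):
    """Raised when a request is not authorized."""


def get_balance_vulnerable(req: Request) -> int:
    """Trusts the device's own ownership decision.

    A tampered client can simply send claims_owner=True for any account id.
    """
    if req.token not in SESSIONS:
        raise Forbidden("unknown session")
    if not req.claims_owner:
        raise Forbidden("client says not owner")
    return ACCOUNTS[req.account_id]["balance"]


def get_balance_hardened(req: Request) -> int:
    """Re-checks authorization on the server from unforgeable state.

    The session token resolves to a user, and that user must be the owner of
    the requested account; the client's claims_owner field is ignored.
    """
    user = SESSIONS.get(req.token)
    if user is None:
        raise Forbidden("unknown session")
    account = ACCOUNTS.get(req.account_id)
    if account is None or account["owner"] != user:
        # Same error for missing and foreign accounts, so the response does
        # not reveal which account ids exist.
        raise Forbidden("not authorized")
    return account["balance"]


def demo() -> dict:
    """Bob's tampered device claims ownership of Alice's account."""
    forged = Request(token="tok-bob", account_id="acct-100", claims_owner=True)
    results = {"vulnerable": get_balance_vulnerable(forged)}  # leaks Alice's balance
    try:
        get_balance_hardened(forged)
        results["hardened"] = "allowed"
    except Forbidden:
        results["hardened"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened handler is the shape the interview argues for: the device may still make its own decision for user-experience reasons, but the service treats that decision as untrusted input and repeats the check against its own session and ownership data.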