Addressing Mobile App Security

Expert Offers Five Tips on Minimizing Risks

By , June 21, 2012.
Some organizations are focusing so much attention on the bring-your-own-device trend and on implementing a mobile device management system that they're "not really giving developers the resources they need to build secure code for mobile applications," says security expert Jeff Williams.

As organizations rush to get mobile applications out into the marketplace, coding mistakes are being made, leaving vulnerabilities that might be exploited by hackers, says Williams, CEO at Aspect Security, a consulting firm focused on application security.

"Unfortunately, we're seeing many of the same kinds of mistakes that we saw in web application code from a decade back," he says in an interview with Information Security Media Group's Howard Anderson (transcript below).

In the interview, Williams offers five tips for addressing mobile application security, including:

  • Set rules for those using applications on personal mobile devices to complete business transactions. For example, control what applications they can use and make sure the organization has the right to remotely wipe the device if it's lost or stolen.
  • Minimize the amount of sensitive data stored using mobile apps. If data must be stored on a mobile device, protect it in an encrypted container or "sandbox" with a strong access code.
  • Lock down all interfaces to the server housing an organization's mobile applications.
  • Make sure developers get advanced training on how to write secure mobile applications.
  • Have all mobile applications reviewed for security, including conducting penetration tests, before they go live.

Williams is CEO and co-founder of Aspect Security, a consulting firm focused on application security that serves clients in the government, defense, financial, healthcare, services and retail sectors. Williams and his team are founding members of the Open Web Application Security Project, or OWASP.

Application Security Issues

HOWARD ANDERSON: When it comes to mobile technologies, including smartphones, tablets and other devices, what are the major application security issues today?

JEFF WILLIAMS: I'm going to focus just on the application security piece of it, not bring-your-own-device - better known as BYOD - or mobile device management. I'm really focused on the applications themselves and the data they protect. Most mobile apps have a server side and then several different clients, and the clients could be HTML5, iPhone, Android, BlackBerry or whatever. Let me try to paint a picture for you. Imagine a sort of bubble that extends from your company's data center over a whole bunch of networks - maybe some Wi-Fi and across long-distance networks and so on - and ends up inside your mobile device. When you're extending your enterprise and your data out through this bubble, now it's your job to protect the bubble.

Here are some of the kinds of ways that there's exposure there. When the attacker steals your phone or gets a malicious app onto your device, you've got to ask yourself if they can get inside that bubble somehow. You want to make sure that your data's protected when it's on a device; you want to make sure your data is protected when it's in transmission between your data center and the device; and then you've got to make sure that your application itself is hardened. It's got to be rugged code. You've got to ask yourself, "Is that application susceptible to attack?" Or did you maybe leave the keys lying around somewhere so that an attacker can find them and then break into your application?

Risks to Organizations

ANDERSON: In general, do you think organizations that are ramping up their use of mobile technologies are paying adequate attention to application security issues? And what risks do they face if they don't address application security adequately?
