Some organizations are focusing so much attention on the bring-your-own-device trend and on implementing a mobile device management system that they're "not really giving developers the resources they need to build secure code for mobile applications," says security expert Jeff Williams.
As organizations rush to get mobile applications out into the marketplace, coding mistakes are being made, leaving vulnerabilities that might be exploited by hackers, says Williams, CEO at Aspect Security, a consulting firm focused on application security.
"Unfortunately, we're seeing many of the same kinds of mistakes that we saw in web application code from a decade back," he says in an interview with Information Security Media Group's Howard Anderson (transcript below).
In the interview, Williams offers five tips for addressing application security, including:
- Set rules for those using applications on personal mobile devices to complete business transactions. For example, control what applications they can use and make sure the organization has the right to remotely wipe the device if it's lost or stolen.
- Minimize the amount of sensitive data stored using mobile apps. If data must be stored on a mobile device, protect it in an encrypted container or "sandbox" with a strong access code.
- Lock down all interfaces to the server housing an organization's mobile applications.
- Make sure developers get advanced training on how to write secure mobile applications.
- Have all mobile applications reviewed for security, including conducting penetration tests, before they go live.
Williams is CEO and co-founder of Aspect Security, a consulting firm focused on application security that serves clients in the government, defense, financial, healthcare, services and retail sectors. Williams and his team are founding members of the Open Web Application Security Project, or OWASP.
Application Security Issues
HOWARD ANDERSON: When it comes to mobile technologies, including smart phones, tablets and other devices, what are the major application security issues today?
JEFF WILLIAMS: I'm going to focus just on the application security piece of it, not bring-your-own-device - better known as BYOD - or mobile device management. I'm really focused on the applications themselves and the data they protect. Most mobile apps have a server side and then several different clients, and the clients could be HTML5, iPhone, Android, BlackBerry or whatever. Let me try to paint a picture for you. Imagine a sort of bubble that extends from your company's data center over a whole bunch of networks - maybe some Wi-Fi and across long-distance networks and so on - and ends up inside your mobile device. When you're extending your enterprise and your data out through this bubble, now it's your job to protect the bubble.
Here are some of the kinds of ways that there's exposure there. When the attacker steals your phone or gets a malicious app onto your device, you've got to ask yourself if they can get inside that bubble somehow. You want to make sure that your data's protected when it's on a device; you want to make sure your data is protected when it's in transmission between your data center and the device; and then you've got to make sure that your application itself is hardened. It's got to be rugged code. You've got to ask yourself, "Is that application susceptible to attack?" Or did you maybe leave the keys lying around somewhere so that an attacker can find them and then break into your application?
Risks to Organizations
ANDERSON: In general, do you think organizations that are ramping up their use of mobile technologies are paying adequate attention to application security issues? And what risks do they face if they don't address application security adequately?
WILLIAMS: We've got a mobile security practice at Aspect, and we regularly review apps for iOS and for Android and BlackBerry, and we look for different kinds of security holes that might be able to be exploited by an attacker. Unfortunately, we're seeing many of the same kinds of mistakes that we saw in web application code from a decade back. Many organizations are so busy wrestling with BYOD and MDM. And they're trying to be the first to market so they're dealing with whatever business pressures ... to get their app into the app store really quickly and they're not really giving development the resources that they need in order to build secure code for mobile. Some of the impacts that can happen if you don't adequately protect your apps are pretty serious. Like I mentioned before, I think of a mobile app like a gateway into your enterprise, and you have people sort of randomly connecting from places like Starbucks and downloading applications with who knows what code in them and running them on this device. They may jailbreak their devices.
One of the most interesting things about mobile is that you're almost guaranteed that people in the organization are going to lose their devices. And once an attacker has physical possession of the device, it's extremely difficult, if not impossible, to prevent them from breaking into the device and getting the data that's on there. Some of the impacts that we see are organizations that are losing sensitive data like e-mail and sensitive documents that they may have loaded on their app.
Actually one of the worst things that can happen is if the data that gets compromised are the credentials that allow your employee to get onto your internal network. Imagine they can access your network using a VPN or some other kind of gateway to get into your organization. Well, if the attacker steals that credential or the mobile app doesn't protect it properly and the attacker can get to it, then the attacker has pretty much full access to your enterprise. The attacker can get on your network because of a flaw in a mobile device.
Steps to Protect Mobile Apps
ANDERSON: What are some of the most important steps organizations can take to protect mobile applications against attacks?
WILLIAMS: I've got a few simple recommendations. I think the first thing is you do actually have to deal with BYOD and MDM policies. You've got to set some rules, and I think it's reasonable to ask people to take some precautions if they want the privilege of being allowed to access work data on their mobile device. I've seen organizations that are adopting a tiered model where they have public Wi-Fi available to anybody ... and if you want to bring in your mobile device and access Wi-Fi while you're at work, great. There's really very little risk in doing that, although there may be some legal exposure that the lawyers might want to look at, but really from a technical security point of view, it's pretty innocuous. I've seen other organizations establish a next level up where if you want access to [certain] data, then you have to agree to certain terms. Then, if you want to do transactions, like actually have transactional apps on your mobile device, then you've got to really sign up for a full agreement and give the organization a lot of rights, like being able to remotely wipe the phone, control over what apps you can run and prevention against jailbreaking.
Now for your applications, the first thing is that they should really minimize the sensitive data that you'll allow to be stored on the phone. That's the data that's going to cause exposures. The best thing you can do is not put it on the phone. Maybe you can keep it in memory or keep it on the cloud but don't allow it to get stored on the phone. If you have to store encrypted data, then I think organizations should provide their developers with an encrypted container - some kind of solution that will make sure that all the data that lands on the phone ends up encrypted, so even if the phone gets lost, stolen or compromised, that data is still protected.
Now you're going to need to make sure you have a strong access code on that container that the user has to enter every time in order to access it. I believe mobile operating systems are going to add this kind of container support soon, but they're not available in older platforms.
On the server side, you still have to be careful even if the server application is only servicing mobile apps. You have to make sure that the server code is locked down, the same way that you would lock down a public web service or even a public-facing web application. Unfortunately, we see development teams forget to lock down those interfaces because they can't get to them using a browser. They think that, "Oh, well you need to have the app in order to access that interface," and hackers don't need the app. They can access it without the application. They can use their tools to access those services directly, and then if they're not fully protected, they can use them to do things like SQL injection and command injection, and other kinds of access control attacks to break in and steal your data. You've got to make sure you lock down the server side.
I think your developers really need training in order to be able to write secure mobile apps - and that's on both the client side and the server side. You need a really great hands-on course from an instructor who has got some experience with mobile. And I would steer away from those courses on how to hack mobile apps or 'black hat' kinds of courses. What you really want is a course in writing secure code for mobile applications.
Then the last thing is it's always a good idea to get a deeper view of those apps that you're putting in the app store or making available to your employees somehow. You should get them reviewed. Get somebody who can do a code review and do some real penetration testing. And one thing you've got to be sure is make sure that they actually check the file system of the mobile device. We see all kinds of stuff getting placed in the file system that leads to real vulnerabilities.
Application Security Advice
ANDERSON: Finally, what other application security advice would you offer to organizations that are making a big shift from desktop to mobile devices?
WILLIAMS: I think if you're a security person, there's a tendency to look at new technologies as always very insecure and damaging. But you can't forget about the productivity gains that these devices are unlocking. People want these things because they're helping them to get more work done faster, so don't forget about the upside. I like to be in the business of figuring out ways it can work securely rather than being in the business of saying no.
Also, don't forget that none of this is really a new problem. You may be already accepting a lot of these risks if you allow people to work from home with their own computer; you probably already have all of these problems because there's a good chance that their machine has already been compromised. Even if you have a VPN connection, their browser or their operating system - the other end of that bubble that I described at the beginning - could be compromised. ...
For mobile and desktop and many kinds of remote computing, the long-term solution is to have ... some kind of sandbox that your mobile apps can run in and your data can live in that will be protected even if the device gets compromised. I suggest you start your development teams out with a clear picture of the technology challenge here and the security risks associated with trying to create that kind of environment. And I always think if you clearly describe the risk that you're trying to overcome and the technical challenges, the development teams are really great at coming up with good solutions to solving their security problems.