TORONTO -- Two security researchers at the SecTor 2010 conference demonstrated a variety of mobile application security vulnerabilities, which they say are similar to errors made by developers coding early Web applications.
It's a lot of the same overarching kind of attack classes and vulnerabilities, just in a smaller form factor.
senior consultantIntrepidus Group
Mobile applications made for a variety of mobile platforms -- including Apple's iOS, Research In Motion Ltd.'s BlackBerry OS and Google's Android operating system -- contain coding errors that could lead to data leakage or privilege-escalation vulnerabilities, according to application security experts Mike Zusman and Zach Lanier of New York-based security consultancy Intrepidus Group. The work presented was based on penetration tests conducted on a variety of mobile applications, using tools to decompile code, find bugs and gain access to confidential data or cause the application to function abnormally.
Developers are eager to jump on the popularity of mobile applications on smartphones. Online marketplaces for applications have made it easy for coders to create an application and make it available to millions of potential users. However, coding experts say the smartphone marketplaces have fostered a new wave of developers, often less skilled, building applications as quickly as possible to gain as much visibility and profit as they can.
The rush to write code for the mobile space is similar to developers flocking to Web application programming in the 1990s, according to Lanier. With fewer skilled programmers, the need for speed leads to common mistakes, he said, including poor file-system permissions and application permissions that are too lax, enabling the application to do too much on the device.
"We're seeing the usual issues where people are pushing product to market real fast," Lanier said. "It's a lot of the same overarching kind of attack classes and vulnerabilities, just in a smaller form factor."
Lanier said that simply by turning on a smartphone, a user is granted a lot of access to services that he or she may not know about. Some mobile application developers seem to be trying to take the right steps, such as the adoption of open standards, but many are doing so inconsistently, Lanier said. For example, he said there isn't a lot of agreement on which of the open standards to use.
In addition, applications that sync data between a device and the cloud have authentication and authorization bugs, leaving them open to attack by a savvy hacker. The issues are often found on the server side when the mobile application talks to the server to retrieve data. Researchers have also been studying ways to access mobile application data cached on the device to tap into apps that may be leaking information, Lanier said.
"There's this really tight coupling between Web applications and mobile applications and they are on diverging paths," Lanier said. "An issue in one can cause an issue in another."
The two researchers presented a description of a variety of mobile applications they decompiled and tested. Lanier highlighted location-based social networking service Foursquare, which provides users of Google Android phones an application called Foursquared. The application was designed to support basic authentication and the more secure open authentication protocol OAuth. Despite having code to support OAuth, the developer chose to use basic authentication. "The code was there," Lanier said, "but it was never flipped on by the developer."
Zusman highlighted work he did on a third-party picture uploader application designed for BlackBerry phones that had a bug that could be exploited when the user attempted to upload an encrypted photo. When the encrypted image reached a certain bytes threshold, it crashed, enabling a hacker to gain access to the phone. The application was riddled with a variety of other generic Web application security flaws, he said.
New mobile OWASP arm planned
Zusman is working with other volunteers within the Open Web Application Security Consortium (OWASP) to create a mobile applications version of OWASP. The first step will be to create a top 10 list of issues affecting mobile applications, he said. Then the group plans to collect coding best practices for specific mobile platforms, a daunting task because each platform provides its own standard classes and standard frameworks.
"At this point, there's a lack of guidance, standards and best practices and we're looking to change all that," Zusman said. "We're neglecting all the lessons we've already learned and falling into the pitfalls again."