SAN FRANCISCO -- Developers of mobile applications need to be more careful in designing them securely to protect the back-end systems supporting them or they could face a backlash from users, according to a noted software security expert.
Jacob West, director of software security research for the Enterprise Security Products division at Hewlett-Packard, warned a large group of security professionals at RSA Conference 2012 that many mobile applications are built with shoddy coding practices and unnecessary permissions that open weaknesses to attackers.
“Who is going to be held accountable for security mistakes in the application layer on mobile devices?” West asked. “The wrath is going to be unleashed in some direction and some of the blame might land with mobile app developers.”
It’s unclear what entity would be blamed if a major security breach takes place because the mobile ecosystem is fragmented between mobile application developers, firmware makers and cell carriers, West said.
Secure mobile application development is becoming increasingly important because newer applications are being built to persist operational data on the device. Familiar web vulnerabilities such as cross-site scripting (XSS) or SQL injection could put that locally stored data at risk, he said. “Data persistence on the local device is a big shift in mobile development and an area the industry is focusing on,” he said.
West also took issue with the handling of intents, the Android messaging mechanism applications use to talk to device components and to one another. He said some applications may be vulnerable to intent hijacking, in which a malicious application registers to receive an implicit intent and so eavesdrops on data another application meant to keep internal. For example, an application’s search API needs to send data to its results UI module, and it does so with an intent; if that intent is implicit, any installed application declaring a matching intent filter can receive it. The solution is for developers to use “explicit” intents that name the receiving component, a practice West said is not widely known among developers.
West urged developers to use parameterized interfaces to avoid SQL injection errors and warned against requesting unneeded permissions. An over-privileged application invites privilege escalation, in which a less-privileged application reaches a capability it was never granted by going through the over-privileged one’s exposed components, and long permission lists desensitize users, who stop reading them.
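The intent-hijacking case and the parameterized-query advice above, as an added Android example that is not code from the original article or from any product it names. The first class shows the search-to-results hand-off done with an implicit intent beside the explicit form; the second shows a local SQLite lookup built by concatenation beside the bound-parameter form. Package, component, action, table and column names are assumptions.

```java
package com.example.search;  // hypothetical package (assumption)

import android.app.Activity;
import android.content.ContentValues;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.os.Bundle;

/** Hypothetical search screen that hands query and results to ResultsActivity. */
public class SearchActivity extends Activity {

    // Hypothetical custom action string (assumption).
    static final String ACTION_SHOW_RESULTS = "com.example.search.SHOW_RESULTS";
    static final String EXTRA_QUERY = "query";
    static final String EXTRA_RESULTS = "results";

    /**
     * VULNERABLE: an implicit intent carries only an action. Android resolves it
     * against every installed app's intent filters, so a malicious app declaring
     * <action android:name="com.example.search.SHOW_RESULTS"/> can receive the
     * query and results instead of, or as well as, our own UI.
     */
    void showResultsImplicit(String query, String[] results) {
        Intent i = new Intent(ACTION_SHOW_RESULTS);
        i.putExtra(EXTRA_QUERY, query);
        i.putExtra(EXTRA_RESULTS, results);
        startActivity(i);  // delivered to whichever app matches the filter
    }

    /**
     * HARDENED: an explicit intent names the target component, so the system
     * delivers it only to ResultsActivity in this package; other apps' intent
     * filters are never consulted.
     */
    void showResultsExplicit(String query, String[] results) {
        Intent i = new Intent(this, ResultsActivity.class);
        i.putExtra(EXTRA_QUERY, query);
        i.putExtra(EXTRA_RESULTS, results);
        startActivity(i);
    }

    /**
     * If an action string must be kept, restricting resolution to our own
     * package (Intent.setPackage, API level 4 and later) closes the same hole.
     */
    void showResultsWithinPackage(String query, String[] results) {
        Intent i = new Intent(ACTION_SHOW_RESULTS);
        i.setPackage(getPackageName());
        i.putExtra(EXTRA_QUERY, query);
        i.putExtra(EXTRA_RESULTS, results);
        startActivity(i);
    }
}

/** Receiving side; declare it android:exported="false" in the manifest too. */
class ResultsActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent i = getIntent();
        String query = i.getStringExtra(SearchActivity.EXTRA_QUERY);
        String[] results = i.getStringArrayExtra(SearchActivity.EXTRA_RESULTS);
        // ... render query and results ...
    }
}

/** Hypothetical on-device store backing the search; table "notes" is assumed. */
class NoteStore {
    private final SQLiteDatabase db;

    NoteStore(SQLiteDatabase db) { this.db = db; }

    /**
     * VULNERABLE: concatenation. A title such as  x' OR '1'='1  matches every
     * row, and  x' UNION SELECT token,'','' FROM credentials --  pulls rows
     * from any other table in the same local database.
     */
    Cursor findByTitleUnsafe(String title) {
        String sql = "SELECT id, title, body FROM notes WHERE title = '" + title + "'";
        return db.rawQuery(sql, null);
    }

    /** HARDENED: the value is bound as a parameter and never parsed as SQL. */
    Cursor findByTitleSafe(String title) {
        return db.rawQuery("SELECT id, title, body FROM notes WHERE title = ?",
                new String[] { title });
    }

    /** The query() builder offers the same guarantee for selection arguments. */
    Cursor findByTitleBuilder(String title) {
        return db.query("notes", new String[] { "id", "title", "body" },
                "title = ?", new String[] { title }, null, null, "id ASC");
    }

    /** Writes go through ContentValues, which binds every field. */
    long insert(String title, String body) {
        ContentValues cv = new ContentValues();
        cv.put("title", title);
        cv.put("body", body);
        return db.insert("notes", null, cv);
    }
}
```

Two manifest points complete the intent fix: a component with an intent filter is exported by default, so the results activity should carry `android:exported="false"` unless other apps are meant to start it, and the hijack also runs in the other direction, because a component that is exported will accept explicit intents from any app, so its extras must be treated as untrusted input.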
“We can’t think about the mobile app itself; we have to secure the whole ecosystem,” West said. “We cannot just focus on 2,000 lines of code running on the device, but also the back-end infrastructure.”
Enterprises also need to consider the servers the apps tap into to display data, West said. Those systems should be pen tested, and fuzzing should be conducted at the connection points to weed out weaknesses in the interfaces that feed data to mobile applications. There is currently no good way to pen test a mobile application itself, West said; the best way to ensure one is free from critical vulnerabilities is to examine its source code, since typically there is not a whole lot of it.
Companies are under increasing pressure to support all mobile platforms, West said. The rush to get an application onto mobile platforms has many organizations outsourcing mobile application development to third-party providers without knowing anything about their security processes and capabilities, he said.
Gerald Green, who works for a mobile application gaming publisher, said his team is constantly pushed to quickly create new features. He said some organizations only care about getting an application out quickly and then ramping up new features that the user has to buy at an additional cost.
“There are different strategies, but I know we are constantly told we need to do more,” Green said.
Many of the mobile app security strategies suggested by West are known to developers, but most are still learning the new coding languages and gaining a better understanding of the available documentation from Apple and Google, Green said. Mobile applications are still being treated as extensions of Web applications and are not necessarily getting the same treatment and due diligence that a standard desktop application would receive.