Ask the Expert
Do you have an application security question for Michael Cobb? Submit it now via email! (All questions are anonymous.)
In reality, it's a question of control. A user chooses whether to visit a particular webpage, but he or she has no control over who can send them an email. Though spam filters can be configured to block certain types of email content or email from particular addresses, some malicious or spam emails will inevitably get through. Websites that have digital certificates can be verified as genuine, and browser settings and plug-ins such as NoScript can control which scripts on webpages are allowed to run. But with email, it's easy for an attacker to spoof the sender details in the address field, meaning that unwanted and unrequested content can easily appear in an email client. Therefore, by default email has to be sanitized as much as possible, with the user being given the option of displaying additional -- and potentially dangerous -- content if they want to.
While the Mailbox app is not malicious and its behavior doesn't violate any of the App Store rules, its poor design could have easily been used by an attacker, particularly for delivering potent spear-phishing emails. While the data that could be stolen would be limited by the iOS sandbox, an email app has access to a lot of potentially valuable information. On a jailbroken device, the damage would be much worse.
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading
See which encryption method uses digital signatures, symmetric key exchanges, bulk encryption and much more in this Diffie-Hellman vs. RSA showdown. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.