7 Serious Mobile Application Security Risks
Mobile App Makers Repeat Costly Mistakes
Independent software makers, consultants and other solution providers that help clients create mobile applications are repeating many of the same mistakes that led to weak and poorly protected Web applications, according to software security experts. Poor coding practices result in costly weaknesses that can give attackers a pathway to sensitive data, including corporate information, said Rick Doten, chief information security officer at Bethesda, Md.-based Digital Management. Doten, who is exploring how to apply the SANS Institute's 20 Critical Security Controls to mobile security for the Council on Cybersecurity, said today's mobile application weaknesses parallel the security flaws of years past. The Ponemon Institute, which surveyed 618 IT and IT security practitioners about their mobile security practices, identified a number of serious mobile application security risks. Here are the most dangerous errors.
Insufficient Cryptography
Poorly implemented encryption can give application owners and their users a false sense of security, say experts. An attacker can bypass the encryption altogether or find a key that is improperly stored in the app, enabling full access to the encrypted data. Custom encryption implementations are often weaker than strong crypto libraries, enabling an attacker to use automated tools to crack the encryption algorithm. The costly error can let an attacker elevate privileges, or lead to fraud by letting users circumvent licensing or payment schemes, according to software security experts at the Open Web Application Security Project.
Insufficient Data Storage
In addition to weak and poorly implemented encryption, Ponemon survey respondents said mobile apps often lack proper storage-handling processes and controls. In a recent interview with CRN at the MIRCon incident response conference for response teams and forensics investigators, Digital Management's Doten explained that many mobile applications are Web-based and face the same threats to user credentials. Data needs to be properly protected when stored, and controls should be in place when the data is synced to cloud-based services.
Improper Access To Sensitive Data
Mobile app coding errors that enable access to sensitive data often enable attackers to bypass permissions or gain user account credentials or access to a stored session, according to the Open Web Application Security Project, which maintains a list of some of the most frequent mobile application security vulnerabilities. The costly errors can be exploited by attackers to steal data, alter information or escalate privileges to gain access to more sensitive resources. The Ponemon study cited improper access as one of the most serious risks.
Poorly Implemented Authorization And Authentication
Attackers can take advantage of poorly implemented authorization to elevate privileges and access resources that typically are off-limits to users. Poorly implemented authentication can open a password-protected mobile app to brute-force attacks or can simply enable an attacker to steal credential tokens to hijack a user's session.
Poorly Protected Application Access Servers
Security experts have been warning that a future vector for mobile attacks could be the back-end resources that support mobile applications instead of the mobile application or mobile device itself. By gaining a foothold into the back-end services, a criminal can access a variety of data and could move laterally to more sensitive systems and data. If a mobile app is sending or receiving sensitive personal information, it should use SSL to protect communication between the app and the back-end systems, said Digital Management's Doten. Mobile apps also can be coded to require the mobile device to enable a VPN connection to tap into back-end systems.
Poorly Protected Identity Credentials
According to security researchers at Trustwave, criminals primarily are after user credentials. They are after device credentials and account credentials for email, banking, social networks and other sensitive accounts. A review of poorly coded applications found hard-coded credentials, a sign of terrible coding practices, Trustwave said. Rather than storing passwords, the app can store a temporary "session key" or randomly generated value once a user is authenticated by the back-end server.
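The session-key pattern described above, and the credential-theft and session-hijack risks from the authentication section, as an added back-end example (not code from the article or from any vendor it quotes): the server verifies the password once, hands the app a random session key, and afterwards stores only a hash of that key with an expiry. The in-memory USERS and SESSIONS stores, the PBKDF2 parameters and the 15-minute lifetime are assumptions for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumption).
# Only password hashes and session-key hashes are kept: neither the plaintext
# password nor the raw session key ever lands in server storage.
USERS = {}       # username -> (salt, pbkdf2_hash)
SESSIONS = {}    # sha256(session_key) -> (username, expiry_epoch_seconds)
SESSION_TTL = 15 * 60   # assumed 15-minute session lifetime
PBKDF2_ROUNDS = 200_000

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

def _password_ok(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def _key_id(session_key):
    return hashlib.sha256(session_key.encode()).hexdigest()

def login(username, password, now=None):
    """Authenticate once; on success return a random session key for the app
    to keep instead of the password. Returns None on failure."""
    if not _password_ok(username, password):
        return None
    session_key = secrets.token_urlsafe(32)        # 256 bits from the CSPRNG
    expires = (time.time() if now is None else now) + SESSION_TTL
    SESSIONS[_key_id(session_key)] = (username, expires)
    return session_key                             # the app stores only this

def resolve_session(session_key, now=None):
    """Map a presented session key to its user, or None if unknown or expired."""
    entry = SESSIONS.get(_key_id(session_key))
    if entry is None:
        return None
    username, expires = entry
    if (time.time() if now is None else now) >= expires:
        SESSIONS.pop(_key_id(session_key), None)   # expired keys are discarded
        return None
    return username

def logout(session_key):
    SESSIONS.pop(_key_id(session_key), None)
```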
Improperly Protected Data In Transit
Poorly protected data in transit enables attackers to conduct a man-in-the-middle attack. Essentially, the attacker can sit in between a user and the underlying servers that the app taps into to snoop on communications. Proper protection of data in transit may require a VPN session or an SSL protected session. Digital Management's Doten recommends companies conduct error checking of mobile apps to assess user input and test custom in-house applications to identify and address serious errors. If outsourcing the development of a mobile application, it is always a good practice to state security requirements in contractual agreements, he said.
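The man-in-the-middle exposure described above comes down to how the client configures its SSL/TLS session. As an added example that is not from the article, here is the weak "trust anything" client configuration beside the hardened one, using Python's standard ssl module, plus a check that flags the settings which make interception possible; the TLS 1.2 floor is an assumption chosen for the illustration.

```python
import ssl

def weak_client_context():
    """The configuration that leaves the app open to a man-in-the-middle:
    the server certificate is never verified and the hostname is not checked,
    so any certificate presented by an interposed party is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context():
    """Verify the server certificate against the trust store, check that the
    hostname matches it, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumed floor
    return ctx

def audit_context(ctx):
    """Return the findings that would let an attacker sit between the app and
    its back end; an empty list means the context passes this check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings
```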