Wednesday, 29 February 2012

Developers must improve mobile app security or face backlash, experts say

SAN FRANCISCO -- Developers of mobile applications must take more care to design them securely and to protect the back-end systems that support them, or they may face a backlash from users, according to a noted software security expert.

Jacob West, director of software security research for the Enterprise Security Products division at Hewlett-Packard, warned a large audience of security professionals at RSA Conference 2012 that many mobile applications are built with shoddy coding practices and request unnecessary permissions, opening weaknesses that attackers can exploit.

“Who is going to be held answerable for security mistakes in the application layer on mobile devices?” West asked. “The wrath is going to be unleashed in some direction and some of the blame might land with mobile app developers.”

It is unclear which party would be blamed if a significant security breach occurred, since the mobile ecosystem is fragmented among mobile application developers, firmware makers and carriers, West said.

Secure mobile application development is becoming more important because newer applications are built to persist operational data on the device. Common vulnerabilities such as cross-site scripting (XSS) or SQL injection could put that data at risk, he said. “Data persistence on the local device is a huge shift in mobile development and a space the industry is targeting,” he said.

West also took aim at problems involving intents, the mechanism by which an application's components communicate with one another and with other applications on the device. He said some applications are vulnerable to intent hijacking, which lets a malicious application intercept data meant for another application. For example, an application's search component hands its results to the results UI component using an intent; if that intent is implicit, naming only an action rather than a specific receiving component, any application that registers for that action can receive the data. The fix is for developers to use “explicit” intents, which name the destination component, a technique that is not widely known among developers, West said.
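The hijackable implicit intent and its explicit replacement, as an added example that is not part of the original article and is not HP's or any vendor's code. It is standard Android Java; the package, class and action names (com.example.searchapp, SearchActivity, ResultsActivity, SHOW_RESULTS) and the extras are assumptions made for illustration.

```java
// Added example, not from the article: an Android search component passing its
// results to the results UI, first with an implicit intent (hijackable) and then
// with an explicit one. All names below are assumed for illustration.
package com.example.searchapp;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

public class SearchActivity extends Activity {

    // Custom action string (assumed). Resolution by action is what makes the
    // implicit form hijackable: any app may declare an <intent-filter> for it.
    static final String ACTION_SHOW_RESULTS = "com.example.searchapp.SHOW_RESULTS";
    static final String EXTRA_QUERY = "query";
    static final String EXTRA_RESULTS = "results";

    // VULNERABLE: an implicit intent is routed by action string. A malicious app
    // that registers an <intent-filter> for ACTION_SHOW_RESULTS (with a higher
    // priority, or chosen by the user from the resolver dialog) receives the
    // query and the results instead of our own ResultsActivity.
    void showResultsImplicit(String query, String resultsJson) {
        Intent intent = new Intent(ACTION_SHOW_RESULTS);
        intent.putExtra(EXTRA_QUERY, query);
        intent.putExtra(EXTRA_RESULTS, resultsJson);
        startActivity(intent);
    }

    // HARDENED: an explicit intent names the receiving component, so the system
    // delivers it only to com.example.searchapp.ResultsActivity, whatever other
    // apps have registered for.
    void showResultsExplicit(String query, String resultsJson) {
        Intent intent = new Intent(this, ResultsActivity.class);
        intent.putExtra(EXTRA_QUERY, query);
        intent.putExtra(EXTRA_RESULTS, resultsJson);
        startActivity(intent);
    }

    // MIDDLE GROUND: when the action must stay implicit (several in-app
    // receivers), pin resolution to our own package so foreign apps never match.
    void showResultsInPackage(String query, String resultsJson) {
        Intent intent = new Intent(ACTION_SHOW_RESULTS);
        intent.setPackage(getPackageName());
        intent.putExtra(EXTRA_QUERY, query);
        intent.putExtra(EXTRA_RESULTS, resultsJson);
        startActivity(intent);
    }
}

// Receiving side. Since it is reached explicitly, it should also be declared
// non-exported in AndroidManifest.xml so other apps cannot inject intents into
// it (the reverse direction of hijacking):
//
//   <activity android:name=".ResultsActivity" android:exported="false" />
//
class ResultsActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // Treat the extras as untrusted input anyway: null-check and validate
        // before rendering, because exported="false" is a manifest setting that
        // a later edit can silently flip.
        String query = intent.getStringExtra(SearchActivity.EXTRA_QUERY);
        String results = intent.getStringExtra(SearchActivity.EXTRA_RESULTS);
        if (query == null || results == null) {
            finish();
            return;
        }
        // ... render query and results ...
    }
}
```

The two halves belong together: an explicit intent stops data leaving the app, and `android:exported="false"` stops data (and crafted extras) coming in from other apps. Auditing for the implicit form is a text search for `new Intent("` and `new Intent(Intent.ACTION_` whose target is one of the app's own components.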

West urged developers to use parameterized interfaces to avoid SQL injection flaws, and warned against requesting permissions an application does not need, which can enable privilege escalation attacks and desensitizes users to permission prompts.
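What "parameterized interfaces" means for data persisted on the device, as an added example that is not part of the original article and is not HP's code: an Android SQLite lookup written first by string concatenation and then with bound parameters. The package name, the `notes` table and its columns (`owner`, `title`, `body`) are assumed for illustration.

```java
// Added example, not from the article: a local SQLite note store on Android.
// Table and column names are assumed for illustration.
package com.example.notesapp;

import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteStatement;

public class NoteStore {
    private final SQLiteDatabase db;

    public NoteStore(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the search term is spliced into the SQL text. A term such as
    //   x%' OR '1'='1
    // collapses the WHERE clause and returns every row, including other users'
    // notes persisted on the device; a term containing UNION SELECT can pull
    // rows out of unrelated tables in the same database file.
    public Cursor searchVulnerable(String owner, String term) {
        String sql = "SELECT title, body FROM notes WHERE owner = '" + owner
                + "' AND title LIKE '%" + term + "%'";
        return db.rawQuery(sql, null);
    }

    // HARDENED: the SQL is a fixed template and the user input travels
    // separately as bound parameters, so the term is matched as data. The LIKE
    // wildcards are added to the bound value, never to the statement text.
    // (A user-supplied '%' or '_' still acts as a LIKE wildcard; that is a
    // matching quirk, not injection, and can be neutralised with an ESCAPE
    // clause if exact matching matters.)
    public Cursor searchSafe(String owner, String term) {
        return db.query(
                "notes",
                new String[] {"title", "body"},
                "owner = ? AND title LIKE ?",
                new String[] {owner, "%" + term + "%"},
                null, null, "title ASC");
    }

    // rawQuery takes bound parameters too, for queries that do not fit the
    // query() builder (joins, subqueries). Same rule: '?' in the text, values
    // in the array.
    public Cursor recentSafe(String owner, int limit) {
        return db.rawQuery(
                "SELECT title, body FROM notes WHERE owner = ? ORDER BY rowid DESC LIMIT ?",
                new String[] {owner, String.valueOf(limit)});
    }

    // Writes follow the same principle: ContentValues binds each column value.
    public long insert(String owner, String title, String body) {
        ContentValues values = new ContentValues();
        values.put("owner", owner);
        values.put("title", title);
        values.put("body", body);
        return db.insertOrThrow("notes", null, values);
    }

    // Compiled statements bind by 1-based index; handy for counts and for
    // statements executed repeatedly.
    public long countFor(String owner) {
        SQLiteStatement stmt = db.compileStatement(
                "SELECT COUNT(*) FROM notes WHERE owner = ?");
        stmt.bindString(1, owner);
        try {
            return stmt.simpleQueryForLong();
        } finally {
            stmt.close();
        }
    }
}
```

On the permissions point in the same paragraph: a store like this, opened through `SQLiteOpenHelper` or `Context.openOrCreateDatabase`, lives in the app's private storage and needs no manifest permission at all; requesting `WRITE_EXTERNAL_STORAGE` or `INTERNET` for it is exactly the kind of unneeded permission West warned about.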

“We can't just take into account the mobile app itself; we need to secure the total ecosystem,” West said. “We cannot just focus on 2,000 lines of code running on the device, but also the back-end infrastructure.”

Enterprises also need to consider the servers that the apps call to fetch the data they display, West said. Those systems should be penetration tested, and the endpoints that feed data to mobile applications should be fuzzed, to weed out weaknesses. There is currently no great way to pen test a mobile application; the way to make sure a mobile application is free of critical vulnerabilities is to review its source code, which is feasible because there is typically not a lot of it, West said.

Companies are under increasing pressure to support every mobile platform, West said. The rush to get an application onto mobile platforms has many organizations outsourcing mobile application development to third-party providers without any knowledge of those providers' security processes and capabilities, he said.

Gerald Green, who works for a mobile gaming publisher, said his team is constantly pushed to create new features quickly. He said some organizations only care about getting an application out fast and then adding new features that users must purchase at extra cost.

“There are different strategies, but I do know we're constantly told we have to do more,” Green said.

Many of the mobile app security practices West recommended are known to developers, but most are still learning the new coding languages and building a better understanding of the available documentation from Apple and Google, Green said. Mobile applications are still being treated as extensions of Web applications and are not necessarily getting the same treatment and due diligence that a standard desktop application would receive.
