Aug 02, 2016 By Kevin Beaver
Mobile apps arguably have the greatest number of security flaws of any enterprise system – and no one seems to know much about them. Mobile app security flaws are numerous across all types of business apps. But why?
Perhaps it’s the mentality that “it’s just an app” or the reality that many business owners, especially those in smaller businesses who might not have advanced security, fall for the marketing hype of “we’ve got to have a mobile app,” without including security in the discussion. Mobile apps are as complex as ever, yet the security flaws are very predictable – and the bad guys know it.
Recent examples of the technical security flaws in mobile apps I’ve found include:
- Unencrypted communication sessions
- Weak passwords
- Hard-coded passwords and cryptographic keys often for connecting to critical back-end systems
- SQL injection
- Sensitive information left behind, even after uninstalling
Vulnerabilities such as these can quickly create business risks, not to mention compliancegaps for PCI DSS, HIPAA and so on.
What does it take to find and eliminate these security flaws or, better yet, avoid them altogether? These things are largely dependent on acknowledging the challenges in the first place. Mobile apps need to be part of your information risk management program which means that they need to be tested ideally during the SDLC or, worst-case, during ongoing security assessments or after any code or application environment changes are made. You need to look at your mobile apps from the perspectives of penetration testing, forensics, andsource code analysis because they’re all going to uncover different things.
Free Resources for Mobile App Security
I’m also a big proponent of using resources from outside parties – especially when they’re free. Good examples include the following:
- OWASP Mobile Security Project
- Cloud Security Alliance Mobile Working Group’s June 2016 whitepaper Mobile Application Security Testing Initiative
- Mobile Health App Developers: FTC Best Practices
- NIST Special Publication 800-163 Vetting the Security of Mobile Applications
Mobile apps not only present great business opportunities but also opportunities for ill-gotten gains. Even if they are seemingly benign marketing or field apps that process and store nothing of value, they can serve as an entry point or steppingstone into a bigger environment that can be used against you and your business. You wouldn’t let that happen with web applications – mobile apps should be no different.