In part one of this SearchCIO tip, mobility security writer Evan Schuman offered three of six tips on how to avoid... mobile security problems. Here are #4, #5 and #6 on his list.
One of the most common mobile app security techniques is to employ automated scripts or programs designed to identify common security problems. The approach can be attractive to small businesses because it's both quick and comparatively inexpensive. Unfortunately, the growing complexity of even the most basic mobile apps today creates security problems that an automated script won't catch. Because of that, small businesses should consider hiring a mobile app security expert, a role distinct from a mobile app development expert, a general security expert or even a Web security expert.
"Mobile app testing is extremely different from any other type of testing," said Daniel Miessler, who oversees mobile app testing procedures at HP's Fortify unit. "You have to look at the mobile client, the network and the server. These all provide plenty of opportunities where you can drop breadcrumbs of data."
And don't feel this security gap is just a small business problem. A recent victim? Wal-Mart Stores Inc., the largest company in the United States by revenue. Wal-Mart's mobile app gathered and retained internal references, developer names, geolocation history and even passwords -- none of which Wal-Mart knew about, despite extensive internal testing, much of it done through automated scripts. It wasn't until a mobile security tester looked under the covers of the Wal-Mart app he had downloaded to his iPhone that the extent of its security holes was determined.
Daniel Wood, certified information systems security professional and Global Information Assurance Certified penetration tester, is a longtime mobile app security researcher. Automatic scanning and analysis will catch many security defects and vulnerabilities, Wood said, but with automatic methods a business is going to see only a partial picture of its attack surface. "Nothing can replace a knowledgeable tester who has real programming ability and security testing skills and is able to look at applications from not just the programming side -- the source code -- but also at the business logic of the application as well," Wood said.
One example of where automatic scanning falls short is in identifying Cross-Site Scripting (XSS) vulnerabilities, in which an attacker disguises malicious code and inserts it into a link that otherwise looks trustworthy. "Manual testing may be able to pick up an XSS vulnerability in the way an application stores documents or uses a special feature to allow users to annotate PDF documents in their browsers," Wood said. "If an application has this functionality, a security tester (or a thief) could create a malicious link in the annotation that pops the XSS vulnerability in the browser and steals a victim's sessions. An automated scanner will not understand the logic to do a test like this."
Recommendation #4: Scripts are great for movies but not for mobile app security. When it comes to mobile app security testing, give a human a try.
Remember the password, avoid the autofill
Even if you are asking for minimal sensitive information and are offering little-to-no true customization, mobile experts stress the importance of passwords. Why? To provide an easy and accurate way of keeping tabs on who is doing what on your site. If a favorite customer has repeatedly looked at a specific product on your app, that behavior might be helpful data.
In the interest of making all interactions with your company as effortless as possible, businesses may want their mobile apps to remember -- or autofill -- the customer's password so the customer need not type it in every time the app is launched. Mobile app security problems at some of the nation's biggest brands suggest a piece of contrarian advice: Resist this temptation. In an effort to protect your customers, decide against this one convenience.
Although there is no shortage of secure ways to allow passwords on a current mobile device to be saved, there is also no shortage of high-profile apps that have had problems. Starbucks saved passwords and accidentally retained them in plain text, for anyone to see. Delta Airlines was smart and encrypted its customers' retained passwords. (Good airline!) Unfortunately, Delta also saved -- in clear text -- the encryption key. (Bad airline!)
Godfrey Nolan, founder and president of IT services firm Research Into Internet Systems LLC and the author of Android Best Practices, found that Delta security hole.
"If there is any sensitive information on your app that you wouldn't want anyone else to see, then always make sure the user has to log in with a username and password," Nolan said. "And they should always have to enter their password each and every time the app is opened. If that's not the case with your app, then the password is probably being saved locally, which is an impressively bad idea."
Recommendation #5: The risks associated with retaining customer passwords outweigh the customer convenience of retaining them. For the vast majority of apps offered by small businesses, asking customers to type in their passwords when the app is launched is not a big deal. Forgoing this layer of security poses a risk. Remember that a password can then be used online to perfectly impersonate your customer.
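The two failure patterns above (a password kept in plain text, and a password that is encrypted but sits beside the key that decrypts it) are exactly what a tester finds by reading an app's own data directory after logging in. The following is an added example, not code from the article or from any app it names; it parses Android SharedPreferences-style XML and flags both patterns. The two preference files embedded in it are constructed samples, not real app data.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Preference names that usually hold a credential or a live session.
CREDENTIAL_NAME = re.compile(r"pass(word|wd)?|pwd|token|session", re.I)
# Preference names that usually hold key material for local encryption.
KEY_MATERIAL_NAME = re.compile(r"(aes|encrypt|cipher|secret)[_-]?key", re.I)

def parse_prefs(xml_text):
    """Flatten an Android SharedPreferences XML file to {name: value}."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.get("value") or el.text or "") for el in root}

def looks_encrypted(value):
    """Heuristic: valid base64 whose decoded bytes are not readable text."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 16 and not raw.isascii()

def audit_prefs(prefs):
    """Return one finding per retained credential in the preference file."""
    findings = []
    key_material = [n for n in prefs if KEY_MATERIAL_NAME.search(n)]
    for name, value in prefs.items():
        if not value or not CREDENTIAL_NAME.search(name):
            continue
        if not looks_encrypted(value):
            findings.append(f"{name}: stored in plain text")
        elif key_material:  # ciphertext saved next to the key that unlocks it
            findings.append(f"{name}: encrypted, but key {key_material[0]!r} is stored beside it")
        else:
            findings.append(f"{name}: encrypted value retained on device")
    return findings

# Constructed sample files (not real app data): a plain-text password, and
# an encrypted one whose key is saved alongside it.
ENC_BLOB = base64.b64encode(bytes(range(128, 160))).decode()
PLAINTEXT_PREFS = """<map>
  <string name="username">alice@example.com</string>
  <string name="password">hunter2</string>
</map>"""
KEY_BESIDE_CIPHERTEXT_PREFS = f"""<map>
  <string name="username">bob@example.com</string>
  <string name="password_enc">{ENC_BLOB}</string>
  <string name="aes_key">{ENC_BLOB}</string>
</map>"""
```

Run `audit_prefs(parse_prefs(text))` over each XML file pulled from the app sandbox; an empty result for every file is the state Nolan's advice aims at, since a password that is never saved cannot be found.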
Think of third-party interactions as the land of infinite gotchas
The biggest mobile app security problem today is not what a company's developer does with its app, nor what some third-party program (incorporated within the company's mobile app) does. It's the security holes that result from the unintended interactions. Going back to the Starbucks example, the retail chain's problem with retaining customer passwords in clear text was not the doing of its programming. The data was grabbed by a popular crash analysis program called Crashlytics (also used by Wal-Mart -- and now owned by Twitter).
Starbucks said the password retention wasn't its fault because the retailer didn't retain the data; Crashlytics did. Crashlytics people said it wasn't their fault because they provide customers with explicit instructions on how to deploy the program and its settings. Turns out it was Starbucks' fault, as Wal-Mart deployed the same Crashlytics program and did not allow it to save passwords.
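The lesson of the Starbucks case is that a crash-analytics SDK ships whatever the app hands it, so the scrubbing has to happen on the app's side of that boundary. Below is an added example (not Starbucks', Wal-Mart's or Crashlytics' code) of a wrapper that masks credential fields in custom keys, attached context and breadcrumb log lines before they reach the SDK. `ThirdPartyCrashSdk` is a constructed stand-in for a real SDK, and the login form and request line are constructed samples.

```python
import re

# Field names that carry a credential or a live session.
SENSITIVE_KEY = re.compile(r"pass(?:word|wd)?|pwd|token|session", re.I)
# The same names as they appear inside free-form text: key=value or "key": "value".
PAIR_IN_TEXT = re.compile(
    r'(?P<key>"?(?:pass(?:word|wd)?|pwd|token|session)"?)'
    r'(?P<sep>\s*[:=]\s*"?)(?P<val>[^"&\s,]+)', re.I)
MASK = "[REDACTED]"

class ThirdPartyCrashSdk:
    """Constructed stand-in for a crash-analytics SDK: it keeps, and would
    upload with the next crash report, exactly what the app hands it."""
    def __init__(self):
        self.custom_keys = {}
        self.breadcrumbs = []
    def set_custom_key(self, key, value):
        self.custom_keys[key] = value
    def log(self, message):
        self.breadcrumbs.append(message)

def redact_text(line):
    """Mask credential values embedded in a log line or request dump."""
    return PAIR_IN_TEXT.sub(lambda m: f"{m['key']}{m['sep']}{MASK}", line)

def redact_context(ctx):
    """Mask sensitive fields in nested dict/list context before it is attached."""
    if isinstance(ctx, dict):
        return {k: MASK if SENSITIVE_KEY.search(k) else redact_context(v) for k, v in ctx.items()}
    if isinstance(ctx, list):
        return [redact_context(v) for v in ctx]
    return redact_text(ctx) if isinstance(ctx, str) else ctx

class SafeCrashReporter:
    """The app's only path to the SDK; everything is scrubbed on the way in."""
    def __init__(self, sdk):
        self._sdk = sdk
    def set_custom_key(self, key, value):
        self._sdk.set_custom_key(key, MASK if SENSITIVE_KEY.search(key) else value)
    def log(self, line):
        self._sdk.log(redact_text(line))
    def attach_context(self, ctx):
        for key, value in redact_context(ctx).items():
            self._sdk.set_custom_key(key, value)

def report_failed_login(reporter, form, http_line):
    """What a login screen might do on failure: attach the form, log the request."""
    reporter.attach_context(form)
    reporter.log(http_line)
```

The test of such a wrapper is the same one the article describes for Wal-Mart's deployment: after exercising the login flow, nothing the SDK holds may contain a password.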
Recommendation #6: Test, test, test. Given the tight IT budgets of small businesses, it is natural to repurpose existing technology to deliver the standard functionality that mobile apps also need. But keep in mind that those programs were not tested working with each other, nor tested interacting with your mobile app. Before taking on the responsibilities that come with a mobile app, test it yourself to find any problems. Do it before your neighborhood cyberthief does it for you.