Mobile App Security Name and Shame

Posted on July 8, 2015 by Nevlynn Janssen


Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted. This ominous title rattled the mobile app community. It's all over the news and it is a huge branding disaster, not to mention the security impact on all the users who own these devices.


Public Shaming

Public shaming of companies is done only when the named company is not doing enough to solve the uncovered issue.

In this particular case the security risk was discovered in December of 2014. Although Samsung provided a patch to mobile network operators in early 2015, it is unknown whether the carriers have pushed that patch to the devices on their networks. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the number of device models and network operators globally.

This is just one example, but according to the website HTTP Shaming, created by Tony Webster, a consultant who was fed up with mobile app developers not taking security seriously enough, there are many more companies out there who should be ashamed.


Threats and Risks

The lax security of mobile applications and web services is nothing new. In July of 2014, application-management firm Appthority noted that about four out of every five mobile apps did something that put the user's data at risk, including tracking location, collecting data on the user, and sending information to social networks or advertising affiliates. In January of 2014, a researcher at security firm IOActive found that 36 out of 40 banking applications had some unencrypted links.


The Prevention Game

Samsung example:

If the flaw in the keyboard is exploited, an attacker could remotely:

  1. Access sensors and resources like GPS, camera and microphone
  2. Secretly install malicious app(s) without the user knowing
  3. Tamper with how other apps work or how the phone works
  4. Eavesdrop on incoming/outgoing messages or voice calls
  5. Attempt to access sensitive personal data like pictures and text messages

Although not all of the possibilities listed above can be prevented by securing your mobile app, doing so does prevent your app from being abused and its sensitive data from being stolen. Obviously the eavesdropping and the access to pictures and text messages are not within your field of control. And that brings me to the challenge when developing mobile consumer apps: you have no control over the device consumers use.

In an enterprise environment, for instance, you can use a Mobile Device Management (MDM) solution to help you manage the different devices employees use. As long as they are using corporate-issued devices there is nothing wrong with that picture. But as soon as Bring Your Own Device (BYOD) comes into play you have a challenge: are you going to ask the employee to install software on their private device so you can control it, or are you going to 'trust' them to be secure?

This is a legitimate question and line of reasoning in an enterprise environment, but when it comes to consumers, with a plethora of devices and operating systems to choose from, you have little to no control.

You would need to look for a solution that offers you high security with zero impact on the consumer across all mobile operating systems. You would also want a solution that prevents malicious activity from having any effect on your application or the data it shares.

Read our blog '7 Things You Need To Know Before Creating Mobile Apps'


Tip: Prevention starts with a fundamental shift in the way apps are currently being built: security should be part of the first stage of every development process. That is the context phase, which generally describes the functions and environment, application assets, security requirements and security assumptions.

When you add security requirements and assumptions to the first stage you create a secure foundation for your app to be built on. 

Obviously you are not done just by adding the security requirements and assumptions to your process; it also involves architectural threats, functional threats, threat libraries, secure coding, code audits, code reviews, pen tests, vulnerability scans, fuzzing, abuse tests, etc.

Read our blog 'Secure software starts with secure software development'



In conclusion 

Mobile app security is not to be underestimated: you cannot delegate your trust to the user, the mobile phone operating system vendor, or even the mobile network operator to handle security for you.

Once security flaws in your mobile consumer apps are exposed - which is just a matter of time - you will be publicly named and shamed. 

Wake up and smell the proverbial coffee, there is a simple solution out there called the Onegini Mobile Security Platform which handles it all. 

Thanks for reading, and I'd love to hear your comments.

Nevlynn 


Sources: 

The Shame Game: Mobile App Security Under Fire, b

New website aims to publicly shame apps with lax security, by  

Article by NowSecure https://www.nowsecure.com/keyboard-vulnerability/
