One of the most common issues we see time and time again: teams that have adopted web application security testing assume that their mobile apps are also covered by these tools and practices. Nothing could be further from the truth. We’ve asked members of our team, from our founder to our security researchers, what’s behind these misconceptions and what it is that makes web and mobile app security so different.
Mobile app binaries do not sit behind firewalls like web apps do, and do not have built-in SSL. Securing network communication, data storage, and data transfer of mobile apps is also more complex.
How are mobile and web security different?
Andrew Hoog, NowSecure founder and board member
Because your code runs on somebody else’s device, there’s a much bigger attack surface than if your code is running on a server that you control behind firewalls and things of that sort. So there’s actually quite a bit of attack surface there.
Mobile devices collect a lot of information that your browser or your computer doesn’t collect. Mobile devices go with us everywhere.
Andrew Hoog, NowSecure founder and board member
Mobile and web have fundamentally different architectures. In fact, for a web application, 98% of the actual application runs behind the firewall, so you have your entire perimeter defense that you can use to build layers to defend that back-end. A really good web coding strategy is minimal code running in a browser on a client. In fact, that browser client itself has SSL and encrypted tunnel built-in, and the developer for that browser-based application doesn’t have to deal with anything in terms of infrastructure or security where that browser runs.
Brian Reed, chief mobility officer at NowSecure
Flip that over to mobile, it’s a completely different animal. Yes, they might share some APIs on the back-end, but the reality is a mobile application runs on an entire operating system and all the code, 100% of that code, is on the operating system. Because of the quality of reversing tools today, any attacker or developer or security analyst can completely reverse an application on iOS or Android. And so basically, your IP itself is not safe on that device, and you should assume that an application would be reversed.
What are the biggest misconceptions of mobile versus web security?
Some of the misconceptions around mobile app security are that static analysis is all you need, that mobile app security and web security are the same so you can treat them the same, and you don’t need an actual device to test the app.
The most common vulnerability that I see companies continue to ignore is using HTTP. It’s alarming how many big financial services companies use HTTP still. When we first met this customer, they didn’t have any security in place, and we provided a solution for them to lay a proper security foundation. For those who don’t know, cert pinning is a network security mechanism that is really complex to talk about.
Rono Dasgupta, former mobile security analyst at NowSecure
How does NowSecure focus on mobile app security?
AH: We tend to focus on flaws that would really impact the integrity of the data, the information about the individual … and there’s a whole bunch of ways that things can go wrong there.
Traditional things like a man in the middle attack, where developers struggle with how to implement encryption. There’s a couple of big mistakes that they make. One of them is they try to roll their own, which is a very bad idea, and they shouldn’t do that.
The second thing that developers tend to do is they will have test code that makes it easy for them to develop without all those security controls in place. Sometimes they’ll forget to re-enable all of the controls when they go to production, or they simply won’t understand how to do it properly. So there’s a lot of different things that can go wrong.
How does third-party code affect app security?
AH: It’s complicated significantly by the fact that mobile apps contain a lot of third-party code. The challenge folks have is not only did I write my application, but did the third-party library that I’m using properly write in their code and test it? When I make an update and they have a new SDK, is that one secure?
What can go wrong trying to set up your own mobile app security testing?
AH: There’s a lot of things that can go wrong:
- Your data not being protected in transit
- Leaving sensitive information on the device
- Configuration issues that will lead to your data being backed up or transmitted
- Leaving too many activities world-readable, world-accessible so that other apps on the phone can extract information
Best practices when thinking about mobile app security
AH: NowSecure found the best way to deal with [mobile app security], coming from our forensics background, is in a very empirical way. You can do a bunch of testing of your code. You can do source code analysis and typically generate a lot of false positives. You spend a lot of time looking at the results. Or, you can simply look at your app in a hostile environment and then find out:
- Am I able to intercept the traffic?
- Do you leave sensitive data on the device?
- Could I do a sequel injection attack against your mobile app?
That empirical approach has allowed us to eliminate almost all false positives, but to also interrogate the application in a hostile environment — which is exactly what you need to do when you secure your app.
NowSecure believes mobile apps and mobile devices can be a more secure way for enterprises and agencies to operate. The important premise to that entire idea is that you make sure to vet your mobile apps ahead of time so when they are actively in a hostile environment, they’re able to thwart that attack.
What we find today is about 85% of the apps out there don’t successfully repel an attack. There’s a long way that the industry has to go. The great news is that we built a lot of tooling to help address that with automation.
NowSecure’s goal is to make sure the mobile apps you produce are as safe and secure as possible. Try a demo of our Platform today to see the difference we can make!