Andrew Hoog is Founder of NowSecure and a Board Member.
How are mobile and web security different?
Because your code runs on somebody else’s device, there’s a much bigger attack surface than if your code is running on a server that you control behind firewalls and things of that sort. So there’s actually quite a bit of attack surface there.
Mobile devices collect a lot of information that your browser or your computer doesn’t collect. Mobile devices go with us everywhere.
How does NowSecure focus on mobile app security?
We tend to focus on flaws that would really impact the integrity of the data, the information about the individual … and there’s a whole bunch of ways that things can go wrong there.
Traditional things like a man-in-the-middle attack, where developers struggle with how to implement encryption. There are a couple of big mistakes that they make. One of them is they try to roll their own, which is a very bad idea, and they shouldn’t do that.
The second thing that developers tend to do is they will have test code that makes it easy for them to develop without all those security controls in place. Sometimes they’ll forget to re-enable all of the controls when they go to production, or they simply won’t understand how to do it properly. So there’s a lot of different things that can go wrong.
How does third-party code affect app security?
It’s complicated significantly by the fact that mobile apps contain a lot of third-party code. The challenge folks have is not only did I write my application, but did the third-party library that I’m using properly write in their code and test it? When I make an update and they have a new SDK, is that one secure?
What can go wrong trying to set up your own mobile app testing?
There’s a lot of things that can go wrong:
- Your data not being protected in transit.
- Leaving sensitive information on the device.
- Configuration issues that will lead to your data being backed up or transmitted.
- Leaving too many activities world-readable, world-accessible so that other apps on the phone can extract information.
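Three of the four failure modes in that list (data backed up off the device, data unprotected in transit, and activities reachable by every other app on the phone) are visible in an Android app's manifest before the app ever runs. The script below is an added example, not NowSecure's tooling or anything from the interview: it parses a constructed AndroidManifest.xml and reports those settings, shown once with the weak configuration and once with the corrected one. The package name, component names and permission strings are made up for the demonstration; the exported-by-default rule it applies (a component with an intent-filter is exported unless android:exported says otherwise) is the pre-Android 12 platform behaviour.

```python
"""Static check of an AndroidManifest.xml for backup, cleartext-transport and
over-exported component settings. Added example; sample manifests constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample with the weak settings in place.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ExportDataActivity" android:exported="true"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
              android:exported="true" android:permission="com.example.demo.READ_NOTES"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

# The same app with the settings corrected: no backup, no cleartext, internal
# activities kept private, the share entry point guarded by a permission.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ExportDataActivity" android:exported="false"/>
    <activity android:name=".LegacyShareActivity" android:exported="true"
              android:permission="com.example.demo.SHARE">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def attr(el, name):
    """Read an attribute from the android: namespace (ElementTree uses Clark notation)."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(el):
    # Explicit android:exported wins; otherwise an intent-filter makes the
    # component exported by default (pre-Android 12 platform behaviour).
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def is_launcher(el):
    """The launcher activity has to be exported, so it is not a finding."""
    return any(
        "android.intent.category.LAUNCHER" in {attr(c, "name") for c in f.findall("category")}
        for f in el.findall("intent-filter")
    )


def check_manifest(xml_text):
    """Return a list of (severity, message) findings for the manifest text."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return [("error", "no <application> element")]
    # allowBackup defaults to true when absent, so absent counts as weak too.
    if (attr(app, "allowBackup") or "true").lower() == "true":
        findings.append(("medium", "allowBackup not disabled: app data can be copied off the device by backup"))
    if (attr(app, "usesCleartextTraffic") or "").lower() == "true":
        findings.append(("high", "usesCleartextTraffic=true: data in transit is not protected"))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp) or attr(comp, "permission"):
                continue
            findings.append(("high", f"{tag} {attr(comp, 'name')} is exported without a permission: "
                                     "any app on the phone can reach it"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(text) or "no findings")
```

The check runs against the manifest as it is built, so it fits at the point in the pipeline where the test code and debug settings described above tend to slip through into a release: the hardened manifest produces no findings, the weak one four.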
Best practices when thinking about mobile app security
NowSecure found the best way to deal with [mobile app security], coming from our forensics background, is in a very empirical way. You can do a bunch of testing of your code. You can do source code analysis and typically generate a lot of false positives. You spend a lot of time looking at the results. Or, you can simply look at your app in a hostile environment and then find out:
- Am I able to intercept the traffic?
- Do you leave sensitive data on the device?
- Could I do a SQL injection attack against your mobile app?
That empirical approach has allowed us to eliminate almost all false positives, but to also interrogate the application in a hostile environment — which is exactly what you need to do when you secure your app.
NowSecure believes mobile apps and mobile devices can be a more secure way for enterprises and agencies to operate. The important premise to that entire idea is that you make sure that you vet your mobile apps ahead of time so when they are actively in a hostile environment, they’re able to thwart that attack.
What we find today is about 85% of the apps out there don’t successfully repel an attack. There’s a long way that the industry has to go. The great news is that we built a lot of tooling to help address that with automation.
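The third empirical question in that list, whether the app's own database queries can be bent by input, is the one that a developer can answer against a local copy of the app's storage layer. The code below is an added example and not from the interview or NowSecure: it uses Python's sqlite3 module as a stand-in for the SQLite database an Android or iOS app typically carries, and puts the string-concatenated query beside the parameterized one so the difference in behaviour on the same input is visible. The notes table, its rows and the probe string are constructed for the demonstration.

```python
"""Vulnerable and parameterized SQLite lookups side by side. Added example;
the table contents and probe input are constructed."""
import sqlite3


def make_db():
    """In-memory table standing in for an app's local notes store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice's grocery list"), ("bob", "bob's private note")],
    )
    return conn


def notes_for_owner_vulnerable(conn, owner):
    # String concatenation: the caller's input becomes part of the SQL text,
    # so a quote in the input changes the WHERE clause instead of matching an owner.
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    # Bound parameter: the input is passed to SQLite as a value and can only
    # ever be compared against the owner column, never parsed as SQL.
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def run_check():
    """Run both lookups on a normal owner and on a quote-bearing probe string."""
    conn = make_db()
    probe = "alice' OR '1'='1"
    return {
        "normal": notes_for_owner_safe(conn, "alice"),
        "vulnerable_on_probe": notes_for_owner_vulnerable(conn, probe),
        "safe_on_probe": notes_for_owner_safe(conn, probe),
    }


if __name__ == "__main__":
    for label, rows in run_check().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every owner's notes for the probe string; the parameterized version returns nothing, because no owner is literally named `alice' OR '1'='1`. The same rule applies to the platform query APIs: pass user-controlled values as bound arguments, never spliced into the statement text.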
NowSecure’s goal is to make sure the mobile apps you produce are as safe and secure as possible. Try a demo of our Platform today to see the difference we can make!