Essentials for Developing More Secure Mobile Applications - SECURITY INNOVATION
Table of Contents
OVERVIEW 3
CHALLENGES OF THE MOBILE PLATFORM 4
COMMON MOBILE RISKS AND ATTACKS 6
DATA RISKS 10
3 WAYS TO OPTIMIZE YOUR MOBILE APPLICATION SECURITY PROGRAM 14
CONCLUSION 19
ADDENDUM: HOW SECURITY INNOVATION CAN HELP 20
Overview

Today’s mobile applications and anywhere-anytime connections present significant opportunities for your business and its users. Unfortunately, the opportunities also extend to criminals, who adapt their tactics to exploit the mobile environment.

In order to mitigate risk, your development team must be vigilant about building security into mobile applications – even as they face increasing pressures of delivering functional and intuitive applications quickly and cost-efficiently.

Security vigilance begins with the developers’ solid understanding of the types of threats and attacks that are unique to the mobile platform so that these can be considered and addressed with appropriate countermeasures in application design, code, and testing.

To that end, this paper describes a range of mobile-specific threats and risks for developers to be aware of. It also examines three core components of an optimized mobile application security program that will support your developers in the design of more secure mobile applications.
Reasons Why Mobile Apps Contain Vulnerable Code
• 77%: Rush to release pressures
• 68%: Lack of quality assurance and testing procedures
• 73%: Lack of understanding or training on secure coding practices
• 64%: Lack of internal policies or rules
Percentages reflect participant responses reported in Ponemon Institute’s State of Mobile Application Insecurity publication.1
Security Innovation Inc. 3

Challenges of the Mobile Platform

The convergence of computing and communication technologies is evolving continuously, with new mobile capabilities that can be accessed anywhere, anytime. Although mobile devices are useful and convenient, they are exposed to traditional desktop and server system risks in addition to mobile-specific risks, which greatly expands the mobile attack surface and threat landscape.

While vulnerabilities often are similar across the various desktop and server computing platforms (Linux, UNIX, Windows, Mac OS, etc.), each has distinctive idiosyncrasies, built-in defenses, attack vectors, and threats. The same is true – and even more pronounced – with mobile platforms (Apple iOS, Google Android, etc.), where issues arise as a result of unique challenges in hardware and resource constraints, increased physical security risks, different permission models, and a more complicated patching model. (See Table 1. Mobile-Specific Challenges.)

Many popular desktop and server applications now can run on mobile devices. For example, mobile devices can process database queries and store small SQL files locally, exposing mobile applications to many traditional application security risks. Unfortunately, mobile browsers do not have the same level of security scrutiny as desktop browsers and are more likely to have vulnerabilities. Also, new versions of mobile operating systems are released continually; vulnerabilities that exist in Operating System Version 1.0 more often than not are very different from vulnerabilities that exist in Operating System Version 2.0.
Table 1. Mobile-Specific Challenges

Hardware and Resource Constraints: Mobile devices often have less processing power and memory than their desktop and server counterparts. This makes the impact and overhead of employing protection mechanisms (e.g., cryptography) more costly, and testing more difficult. The smaller screens and keyboards that are inherent in mobile devices often force developers to make certain security trade-offs.

Increased Physical Security Risks: Their small physical size and portability make mobile devices more susceptible to being lost, stolen, or temporarily misplaced, which exposes both users and organizations to security risks. If a mobile device or the data stored on it are not sufficiently protected, sensitive data can be leaked and the organization’s network compromised.

Different Permission Models: Permission models differ from platform to platform. Mobile application developers who create applications for multiple platforms, therefore, must be aware of and follow OS-specific coding requirements and best practices for OS-specific applications.

Complicated Patching Process: Similar to other software applications, patches for mobile applications often repair identified security gaps and coding issues. These patches typically are deployed through mobile platform vendor markets such as the Apple App Store and Google Play, but can be rejected or delayed by the vendor review processes. The increased time interval for patch availability often leaves end users exposed.
Common Mobile Risks and Attacks

As we mentioned, mobile devices are exposed to many of the same risks as traditional desktops and servers – as well as mobile-specific vulnerabilities, attack vectors, and threats. Following are some of the common risks and attacks that affect the mobile environment:

CLIENT-SIDE INJECTION ATTACKS

Many software application types have transitioned to mobile devices, carrying related risks along with them. For example:
• Mobile applications that send SQL requests to a backend database server are vulnerable to SQL injection attacks similar to those found in traditional web-based applications.
• Client-side injections allow an attacker to execute malicious code on the victim’s device via the mobile application.
• The data entered by the attacker is processed by the mobile application and then parsed by the operating system in a way that indirectly allows an attacker to run remote or local code on the device.

To reduce the risk of mobile injection attacks, teams should implement the same risk controls that they implement for desktop and server applications, such as input validation and output encoding.

IMPROPER STORAGE OF SENSITIVE INFORMATION

The storage of information on a mobile device becomes an issue when the information is stored with global (world-readable or world-writable) permissions. If the data is stored as plain text and is not protected using a strong cryptographic algorithm, there is potential for attackers to gain access to that data – whether through unauthorized access to the victim’s mobile device (through physical device loss, theft, or unsupervised availability); through other applications; or through mobile malware repackaged as a harmless mobile application that steals sensitive information in the background or executes attacker-controlled code on the mobile device.

While cryptography is well-suited to protecting data at rest (i.e., stored) or in transit, several challenges arise when implementing cryptography on data in use. There often are hidden cracks in the cryptography implementation, including errors in how the algorithms are applied. Also, if the data is stored using a weak encryption algorithm, an attacker can reverse the encryption in order to gain access to the sensitive plain text information.
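The “global permissions” problem above comes down to the mode bits on the app’s own files. The following is an added example, not code from the paper: a POSIX Python routine that creates a secret file with owner-only permissions, plus an audit that walks an app data directory (a temporary directory stands in for the app-private storage area here) and reports anything group- or world-accessible.

```python
import os
import stat
import tempfile

# Permission bits that give "group" or "other" any access at all.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def write_private(path, data):
    """Create a file readable only by the app's own UID.

    The mode is applied at creation time, so there is no window in which the
    file exists with default (possibly world-readable) permissions, and O_EXCL
    refuses to open a path that already exists, so a file or symlink planted
    by another app cannot be written through."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def audit_permissions(root):
    """Walk an app data directory and report regular files that group or
    others can read, write or execute. Returns sorted (relative path, mode)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & GROUP_OR_OTHER:
                findings.append((os.path.relpath(full, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def demo_storage_audit():
    """Constructed scenario: one correctly stored token, and one preferences
    file left world-readable (comparable to what Android's deprecated
    MODE_WORLD_READABLE produced). Returns what the checks observed."""
    with tempfile.TemporaryDirectory() as d:
        token = os.path.join(d, "session_token.bin")
        write_private(token, b"constructed-session-token")
        try:                                       # a second create must be refused
            write_private(token, b"overwrite attempt")
            excl_blocked = False
        except FileExistsError:
            excl_blocked = True
        leaky = os.path.join(d, "prefs.xml")
        with open(leaky, "wb") as f:
            f.write(b'<string name="password">constructed</string>')
        os.chmod(leaky, 0o644)
        return {
            "token_mode": oct(stat.S_IMODE(os.stat(token).st_mode)),
            "excl_blocked": excl_blocked,
            "findings": audit_permissions(d),
        }
```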
UNINTENDED DATA LEAKAGE

A mobile operating system can leak sensitive information by means of operating system crashes, network traffic caches, key presses, copy-paste buffers, or by the way an application logs the information. Data can also be leaked to third-party servers over multiple communication channels, or by an adversary that has physical access to the mobile device. The leakage of sensitive information could lead to multiple privacy and compliance violations as well as reputational damage to the organization.

WEB-BASED ATTACKS

Web-based attacks such as Cross-Site Request Forgery (CSRF), redirection, and phishing – which require users to click on a malicious link – are prevalent with mobile browser-based applications. The reason? Mobile browser limitations, including small mobile screen size, contribute to a greater chance of success for these web-based attacks. On a desktop or server system, users can view the links provided and actively look for signs of malicious code. But smaller mobile screens restrict the user’s ability to inspect a link, or notice spelling and grammar mistakes and other clues that might indicate that the user is being (or has been) redirected to a malicious site. Also, the browser address bar and the URL information contained within it may not be visible to the mobile user. Development teams must be aware of these limitations and ensure that applications incorporate the technical and procedural controls required to reduce the risk of web-based attacks.

CODING RISKS

Applications, mobile or otherwise, are vulnerable to attacks associated with their coding language, including buffer overruns, format string attacks, and integer overflows. Mobile applications are implemented in many of the same languages as their desktop and web counterparts, and therefore are susceptible to many of the same vulnerabilities and attacks. For example, Apple iOS applications can be written using Objective-C, an object-oriented version of the C programming language that is used to code many desktop applications. Common risks associated with implementation languages can be mitigated by adopting a secure programming discipline that includes language-specific best practices, skills development, and tools.

ATTACK ON BINARY CODE

Binary protection techniques help protect a mobile application’s underlying binary code. Applications that lack any or sufficient binary protections are at significant risk of exposure and access by adversaries who may reverse-engineer and/or make unauthorized modifications to the binary code. These modifications – including backdoor coding and the detection and misuse of an application’s hidden coded functionality – can allow an attacker to gain malicious access to information that otherwise was assumed to be stored securely in the binary; to access the organization’s systems; or to bypass client-side validations by means of debuggers.
INSECURE PLATFORMS

Both Android and iOS platforms have had security bugs that allow attackers to gain root access to the mobile device. With root access, an attacker can read or modify all the data – even data that was secured during the development process or securely stored on the device.

Also, many mobile device platforms supply built-in security services – common functionality that allows mobile application development teams to save time, focus their efforts on implementing the business logic, and get applications to market faster.

Each built-in security service, though, has its own strengths and limitations that teams must be aware of in order to use it effectively. Apple iOS devices, for example, feature Keychain Services, which abstract the processes of encrypting and storing sensitive data securely – such as authentication tokens and personal information. iOS developers can access the Keychain Services directly to avoid having to implement their own secure data storage code. A user can unlock a keychain with a single password, and any Keychain Services-aware application can use a keychain to store and retrieve passwords. But in a jailbroken scenario, for example where manufacturer-, developer-, or operator-imposed restrictions are removed, the integrity of built-in security facilities such as Keychain Services no longer can be guaranteed.

Mobile development teams can reduce the risks of insecure platforms and built-in services by implementing additional controls such as password-based encryption in their applications, especially in situations with high business impact.

VULNERABILITIES IN THIRD-PARTY CODE AND SERVICES

Mobile applications can be divided into four general components:
1. Application code and libraries
2. Application services
3. Third-party code and libraries
4. Third-party services

Vulnerabilities in any of these components create risks for mobile applications, development teams, and users. When vulnerabilities are discovered in application code, libraries, and services, mobile development teams can respond by deploying a code fix. The process becomes more complicated for third-party code, libraries, and services because the team may not have the source code or be capable of fixing the problem.

Teams can reduce overall risk by developing a sound overall security patching strategy that includes processes for tracking the third-party code and libraries that are used by their applications – as well as associated code and security updates. Processes also should be developed for timely download and integration of updated code and libraries into the organization’s applications.
MALWARE

Just like applications that are designed and implemented for desktop and server systems, mobile applications contain machine code – a low-level programming language that is executed directly by an operating system on a hardware device. As a result, mobile applications similarly are subject to infection and compromise by malicious software – malware such as spyware, Trojan horse programs, worms, and computer viruses.

Unlike traditional applications, though, mobile applications are subject to new infection mediums such as Short Message Service (SMS), Bluetooth, and other mobile-centric communication mechanisms. Malware such as Pegasus and Trident silently jailbreaks iOS devices and spies on the victims, collecting information from voice communications, camera, email, messaging, GPS, passwords, and contact lists. In order to reduce vulnerability to mobile malware, be sure that your teams understand these mobile-specific communication technologies – and the techniques attackers use to exploit them.

LOCATION SECURITY AND PRIVACY ISSUES

A location-based service (LBS) uses a mobile device’s geographic position to add value for the user, such as determining the location of the nearest bank, displaying local weather, or monitoring/tracking children.

LBS use, though, raises privacy and security concerns for the enterprise. Data collected by an LBS can be considered personally identifiable information – such as mobile number, home address, and locations frequented. Users may be concerned not only with who owns that data but also with how that data might be misused, and if the “owner” can control that data through privacy-enhancing technologies (PETs). For example, it was discovered that Uber, the mobile-enabled car service company, was keeping track of the identities of users who had installed the Uber mobile application on their phones – including the users’ iPhone device registry details and Apple-assigned device serial numbers – even after the application was uninstalled. Enterprise development and security teams must understand security controls and their strengths and weaknesses, and implement appropriate security controls that help maintain user privacy.

DESIGN ATTACKS

Systemic design flaws often allow an application to be exploited. The attack could be on the mobile application or on the server to which the mobile application speaks, on unprotected internal APIs, alternate routes through and around security checks, and/or on open server ports. These attacks can force loop conditions and fake their source. Race conditions* and attacks that take advantage of time discrepancies (Time of Check/Time of Use) are of particular concern in this category.

*A race condition exists when changes to the order of two or more events can cause a change in behavior. If the correct order of execution is required for the proper functioning of the program, this is a bug. If an attacker can take advantage of the situation to insert malicious code, change a filename, or otherwise interfere with the normal operation of the program, the race condition is a security vulnerability.2
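The Time of Check/Time of Use race in the footnote is easiest to see on a file path. The following is an added example, not code from the paper, written for POSIX Python: the check-then-open pattern beside a version that opens first with O_NOFOLLOW and validates the descriptor it actually holds; the `interleave` hook and the `swap` closure are constructed stand-ins for the racing process.

```python
import os
import stat
import tempfile


def read_report_racy(path, interleave=None):
    """Vulnerable check-then-use: the path is validated with lstat(), then opened
    in a separate step. 'interleave' is a test seam standing in for another
    process that runs inside that window; in a real race it is just time."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError("rejected by pre-check")
    if interleave:
        interleave()                    # <-- the TOCTOU window
    with open(path, "rb") as f:         # open() follows whatever the path is *now*
        return f.read()


def read_report_safe(path, interleave=None):
    """Hardened version: open without following symlinks, then validate the
    object actually opened via fstat() on the descriptor. Check and use refer
    to the same inode, so a path swap has no window to exploit."""
    if interleave:
        interleave()                    # anything done before open() is caught below
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)       # ELOOP if the path has become a symlink
    except OSError as e:
        raise PermissionError(f"rejected: {e.strerror}") from None
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("rejected: not a regular file owned by this user")
        return f.read()


def demo_toctou():
    """Constructed scenario: report.txt is the file the app may read, secret.txt
    one it must not. The swap replaces report.txt with a symlink to secret.txt
    during the window. Returns what each version ended up doing."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        report = os.path.join(d, "report.txt")
        secret = os.path.join(d, "secret.txt")

        def write(p, data):
            with open(p, "wb") as f:
                f.write(data)

        def swap():
            os.remove(report)
            os.symlink(secret, report)

        write(secret, b"TOP SECRET")
        write(report, b"quarterly figures")
        results["safe_no_race"] = read_report_safe(report)
        results["racy_with_swap"] = read_report_racy(report, interleave=swap)
        os.remove(report)               # drop the symlink before recreating the real file
        write(report, b"quarterly figures")
        try:
            results["safe_with_swap"] = read_report_safe(report, interleave=swap)
        except PermissionError as e:
            results["safe_with_swap"] = str(e)
    return results
```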
Data Risks

There are many types of data, and “sensitive” data can mean different things to different organizations. Whether it is personally identifiable information, proprietary corporate information, or credit card data, organizations must clearly define data by “type” and provide their developers with well-defined policies and compliance-based procedures for protecting all data – sensitive and non-critical – when it is both at rest (stored) and in transit in the mobile environment.

PROTECTING DATA AT REST

In the traditional office, sensitive data resides on file servers, in email, or in databases behind a firewall. In today’s mobile environment, mobile devices often are used to store sensitive data. A mobile user, for instance, can save email attachments locally on a mobile device and later access that data offline on an airplane or in another location where Internet access may not be available.

While the protection of sensitive data is essential regardless of location, the mobile platform presents unique challenges – and passwords, corporate data, and personally identifiable information are at risk if not stored properly. Mobile developers need to understand and assess the risks associated with data storage and implement sufficient controls to mitigate them based on their own security policies and compliance requirements. (See Table 2. Mobile Data Storage Risks and Impacts.)
Table 2. Mobile Data Storage Risks and Impacts

Using an Unsafe Data Storage Mechanism: Sensitive data can be exploited on storage devices that do not have full disk encryption enabled, particularly when application data is backed up off the device, or if the device is lost or stolen and in the hands of a malicious user. Examples include databases and basic mobile file systems.

Storing Data in an Unprotected State: Mobile applications typically are isolated from other applications on the device, meaning they cannot gain visibility into another application’s resource space (for example, a mobile application cannot inspect the file system of another mobile application). This guarantee does not apply in scenarios where the mobile device has been jailbroken, or if a malicious user has gained root access to the device. As a result, mobile application data can be exposed if not encrypted. Sensitive data that is transferred from a mobile device and saved on a remote server also is at risk when not stored in a protected state.

Storing Data on Unprotected Removable Drives: Many popular mobile devices support removable micro Secure Digital (microSD) cards. These external storage mediums are not encrypted by default. Unfortunately, a malicious user simply can take the removable drive from an unattended phone and extract its data. Sensitive data stored on these drives is at risk if not encrypted.

Storing Data on Shared Data Storage: Mobile devices often have shared data storage such as address books, media galleries, calendars, and more – all of which are accessible to multiple applications on the device. When sensitive data is written to shared data storage, it often is exposed to unauthorized transfer of data and data leakage risks.

Unsafe Deletion of Sensitive Data: Decommissioned phones often are a source of serious data leaks. Deleted sensitive data still is at risk if it was not deleted using secure procedures, such as those described by the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization (Special Publication 800-88 Revision 1).3
PROTECTING DATA IN TRANSIT – SECURE COMMUNICATIONS

Mobile devices and mobile applications are unique compared to their desktop and server counterparts. Because desktops and servers typically are stationary, the risk of those systems transmitting sensitive data over unsecured wireless networks in the middle of a transaction is minimal. In mobile scenarios, however, the risk is significantly higher. The mobility of the user means that the underlying network the device is connected to may change frequently as the user changes locations. And each network is unique in its security settings, strengths, and limitations. (See Table 3. Common Mobile Communications Networks.)

For users of mobile applications that transmit sensitive data, risk increases when devices are connected to unsecured or untrusted networks. Consider an example of a mobile user accessing bank account information. At the beginning of the transaction, the user is connected through a trusted network. During the transaction, the trusted network goes down, or perhaps the user walks out of that network’s range and into the range of an untrusted network. This untrusted network has been configured by a malicious user with a Transport Layer Security (TLS) proxy, which records all user data sent, such as transaction details and account credentials. If the mobile application has not been designed and implemented to detect these types of risks, highly sensitive data and transactions may be exposed.

Mitigating these risks can be difficult on mobile devices because of processing and network constraints that make cryptography overhead more significant. As a result, when designing and developing secure mobile applications, development teams need to ensure that sensitive data always is transmitted securely and that communication is protected end-to-end with TLS.
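The roaming-onto-a-TLS-proxy scenario above is what public-key pinning is meant to catch. The following is an added example, not code from the paper: a Python client that lets the platform validate the chain and hostname and then additionally compares the leaf certificate’s SubjectPublicKeyInfo (SPKI) hash against a pin the app ships with. `sample_cert` builds a constructed, skeletal, unsigned certificate so the SPKI parser can be exercised offline; the pin format is the base64 SHA-256 used by HPKP and Android’s Network Security Config.

```python
import base64
import hashlib
import socket
import ssl


def der_encode(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample cert."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: the next (length & 0x7F) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate
    (RFC 5280 order: [version] serial sigAlg issuer validity subject spki)."""
    tag, tbs_start, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, tbs_start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                              # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the 'pin-sha256' form."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    """True if the leaf's key is one of the pinned keys. Ship at least one
    backup pin so a planned key rotation does not lock users out."""
    return spki_pin(cert_der) in set(pins)


def connect_pinned(host, port, pins, timeout=10):
    """TLS connect with chain + hostname validation (default context) plus an
    SPKI pin check. A TLS-intercepting proxy must present its own key, so the
    pin fails even if the device trust store has been made to trust its CA."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("SPKI pin mismatch: possible TLS-intercepting proxy")
    return tls


def sample_cert(pubkey_xy):
    """Constructed, skeletal certificate (not real, not signed) carrying an
    uncompressed P-256-shaped public key, so spki_from_der() runs offline."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A8648CE3D0201"))    # id-ecPublicKey
                     + der_encode(0x06, bytes.fromhex("2A8648CE3D030107")))      # prime256v1
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00\x04" + pubkey_xy))
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))                # version v3
                     + der_encode(0x02, b"\x01")                                # serialNumber
                     + sig_alg
                     + der_encode(0x30, b"")                                    # issuer (empty Name)
                     + der_encode(0x30, der_encode(0x18, b"20240101000000Z")
                                  + der_encode(0x18, b"20250101000000Z"))       # validity
                     + der_encode(0x30, b"")                                    # subject (empty Name)
                     + spki)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(8)))


# The pin the app would ship: hash of the backend's (constructed) key.
SERVER_PIN = spki_pin(sample_cert(bytes(64)))
```

Call `connect_pinned(host, 443, [SERVER_PIN, BACKUP_PIN])` in place of a plain TLS connect; pins are computed from the server’s real certificate at build time, not fetched at run time.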
Table 3. Common Mobile Communications Networks

Wi-Fi Networks: Most mobile devices can connect to TCP/IP-based wireless networks. Although modern wireless networks provide protection such as Wi-Fi Protected Access (WPA2), the scope of this protection is valid only for that particular network. Once data is routed outside of that network, there are no guarantees that the data will remain protected, and it may be exposed to interception or modification by malicious users.

GSM, 3G, and 4G Networks: Cellular networks – such as Global System for Mobile Communications (GSM), third generation (3G), and fourth generation (4G) – frequently are used for packet transmission. Although several of these standards include protection for data transmission, many have been broken or are insufficient. For example, the 3G standard utilizes the KASUMI block cipher to protect data, which has several weaknesses.

Bluetooth Networks: While packet data can be transferred across Bluetooth networks in close proximity, it’s important to be aware of the many reported vulnerabilities relating to this protocol. These include malware and viruses that use Bluetooth to replicate and spread among mobile devices, and poor implementations of Bluetooth security that lead to data leaks and eavesdropping.4 Bluesnarfing, a device hack, enables the attacker to steal sensitive information from a device with a Bluetooth connection.5

SMS and MMS: Short message service (SMS) and multimedia messaging service (MMS) are used to send short text messages and multimedia content, respectively. Both suffer from numerous data-protection vulnerabilities and should not be used to transfer highly sensitive data. The latest draft of the Digital Identity Guidelines issued by NIST (Special Publication 800-63-3)6 recently acknowledged the risk of SMS messages being intercepted and encouraged adoption of other alternative authenticators for two-factor authentication. Other vulnerabilities include weak encryption and SMS spoofing.
3 Ways to Optimize Your Mobile Application Security Program

A Ponemon Institute study indicates that proprietary business applications may be at a higher risk of attack than consumer applications.7 This often is the result of internal rush-to-release pressures on developers, and a lack of clear security requirements, QA, and testing procedures.

Mobile application development teams cannot mitigate security risk through application code alone. As we’ve discussed, other factors including mobile-specific challenges – such as physical risk and platform vulnerabilities – also impact mobile security. Teams can reduce risks by following a secure programming discipline that is specific to the mobile platform and that describes mobile secure development best practices, tools, testing, libraries and role-based activities.

Organizations can implement and/or optimize a secure programming discipline by incorporating the following three core components into an overall mobile application security program:
1 POLICIES, STANDARDS, AND PROCEDURES
Documented policies, standards, and procedures for mobile application
development provide a set of guiding principles to ensure that team
members understand the organization’s expectations for mobile security and
know how to develop to those expectations, including “building in” security
throughout the development life cycle. The following activities are central to
the development of a strong security discipline within your organization:
• Create an Application Security Policy and Standards document that
describes your organization’s high-level security policy – the mandatory
requirements for developing secure mobile applications. Standards define
the system- or procedure-specific process and/or rules that support the
policy, such as the organization’s accepted way to adhere to policy and how
to carry out specific security-centric operations.
• Define secure coding standards to help developers avoid the most
common mobile application vulnerabilities and provide a framework for
conducting a security code review. Each mobile platform (e.g., iOS, Android,
BlackBerry) has unique security vulnerabilities. It is critical, therefore, to
establish operating system- and language-specific standards and guidance
to ensure that teams know how to navigate the nuances of each and
implement security that addresses these risks effectively.
• Follow industry-based secure programming processes and standards such as the OWASP8 Mobile Top Ten9 and SEI CERT Coding Standards.10 These frequently updated resources provide developers with valuable information for building and maintaining secure mobile applications, and often include strict security requirements that apply to mobile application scenarios. Development teams should follow any relevant standards to reduce mobile security risk and potential exploitation.
• Define relevant governance and compliance drivers; for instance, mobile applications that accept credit card data must meet the Payment Card Industry Data Security Standard (PCI DSS) requirements. Identify sensitive data elements, such as personally identifiable information (PII) or credit card data, and define the appropriate standard levels of protection for each.

2 SECURITY ENGINEERING ACTIVITIES

Security engineering does not require that you change your existing application development process, just augment it with a set of high-impact security activities. Core security engineering activities easily and logically can be layered into a normal software development process at the appropriate times (See Table 4. Security Engineering Activities for the Application Development Life Cycle). For instance, when you determine your functional requirements, you also would determine your security objectives; when you apply design best practices, you would apply security design best practices, etc. Table 5 provides more details on effective security engineering activities.
Table 4. Security Engineering Activities for the Application Development Life Cycle

Planning. Core: (none listed). Security: (none listed).
Requirements and Analysis. Core: Functional Requirements; Non-Functional Requirements; Technology Requirements. Security: Security Objectives.
Architecture and Design. Core: Design Guidelines; Architecture and Design Review. Security: Design Guidelines for Security; Threat Modeling; Architecture and Design Review for Security.
Development. Core: Unit Tests; Code Review; Daily Builds. Security: Code Review for Security.
Testing. Core: Integration Testing; System Testing. Security: Security Testing.
Deployment. Core: Deployment Review. Security: Deployment Review for Security.
Maintenance. Core: (none listed). Security: (none listed).
[Source: Microsoft Patterns & Practices]
Table 5. Security Engineering Activities Defined

Identify Security Objectives: If you don’t know the security considerations up front, it is difficult to be successful with later-stage activities.

Apply Security Design Guidelines: The adoption of proven design principles reduces the application’s attack surface and ensures applications are secure from the start.

Conduct Security Architecture and Design Reviews: Vulnerabilities introduced in the design phase are the most expensive to fix, so it is critical to identify and fix security problems that have a multiplier effect in later phases.

Create Threat Models: Secure applications start with understanding key threats. Threat modeling helps teams focus on the most critical threats at each phase by choosing security design components and coding defensively to mitigate that risk, and by devising test plans that focus on high-risk areas.

Perform Security Code Reviews and Penetration Testing: Implementation vulnerabilities are the most common. Manual inspections and manually executed test techniques can uncover compound, business logic, and other critical vulnerabilities that elude tools. This saves rework and helps avoid costly exploitation.

Conduct Security Deployment Reviews: Security deployment reviews help to ensure that configuration and deployment problems are discovered before an application is in production. Even an effective application security process can be undone by a configuration error during deployment.
For each mobile application, development teams must understand the
associated application and data risks and make sure that engineering
activities correspond appropriately, as described in Table 6. Security
Engineering Activities Based on Application Type. A new or mission-critical
application (See Mobile App A column) may warrant a heavier security analysis
such as threat modeling, code review, and penetration testing by both
internal and external teams. A legacy application (See Mobile App B column)
may only require regular penetration testing and deployment reviews. A
low-risk application (See Mobile App C column) that doesn’t handle sensitive
data may require a design review and static application security testing
(SAST)/dynamic application security testing (DAST) scans.
Table 6. Security Engineering Activities Based on Application Type

Activity / Mobile App A (New/Mission-Critical) / Mobile App B (Legacy) / Mobile App C (Low-Risk)
Define Security Objectives X X
Apply Security Design Guidelines X X
Threat Model X
Security Architecture and Design Review X X
Apply Security Implementation Guidelines X
SAST/DAST Scan X X
Security Code Review X
Security Penetration Testing X X X
Apply Security Deployment Guidelines X
Security Deployment Review X
3rd-Party Security Penetration Test X
3 SECURITY EDUCATION AND TRAINING
To build secure software, application development teams must know what to do and how to do it. And they must understand what they are up against, including mobile-specific idiosyncrasies, challenges, attacks, the unique syntax of each mobile language, as well as mobile platform security features that can help reduce the overall cost of developing secure mobile applications.
Security education and training are critical to building and reinforcing the team’s overall knowledge and skills for implementing the organization’s security policies, procedures, standards, and security engineering activities for application development across the multiple mobile platforms.
Role-based training, in particular, ensures that all team members have the knowledge and specialized skills to implement security activities properly according to their specific role and the mobile platform(s):
• Executives and Managers need to understand the unique threats to the mobile platform. To ensure the design of secure applications from the start, they should provide their development teams with the necessary tools, training, and resources.
• Architects need to be able to choose secure mobile components, frameworks, communications, databases, and other architectural elements to serve as a blueprint for developers.
• Developers need to understand how to code securely to avoid mobile-specific vulnerabilities, and how to fix security defects found in their code.
• Testers need to understand how mobile applications are attacked and how vulnerabilities are exploited in their deployed environment. They need to have the skills to test applications running on different mobile operating systems and the tools required to test risks associated with each system.
A formal training plan doesn’t mean a rigorous or bureaucratic system, but rather supports the entire development team in helping them gain the knowledge they need to build, deploy, and maintain secure mobile applications consistently. The benefits of a formal training plan cannot be overstated.
Training should be done over time, and paired with specific hands-on activities (“learn by doing”) so that teams have a chance to absorb and apply the material. Build your plan and break it into manageable and digestible chunks. Also consider implementing security champions and other leadership roles, and ensure that their skill levels are more advanced than the rest of the team.
Table 7 shows an example of a role-based training curriculum. While the courses and roles would vary for each organization, it is a good framework to help you grasp the minimum skill levels needed and tie them into a long-term skills development initiative.
Table 7. An Example of a Role-Based Training Curriculum
Role | Core | Intermediate | Advanced
Scrum Master | Fundamentals of Secure Mobile Development | How to Create Security Requirements |
Product Owner | Fundamentals of Secure Mobile Development | |
Architect | Fundamentals of Secure Mobile Development | Architecture Risk Analysis and Remediation | Creating an Application Security Threat Model
iOS Developer | Fundamentals of Secure Mobile Development | Creating Secure Code in Objective-C and Swift | How to Perform a Security Code Review
Android Developer | Fundamentals of Secure Mobile Development | Creating Secure Code in Java and Kotlin | How to Perform a Security Code Review
Tester/QA | Fundamentals of Secure Mobile Development | Classes of Security Defects | Advanced Software Security Testing – Tools and Techniques
Conclusion
Regardless of platform, application development teams are under
increasing pressure to deliver applications that are functional and
intuitive – while facing market pressures of cost and timing.
Understanding the mobile-specific risks, attack types, and distinct
communications is a critical step for these teams toward building effective
security consistently into the mobile applications.
A heightened organizational awareness of mobile-specific security
translates to the implementation of more formal and optimized application
development security programs that support mobile development teams
with the essential tools, training, and resources they need to design and
implement more secure mobile applications.
Only then can organizations truly embrace the significant benefits of the
mobile platform.
How Security Innovation Can Help
Driven by our Mobile Center of Excellence that conducts ongoing research
on popular mobile platforms, technologies, and hardware components,
Security Innovation offers solutions to help organizations assess risk and
improve mobile security from multiple perspectives – external attackers,
malicious internal users, and even well-intentioned employees.
MOBILE APPLICATION SECURITY TRAINING
Our curriculum covers all major roles, technologies, and platforms and is comprised of 200+ computer-based and instructor-led training courses. Popular mobile courses cover the fundamentals of mobile development, and creating secure code in various languages including Objective-C/Swift (iOS) and Java/Kotlin (Android).
MOBILE APPLICATION SECURITY ASSESSMENTS
For more than a decade, organizations have relied on our engineers to conduct detailed analysis and complex attacks on software, devices, and back-end systems with the same level of sophistication and determination that an attacker would. Our assessment solutions include:
• Threat modeling to identify risks, cover multiple abuse cases, and guide test planning
• Security code reviews to find programming mistakes that elude scanners
• Penetration testing to conduct operating system- and application-level attacks to unearth deeply rooted vulnerabilities
For each identified vulnerability, we assign a risk rating specific to your environment, describe the business impact, and provide prescriptive remediation guidance (including code samples) for your specific mobile platform and language.
MOBILE APPLICATION CYBER RANGE
Runstoppable is an insecure Fitness App that challenges players to use a real phone or an emulator to solve client- and server-side challenges. It's the most hands-on way to build mobile application security skills.
SECURE SOFTWARE DEVELOPMENT LIFE CYCLE OPTIMIZATION
This service analyzes your existing Software Development Life Cycle (SDLC) against industry-based secure programming processes and standards: OWASP Mobile Top Ten, International Organization for Standardization (ISO), NIST, and PCI DSS. The output is a roadmap that fills gaps with proper training, activities, and tools usage to ensure secure and repeatable mobile application development.
Resources
1. Ponemon Institute. The State of Mobile Application Security.
2. Apple. Secure Coding Guide.
3. NIST. Special Publication 800-88, Revision 1: Guidelines for Media Sanitization. February 5, 2015.
4. Wikipedia. Bluetooth: History of Security Concerns.
5. Finjan Mobile. Blog. What Is Bluesnarfing? March 13, 2017.
6. NIST. Digital Identity Guidelines. June 22, 2017.
7. Ponemon Institute. The State of Mobile Application Security.
8. OWASP. Mobile Security Project.
9. Security Innovation. Blog. 2016 OWASP Mobile Top 10 Risks vs. OWASP Mobile 2014 RC. Dinesh Shetty. November 30, 2016.
10. CERT. SEI CERT Coding Standards. Sandy Shrum. August 21, 2017.
ABOUT SECURITY INNOVATION
Since 2002, Security Innovation has been the trusted partner for cybersecurity risk analysis and mitigation for the world’s leading companies, including Microsoft, Sony, GM, Disney, Google, and Dell. Recognized as a Leader in the Gartner Magic Quadrant for Security Awareness Computer-Based Training for the third year in a row, Security Innovation is dedicated to securing and protecting sensitive data in the most challenging environments – automobiles, desktops, web applications, mobile devices, and in the cloud. Security Innovation is privately held and headquartered in Wilmington, MA USA. For more information, visit us at www.securityinnovation.com.