Posted by Luke Arntson on September 7, 2017
Modern mobile device users often have their devices tightly integrated into daily life. From banking apps to social media feeds, these applications are high-visibility targets for hackers and thieves looking to exploit weaknesses in them. By ramping up mobile app security, vendors ensure the safety and security of their users and their infrastructure.
The latest high-profile mobile threat is the BroadPwn attack. This threat targets the Broadcom chipset used in many popular mobile devices. BroadPwn takes advantage of low-level communications combined with flaws in the Android platform, allowing a malicious payload to travel from one phone to the next virtually undetected. Fuzz testing tools are an ideal method of detecting this type of flaw.
Another recently discovered vulnerability is the Dirty Cow exploit, which is used to obtain system-level access on the Android platform. Using this known Linux kernel vulnerability (CVE-2016-5195), Android malware installed Trojans and backdoors onto mobile devices, stealing sensitive user data and attacking installed application storage.
These vulnerabilities often take advantage of a mobile application’s weakest link: the operating system. Malware can watch the user’s screen and send snapshots of visible input fields. It can also read files normally reserved for the system to gather unprotected databases and certificates.
Once an operating system has been compromised, the application's memory and data are no longer safe: without proper encryption, they can be read directly. Root detection is often used as a stop-gap to prevent applications from launching in a hostile environment. However, this doesn’t protect data stored on the system or in memory.
Dedicated attackers often patch out root detection and circumvent the other measures an application uses to detect that its environment has been tampered with. Mobile application security must therefore incorporate protections that do not treat the operating system as the only barrier between an attacker and the user's passwords or credit card numbers.
Let’s explore three ways to avoid such vulnerabilities and potential attacks:
Developers can no longer depend on a secure, isolated environment when creating a mobile application. With today’s attacks targeting the operating system and the underlying hardware of the platform, organizations must plan to create applications that protect not only against static analysis but also against active attacks on the platform and the network. Creating an application that can withstand these attacks requires several key factors:
By following these key factors, today’s mobile application platforms stand a much better chance of protecting both the customers and vendors.
The most challenging component of mobile application security is ensuring that guidelines are followed throughout the software development life cycle (SDLC). This requires diligence from the entire project team. Every member is responsible for ensuring they are following security best practices.
During the planning phase of the project, all members of the platform team must be involved in actively integrating security into the platform. It’s important to have a head of security within the team to ensure everyone incorporates security into the design. When designing and developing the application, it’s also important to ensure that developers are practicing secure coding. Through training and tool-assisted development, you can ensure developers don’t compile vulnerable code into the application.
Oftentimes companies with a separate quality assurance (QA) team leave penetration and security testing until after the implementation and verification phases of the SDLC. This results in testing at the end of the product’s life cycle, which often coincides with release dates and team commitments. Plan ahead. Integrate assessments and penetration tests of the mobile application platform during the implementation and verification phases. This ensures the team isn’t rushing to fix issues at the eleventh hour before the delivery date.
It is also important to have security monitoring systems in place to watch for attacks and breaches within the platform. Guidelines should be prepared in case a vulnerability is discovered in the platform itself, such as a public exploit for a library or a vulnerable version of a web server. This requires a stringent guideline for:
Creating a mobile application platform has many risks, but the marketplace is thriving. In 2016, Apple had over 140 billion cumulative software downloads, making it one of the most successful software platforms in history. By integrating the key factors for security into the SDLC, mobile application platforms can not only protect themselves from hackers and thieves but also thrive in today’s market. By proactively integrating security into the entire process, a mobile application team can greatly decrease risk while maximizing reward.
Ramping up mobile application security by tightly integrating security into the SDLC doesn’t only ensure protection for the vendors. It also increases reputation and maximizes profits from the mobile marketplace.