Your mobile device is a treasure chest of valuable information for criminals…
Mobile computing is quickly changing the way we live and interact with the world around us. While being connected to the world at all times makes us more efficient and productive in society, there are many security and privacy issues to take into consideration.
The threat model for mobile devices differs significantly from that of their larger desktop and laptop counterparts. They travel everywhere with us, they are powered on at all times, and we use them to access a multitude of services. We have a much better chance of losing an iPhone than a 27-inch iMac desktop computer. Our smartphones hold all of our contacts, constant access to several email accounts, our social networks, our banks, corporate networks, and much more. Your mobile devices know where you have been, who you were there with, and what you did. Your mobile device is a treasure chest of valuable information for criminals and others with less than honorable intentions. Often a vulnerability in a single application leads to the compromise of many services, whether through passwords the user has reused elsewhere or through leaked Single Sign-On (SSO) credentials. A single piece of malicious software can extract everything about your life and potentially allow an attacker to pivot into your enterprise's network. This is bad.
As more companies move into the mobile space, we continue to see trends indicating that we have taken several steps backwards in security. From both a privacy and a security standpoint, this is frightening. In application security, we have cultivated a list of best practices over the years, many of which have been adopted as formal standards. These include storing sensitive information encrypted at rest, using SSL/TLS for data in transit, and following the principle of least-privilege access. We have not seen many of these best practices and "easy wins" replicated within the mobile application space. As the "easy" issues are neglected, we are simply not preparing ourselves to tackle the security challenges of the more exotic mobile technologies and use cases now being developed.
In many cases, security is being neglected as a result of racing new products to market to gain a competitive edge. The difference between being first to market and finishing in second place can mean the world to a company. At the same time, building your house out of straw instead of bricks will eventually come back to haunt you. While balancing security requirements with usability is a constant juggling act that one must endure, organizations built for long-term success understand and embrace these challenges.
The harsh reality is that before things get better, they will probably get much worse. We have only scratched the surface of what is possible in mobile computing, and there will surely be many new risks and security obstacles to overcome in the next few years. With technologies such as Near Field Communication (NFC) set to be integrated into virtually everything around us, these risks to businesses and organizations will become much more visible and more widely exploited.
I encourage any individuals, government organizations, or companies developing mobile applications to pay close attention to how secure their applications are and how well they are protecting the data for their users. Security extends far beyond the mobile device itself; your infrastructure is vital to a secure mobile architecture as well, even if you do not host your own physical servers. A serious security breach could place a huge financial and resource burden on your organization. More importantly though, you owe it to your customers and users to do your absolute best to protect their privacy and personal information.
About Jack Mannino
Jack Mannino is the CEO of nVisium Security, a leading provider of mobile application and web application security services. At nVisium he is responsible for ensuring that all services are delivered at the highest levels of quality and with keen attention to detail. nVisium’s offerings include security source code reviews, penetration testing, remediation services, threat modeling, and developer training. He focuses on mobile application security research (especially Android), and is the co-leader of the OWASP Mobile Security Project. In addition to the Mobile Security Project, Jack is also heavily involved with the OWASP Northern Virginia Chapter where he serves as a member of the chapter’s board.