14 Mar, 2018

Why Mobile Application Security?

by David Lindner

In an era of constant, persistent connectivity, our relationships are increasingly managed through instant communication channels powered by mobile technology. There are now more cellular subscriptions than there are people in the world, and an estimated 10 billion mobile connected devices in use. The demarcation between business and personal time is no longer clear. We can use FaceTime, Slack, or hold a GoToMeeting with clients on our smartphones, all while taking notes, sending emails, and perhaps playing a little Trivia Crack on the side. We still love to go on vacation, yet we want to remain reachable during our downtime. Since carrying a laptop to the beach is a bit of a pain, we just throw an iPad or Pixel C into our beach bag. Our circles, both personal and professional, can now see the stunning backdrop of aquamarine water, sun-drenched sand, or a tall, colorful drink embellished with exotic fruit and a paper umbrella, all thanks to Instagram. Mobile technology lets us respond from wherever we are, no matter what else we may be doing. That latitude also obliges us to be connected, available, and productive in both our personal and business lives.

We now carry a single, small, smart device that provides constant connectivity and tethers us to our business and personal lives on demand. But mixing business with pleasure not only raises privacy concerns, it also exposes our business networks to new threats. Hundreds of mobile applications, of both a business and a personal nature, are commingled on our devices, and in some cases they share, replicate, and back up data. This forces us into a tenuous balancing act: securing our business data and networks from these smart devices while still giving employees the flexibility to do their work from anywhere, at any time.

With the gifts technology brings comes the responsibility to ensure that these devices and applications are used safely. By and large, most consumers aren’t aware of the clear and present dangers. To wit, 28% of mobile device users do not use the built-in passcode or device protections, yet 80% of people use their smartphones to shop. A user’s sensitive data ends up in a myriad of locations within installed applications: in device memory, on the file system, in numerous caches, and in other built-in mechanisms such as keyboard autocomplete or the pasteboard. Furthermore, users can be tracked through the GPS location data the device may embed in contacts, images, map searches, and so on. As such, a stolen or second-hand device can hold more than enough data to steal a person’s identity.
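To make the leak paths above concrete, here is an added iOS example (not code from the original post or from nVisium) showing the default, leaky way of handling a secret next to the hardened settings for each location the text names: keyboard autocomplete, the pasteboard, the file system, and the keychain as the right home for small secrets. The names `Leak`, `weakCopy`, `hardenedCopy`, `weakWrite`, `hardenedWrite`, and `storeInKeychain` are placeholders chosen for this illustration; only the UIKit, Foundation, and Security APIs they call are real.

```swift
import UIKit
import Security

// Added example, not from the original post. `Leak` and its method names are
// placeholders for this illustration; the UIKit/Foundation/Security calls are real.
enum Leak {
    /// Weak: a default text field keeps predictive text and autocorrect on,
    /// so what the user types can be learned by the keyboard dictionary and
    /// offered back later as an autocomplete suggestion.
    static func weakTextField() -> UITextField {
        let field = UITextField()
        field.placeholder = "Password"
        return field
    }

    /// Hardened: secure entry (no keyboard caching, masked on screen and in
    /// screenshots) and every suggestion/correction mechanism switched off.
    static func hardenedTextField() -> UITextField {
        let field = UITextField()
        field.placeholder = "Password"
        field.isSecureTextEntry = true
        field.autocorrectionType = .no
        field.autocapitalizationType = .none
        field.spellCheckingType = .no
        field.textContentType = .password
        return field
    }

    /// Weak: the general pasteboard is readable by every app on the device,
    /// survives app exit, and is shared via Universal Clipboard by default.
    static func weakCopy(_ secret: String) {
        UIPasteboard.general.string = secret
    }

    /// Hardened: keep the item on this device only and expire it after 60 s,
    /// so a stray secret does not linger for other apps to read.
    static func hardenedCopy(_ secret: String) {
        UIPasteboard.general.setItems(
            [[UIPasteboard.typeAutomatic: secret]],
            options: [.localOnly: true,
                      .expirationDate: Date().addingTimeInterval(60)])
    }

    /// Weak: default data protection; the file is readable whenever the
    /// volume is mounted (forensic image, jailbroken device, backup).
    static func weakWrite(_ data: Data, to url: URL) throws {
        try data.write(to: url)
    }

    /// Hardened: complete file protection encrypts the file under a class key
    /// that is only available while the device is unlocked.
    static func hardenedWrite(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// Hardened alternative for small secrets (tokens, passwords): the keychain,
    /// not a plist, UserDefaults or a cache file. ThisDeviceOnly keeps the item
    /// out of backups that could be restored onto another device.
    static func storeInKeychain(_ secret: Data, account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: account,
            kSecValueData as String: secret,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        SecItemDelete(query as CFDictionary) // replace any existing item
        return SecItemAdd(query as CFDictionary, nil)
    }
}
```

`storeInKeychain` returns the raw `OSStatus`; callers should check for `errSecSuccess` rather than assume the write landed. None of this helps with the "device memory" location the text also lists: a secret held in an immutable `String` stays in the process heap until the page is reused, so the complementary check during an assessment is a heap or memory dump of the running app, which is exactly the kind of runtime analysis described later in this post.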

Now it’s time to enter the world of mobile application security. I started my foray at a very small boutique consulting firm specializing in application security, as an Application Security Engineer in 2008. At that time, Apple was getting ready to release their second iPhone, the 3G. Google’s first commercially available handset was to be released shortly thereafter. Along with the iPhone 3G, Apple also unveiled their “AppStore” to the world. Although Blackberry had a stronghold on the business market, Apple and Google had other plans. Even back then, I foresaw the critical need to migrate existing application security practices into the mobile world, given the release of the Apple AppStore and the flurry of applications it added to the global market. It took a couple of years for Apple and Google to establish trust with the business world, and by 2010 it was clear that establishing mobile application security expertise to serve our clientele’s needs was required. A mere 7-10 years ago, mobile application security was a foreign concept and most clients had not given thought to leaving their Blackberry worlds, but I saw the writing on the wall. I decided it was time to start researching and pursuing mobile application security.

From the early days of mobile, I wanted to be involved in creating security practices, evangelizing the need for security with developers, and contributing my expertise to both the technical and business sides of the house. The Open Web Application Security Project (OWASP) was a great place to help create application security standards to meet the new world order. A small group of us got together on a grassroots basis and drafted the “Top Ten Risks of Mobile Security” and “Top Ten Controls of Mobile Security.” We quickly determined that most of the threats and controls had to focus on the data an application or organization may allow, store, or send to and from these devices. Once those top ten lists were drafted, I moved on to serve as an early reviewer of the “OWASP Mobile Testing Guide.” The Top Ten and Testing Guide have evolved greatly since then, but we had to start somewhere!

As an application security practitioner, it is vitally important to me that businesses and individuals understand the security considerations, and the ramifications when those considerations are not apparent. The mobile world has since grown into the “internet of things,” or IoT, and I am delighted to be part of this rapidly evolving world with nVisium.

I brought my skills and leadership to nVisium back in late 2015 because I believed in the strength of the organization and its commitment to clients and their application security needs. A lot of what we do is “break” current architectures to bypass built-in security controls or to expose missing security controls; however, we also help developers and clients understand the root causes and how to fix them. As an example, we were able to successfully bypass authentication and authorization controls to anonymously transfer money from one bank account to another. In another mobile assessment, we were able to successfully perform runtime manipulation and memory analysis of the mobile application to not only find and change the currently logged-in user’s password but also bypass the TouchID authentication mechanism.

As experts in the field of mobile application security, nVisium draws upon its combined decades of engineering and security experience to produce practical, scalable, and repeatable services that help keep our clients’ software secure and their businesses safe. We can integrate into your team’s existing development processes and workflows to help build a more robust security program.