
Application Security

Veracode Expands Mobile App Verification Service to Android and iOS

According to a recent survey, 90 percent of U.S. and UK IT managers said they are planning to implement new mobile applications this year, with half saying that successfully managing mobile applications tops their priority list. The same survey also revealed that 21 percent plan to introduce 20 or more mobile applications into their organization in 2011. Challenged to implement enterprise-wide application security policies, CIOs and CISOs are realizing they have significantly less visibility, expertise and control over mobile apps and devices than over other layers of their IT infrastructure.

To help mitigate these emerging mobile threats, Veracode, Inc., a provider of cloud-based application risk management services, today expanded its verification service for mobile applications. The company currently provides application security verification for RIM’s BlackBerry and Windows Mobile operating systems. Support for Google’s Android OS will be available this quarter, with support for Apple’s iOS coming in Q2 ’11. During the beta period, Veracode is accepting all mobile app submissions, regardless of platform, for free security verification.

“While much has been done in terms of setting standards for the security of web applications, we felt it was necessary to extend the same rigorous framework to mobile,” said Chris Wysopal, CTO, Veracode. “In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits.”

In addition to the new mobile application verification services, the company also announced a “Mobile App Top 10 List” intended to serve as an industry standard for categorizing malicious functionality and as a checklist of vulnerabilities that developers and security teams can use to determine what mobile app risks exist and how they can be mitigated. While traditional security vulnerabilities can be compounded by mobile use-case specifics and new, platform-particular challenges, the same best practices established in other environments should still be followed, Veracode says.

Veracode compares its Mobile App Top 10 to the likes of the OWASP Top 10 or CWE/SANS Top 25, which are used for verifying traditional, third-party applications. At the very least, it can serve as a foundation for understanding specific threats such as activity monitoring and data retrieval; unauthorized dialing, SMS and payments; system modification; and sensitive data leakage, which can be magnified in a mobile environment.

Secure coding, security testing and basic security precautions are often an afterthought in today’s rapid mobile app development process, as evidenced in part by Citibank’s iPhone app storing bank account access codes unencrypted last year. The mobile malware threat is also quickly progressing from simple “premium SMS and call” attacks, which monetize directly by running up the victim’s bill, to full-blown mobile botnet functionality, such as the recently discovered Geinimi Trojan for Android phones.

“In a rush to accommodate mobile support to existing web applications, developers are introducing vulnerabilities into already stable applications,” according to Noa Bar-Yosef, a Senior Security Strategist at Imperva and SecurityWeek contributor. “From the classic SQL injection and Cross Site Scripting vulnerabilities to ones that are more mobile specific. One common type of mistake is relying on message content, automatically introduced by the mobile device, for authentication and identification, while in reality such information can be easily forged,” Bar-Yosef writes.
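The mistake Bar-Yosef describes, trusting request content that the handset or carrier gateway added, alongside the fix, as an added example that is not part of the original article or of Veracode’s service. The X-MSISDN header name, the account table, the sample requests and the token format are constructed assumptions for illustration; the point is that a header any HTTP client can set is not an identity, whereas a server-issued token bound to a login with an HMAC is.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample requests. X-MSISDN stands in for any header a carrier
# gateway or device might inject; an attacker sends whatever value they like.
LEGIT_REQUEST = {"X-MSISDN": "+15551234567", "User-Agent": "BankApp/1.0 (iPhone)"}
FORGED_REQUEST = {"X-MSISDN": "+15559876543", "User-Agent": "curl/7.64"}

# Hypothetical account table keyed by phone number (assumption for the demo).
ACCOUNTS = {"+15551234567": "alice", "+15559876543": "bob"}


def vulnerable_identify(headers):
    """The anti-pattern: treat a device/gateway-supplied header as proof of identity.
    Anyone who can craft an HTTP request can claim any subscriber number."""
    return ACCOUNTS.get(headers.get("X-MSISDN"))


# Hardened path: identity comes only from a token the server issued after a real
# login. The token carries user id and expiry, authenticated with an HMAC under a
# key the client never sees (in practice kept in a KMS/HSM and rotated).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900  # seconds


def issue_token(user_id, now=None, key=SERVER_KEY):
    """Create 'user:expiry:hexmac' for a user who has already authenticated."""
    now = int(time.time() if now is None else now)
    payload = f"{user_id}:{now + TOKEN_TTL}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + ":" + tag


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the user id if the MAC matches and the token is unexpired, else None."""
    now = int(time.time() if now is None else now)
    try:
        user_id, expiry, tag = token.rsplit(":", 2)
        expiry = int(expiry)
    except ValueError:
        return None  # malformed token
    payload = f"{user_id}:{expiry}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if expiry < now:
        return None
    return user_id


def hardened_identify(headers):
    """Ignore X-MSISDN entirely; only a valid bearer token identifies the caller."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):])


def demo():
    """Run both identification paths against legitimate and forged input."""
    token = issue_token("alice")
    tampered = token.replace("alice", "bob")  # user id changed, MAC no longer matches
    return {
        "vuln_legit": vulnerable_identify(LEGIT_REQUEST),
        "vuln_forged": vulnerable_identify(FORGED_REQUEST),  # attacker becomes bob
        "hard_no_token": hardened_identify(FORGED_REQUEST),
        "hard_legit": hardened_identify({"Authorization": "Bearer " + token}),
        "hard_tampered": hardened_identify({"Authorization": "Bearer " + tampered}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable path hands the forged request the identity of whichever subscriber the attacker named; the hardened path rejects it, rejects a token whose user id was edited, and rejects an expired token, while still accepting a genuine one.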

Enterprises are exposed through applications built in-house, bought off-the-shelf, outsourced, and assembled from third-party components, deployed via the cloud, the web and mobile platforms. To manage this mounting and seemingly uncontrollable risk, CIOs and CISOs must implement policy-driven application risk management programs and seek independent security verification of all their applications, mobile included, from every stakeholder across their software supply chain.

“CIOs and CISOs are increasingly aware that next generation software infrastructure for their enterprise is increasingly ‘cloud-sourced’ and developed from unknown or untrusted third-party app stores and developers,” said Matt Moynahan, CEO, Veracode. “While the cost and functional benefits of embracing the cloud are many, it is critical to ensure the security risks associated with this model are controlled.”


Technical Reading: Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
