According to a recent survey, 90 percent of U.S. and UK IT managers said they are planning to implement new mobile applications this year, with half saying that successfully managing mobile applications tops their priority list. The same survey also revealed that 21 percent plan introduce 20 or more mobile applications into their organization in 2011. Challenged to implement enterprise-wide application security policies, CIOs and CISOs are realizing they have significantly lower visibility, expertise and control over mobile apps and devices compared to other layers of their IT infrastructure.
“While much has been done in terms of setting standards for the security of web applications, we felt it was necessary to extend the same rigorous framework to mobile,” said Chris Wysopal, CTO, Veracode. “In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits.”
In addition to announcing new mobile application verification services, the company also announced, and is pushing, a “Mobile App Top 10 List” with the goal of serving as an industry standard for categorizing malicious functionalities and as a checklist of vulnerabilities that developers and security teams can utilize to determine what mobile app risks exist and how they can be mitigated. While traditional security vulnerabilities can be compounded by mobile use case specifics and new, platform-particular challenges, the same best practices established in other environments should be adhered to, Veracode says.
Veracode compares its Mobile App Top 10 to the likes of the OWASP Top 10 or CWE/SANS Top 25, which are used for verifying traditional, third-party applications. At the very least, it can serve as a foundation for understanding specific threats such as activity monitoring and data retrieval; unauthorized dialing, SMS and payments; system modification; and sensitive data leakage, which can be magnified in a mobile environment.
Secure coding, security testing and basic security precautions may often be an afterthought in today’s rapid mobile app development process, as evidenced, in-part, by the lack of encrypting bank account access codes in Citbank’s iPhone app last year. The mobile app malware threat is also quickly progressing from simple “premium SMS and call” attacks that directly monetize by running up the victims bill, to full- blown mobile botnet functionality, such as the recently discovered Geinimi Trojan for Android phones.
“In a rush to accommodate mobile support to existing web applications developers are introducing vulnerabilities into already stable applications,” according to Noa Bar-Yosef, a Senior Security Strategist at Imperva and SecurityWeek contributor. “From the classic SQL injection and Cross Site Scripting vulnerabilities to ones that are more mobile specific. One common type of mistake is relying on message content, automatically introduced by the mobile device, for authentication and identification, while in reality such information can be easily forged,” Bar-Yosef writes.
Enterprises are threatened by applications built in-house, off-the-shelf, outsourced and with third-party components that are deployed via the cloud, web and on mobile platforms. To manage this mounting, and what appears to be uncontrollable, risk CIOs and CISOs must implement policy-driven application risk management programs and seek independent security verification of all their applications including mobile applications from all their stakeholders across their entire software supply chain.
“CIOs and CISOs are increasingly aware that next generation software infrastructure for their enterprise is increasingly ‘cloud-sourced’ and developed from unknown or untrusted third-party app stores and developers,” said Matt Moynahan, CEO, Veracode. “While the cost and functional benefits of embracing the cloud are many, it is critical to ensure the security risks associated with this model are controlled.”
Technical Reading: Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms