There's an Insecure App for That

Mobile phones now have an application for almost everything, and experts say many of those apps leave the same basic security holes wide open. Here are five tips for building secure mobile applications.

The Apple iPhone "app for that" commercials have become so ingrained in pop culture that it's a running joke, a catch line among many folks. There is even a website that parodies the ad campaign. But, it's true, these days, whether you want to use Facebook and Twitter, bank online, or find the nearest Thai restaurant, you can find an application to help you get it done.


Clark said the impetus for the book was the abundance of mistakes he and his colleagues witnessed when consulting with clients about mobile applications: mistakes that led to valuable data being exposed to attackers, and mobile web applications that were susceptible to common attacks such as cross-site scripting or SQL injection.

Here Clark offers five simple application security tips for developers, and for IT folks who deploy mobile applications in the enterprise.

Tip 1: Don't forget basic security practices when it comes to mobile applications

Clark says that while this might sound basic and obvious, it is painfully lacking in the development community when it comes specifically to mobile applications. "I don't know if it's psychological or what, but people say 'Oh, it's mobile' and just forget about security," said Clark. "I've seen many experienced development shops that tend to forget everything they know when they start to develop mobile applications."

So many enterprises develop mobile applications that are an extension of a business application that is already being used in the organization. The same security concerns apply, and then some, said Clark.

Tip 2: Consider the unique risks of mobile devices

"One of the risks developers don't think about is simply the mobile form factor and the risks that come with it," said Clark. "Mobile devices are more easily lost or stolen than a computer."

Since mobile devices are more likely to go missing, mobile applications should be built with that in mind. The application should use the device's encryption functionality to protect data at rest.

Tip 3: Don't allow sharing of authentication information between sites

Clark said studies have shown that entering a secure password on a mobile device takes 31 key presses, as opposed to just 12 on a computer keyboard. The point is: mobile passwords are notoriously insecure. If a user reuses the same password on both the mobile and the main application and it is cracked on the mobile device, the password for the main application is revealed as well.

"Don't degrade your overall authentication mechanism by sharing credentials between main and mobile," said Clark.

The most successful and secure mobile applications are ones that do NOT implement all of the functionality of the main application into the mobile version, said Clark. Using a bank as an example, the popular functions of money transfers or bill pay abilities can still be used in the mobile app, but with limitations.

"If you think about some way someone might try to exploit that, it would be add a new bill pay or add a new account and transfer money into it. If the mobile application is developed so that the user can't add new money recipients or payees, this prevents any hacker from doing much damage to the account because they can't take advantage of the full functionality of the banking application."
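As an added example (not code from the article or from any bank), the following shows how a server could enforce the reduced mobile functionality Clark describes: a mobile session may pay payees that already exist but can neither register a new payee nor transfer to an unregistered one. The channel-tagged session, the account structure and the amounts are assumptions.

```python
# Added example, not the article's code: server-side enforcement of a
# reduced mobile channel for the bank case above. Names and values assumed.

# Per-channel allowlist. Mobile omits ADD_PAYEE; because the check runs on
# the server, hiding the button in the app is not what protects the account.
CHANNEL_ACTIONS = {
    "web":    {"VIEW_BALANCE", "TRANSFER", "PAY_BILL", "ADD_PAYEE"},
    "mobile": {"VIEW_BALANCE", "TRANSFER", "PAY_BILL"},
}

class ChannelPolicyError(PermissionError):
    """Action not permitted for the session's channel."""

def authorize(session, action):
    # The channel is fixed at authentication, not chosen per request.
    if action not in CHANNEL_ACTIONS.get(session["channel"], set()):
        raise ChannelPolicyError(f"{action} not allowed on {session['channel']}")

def add_payee(session, payee):
    authorize(session, "ADD_PAYEE")
    session["account"]["payees"].add(payee)

def transfer(session, payee, amount):
    authorize(session, "TRANSFER")
    acct = session["account"]
    if payee not in acct["payees"]:     # money moves only to registered payees
        raise ChannelPolicyError(f"{payee!r} is not a registered payee")
    if not 0 < amount <= acct["balance"]:
        raise ValueError("invalid amount")
    acct["balance"] -= amount
    return acct["balance"]

def refused(call):
    """True when the call is blocked by channel policy."""
    try:
        call()
        return False
    except ChannelPolicyError:
        return True

def demo():
    acct = {"balance": 100_00, "payees": {"electric-co"}}  # constructed data
    web = {"account": acct, "channel": "web"}
    mobile = {"account": acct, "channel": "mobile"}
    out = {"mobile_pay_known": transfer(mobile, "electric-co", 25_00),
           "mobile_add_payee": refused(lambda: add_payee(mobile, "x")),
           "mobile_pay_unknown": refused(lambda: transfer(mobile, "x", 1))}
    add_payee(web, "new-payee")         # the full channel may register payees
    out["web_add_payee"] = "new-payee" in acct["payees"]
    return out
```

A cracked mobile password therefore yields, at most, payments to recipients the account owner already set up, which is the limited damage Clark describes.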

Tip 4: Don't expose line-of-business applications to your mobile workforce without the proper security in place

As noted above, many organizations are now rolling out mobile extensions of business applications already in use so that road warriors can access them from anywhere. As a result, and in their haste, many organizations take line-of-business applications that were originally engineered to intranet standards and expose them on the internet.

"They will often put some kind of middleware translation layer in front of them," said Clark. "Basically something that presents a web interface to the mainframe. Then it's put online so it can be accessed by mobile devices. But they are not internet hardened and it's dangerous. We've found some really nasty bugs when people have done that."

Instead, security needs to be considered before placing a mobile translation layer in front of legacy applications and exposing them to the internet.

Tip 5: Take advantage of the security features that are available in each device when writing native apps

When developing native applications, developers have to write in Objective-C for iPhones and Java for BlackBerry. Clark recommends that instead of taking a one-size-fits-all mentality, each application should be written with the specific device in mind.

"Each device has its own operating system and its own set of rules," said Clark. "But people don't seem to know yet how to build applications that take advantage of each platform's security features."

Copyright © 2010 IDG Communications, Inc.