• United States



Securing Mobile Data at the Application Layer

Oct 23, 20114 mins
Business ContinuityData and Information Security

Cross-posted from the McAfee Security Connected blog  

Most mobile device applications have serious security vulnerabilities.

These flaws include the storage and transmission of unencrypted data, poor session handling, and data leakage. McAfee addresses many of the management and compliance challenges through its Mobile Security Strategy.

The Open Web Application Security Project (OWASP) Mobile Security Project focuses on the security of the applications that enrich the mobile device user experience. According to its contributors, it “is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.”Following in the theme of the OWASP Top 10 web application risks, the project focuses on the top ten mobile risks. This series will launch with a discussion of risk number one – Insecure Data Storage. The controls recommend to mitigate these risks include encryption, data classification, session management, and data leakage.Gartner’s analysis of upcoming mobile application trends highlights the need for a rigorous Secure Software Development Lifecycle (SSDLC). These include financial applications, location-based services, and mobile health monitoring.

Data Classification

OWASP recommends that processing, storage and transmission of data should be consistent with its classification. Developers should consider data sensitivity when creating data models from which information will be queried and processed.

They should also communicate with business stakeholders to identify the stages where data classification changes. The University of Florida has composed a mobile device data classification policy covering OWASP’s recommendations.

Access Control

The increased usage of mobile devices to access financial content, such as online banking and credit card management sites, makes a compelling case for strong access controls. According to a study performed by Stephen Perlson and Reinhardt Botha, there are three key security services that developers should address.

  • Authentication – the application must confirm the claimed identity.
  • Confidentiality – the application does not disclose information erroneously. OWASP advises that applications be programmed to collect and disclose only the data that is required for business use.
  • Integrity – the application attempts to mitigate the risk of data corruption.


Consider the data exposed to the applications on your smart phone; information on your contacts, credentials to email accounts, and possibly credentials to financial sites, just to name a few.

A survey of 100 consumer mobile applications conducted by ViaForensics found that 76% of apps stored unencrypted user credentials. The survey also found that private data could be recovered from 60% of these applications. The risk of credential sniffing or session hijacking is enhanced for those users who retain active sessions with a website.

OWASP recommends that data stored or transmitted from the mobile device be encrypted. The choice of encryption solution will vary depending on the enterprise requirements. In any case, developers should design code that does not store/cache sensitive unencrypted data.

All sensitive data should be transmitted to a server via a secure network connection and deleted from the mobile device. Sensitive data should be stored in an encrypted form if network connectivity is unavailable.

Data Purging

Data retention extends beyond its familiar consideration in the handling of data outside of software applications. OWASP warns that applications retaining data beyond the period required for processing increases the chance of data leakage.

It advises that developers destroy sensitive data such as GPS coordinates or financial data once an application utilizes it. Additionally, all data that exceeds a specified retention period should be deleted.

The Kill Switch

According to a study by the Department of Health and Human Services, over 116 cases of mobile device loss or theft led to the exposure of at least 500 patient records between September 2009 and May 2011.

This is but one case where applications lacked access to the common API that allows the deletion of data or disabling of the device remotely. OWASP recommends that this API is accessible by all applications that store/process data on the device.

The next installment in this series will discuss the management of user credentials on mobile devices. Some of the controls will include the use of authorization tokens and the limitations on SMS as a communication channel. This installment will also cite the common tools used to exploit poorly secured mobile devices.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security; combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit. Follow him on Twitter - Join his LinkedIn network -