San Antonio-based web application security specialist Denim Group has been airing its opinions on the security challenges facing developers looking at mobile app creation.
The company asserts that mobile applications can be especially challenging to develop securely because they have “a very different threat model” than traditional web-based applications.
So what does that mean?
Dan Cornell, Denim Group CTO, says that these apps are typically developed so that a significant part of the processing runs on the mobile device itself.
“However, because the devices are under the control of potentially-malicious users, developers have to expect these devices to be rooted or ‘jailbroken’ so platform security features might be disabled. In addition, application code that is sent to run on the device might be run through testing tools such as a debugger or network traffic proxy, and application binaries can be disassembled and reverse engineered,” he said.
It is because of this reality that security-critical decisions such as authorisation must be made on the server side, or at least confirmed on the server before anything is acted upon: a check that lives only in the app can be patched out, stepped over in a debugger, or bypassed by replaying a modified request through a proxy. For the same reason, developers should expect any “secrets” (API keys, signing keys) or proprietary algorithms shipped to the device to be extracted and analysed by malicious users.
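To make the server-side point concrete, here is an added example (not Denim Group's code, and not from the original article) that contrasts a handler trusting a client-supplied “is_admin” flag with one that derives identity from an HMAC-signed session token and looks up the role in server-side data. The token format, the key, the user and role tables and the sample requests are all hypothetical and constructed for this illustration.

```python
"""Server-side authorization versus a client-asserted flag.

Added illustration, not Denim Group code. SERVER_KEY, ROLES, the token
format and the sample requests are hypothetical and constructed here.
"""
import base64
import hashlib
import hmac
import json

# Secret that never leaves the server. Anything compiled into the app binary
# must be assumed recoverable by a user with a rooted device and a disassembler.
SERVER_KEY = b"example-only-server-key-rotate-me"

# Server-side record of who holds which role (constructed sample data).
ROLES = {"alice": "user", "bob": "admin"}


def issue_token(user: str) -> str:
    """Issue an HMAC-signed session token; only the server can produce a valid one."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user}).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the user named in a token, or None if it is malformed or the signature is wrong."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def delete_account_insecure(request: dict) -> str:
    """Trusts an 'is_admin' flag set by the client. A traffic proxy or a patched binary can flip it."""
    if request.get("is_admin"):
        return f"deleted {request['target']}"
    return "forbidden"


def delete_account_secure(request: dict) -> str:
    """Derives the caller from the signed token and the role from server-side data only."""
    user = verify_token(request.get("token", ""))
    if user is None:
        return "unauthenticated"
    if ROLES.get(user) != "admin":
        return "forbidden"
    return f"deleted {request['target']}"


def demo() -> dict:
    """Replay constructed requests against both handlers and report each outcome."""
    alice_token = issue_token("alice")
    # What an attacker with a traffic proxy sends: a genuine low-privilege token plus a flipped flag.
    tampered = {"token": alice_token, "is_admin": True, "target": "bob"}
    # What an attacker sends after trying to forge an admin token without SERVER_KEY.
    forged_payload = base64.urlsafe_b64encode(json.dumps({"sub": "bob"}).encode()).decode()
    forged = {"token": forged_payload + "." + "0" * 64, "target": "alice"}
    return {
        "insecure_tampered": delete_account_insecure(tampered),
        "secure_tampered": delete_account_secure(tampered),
        "secure_forged": delete_account_secure(forged),
        "secure_admin": delete_account_secure({"token": issue_token("bob"), "target": "alice"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The tampered request succeeds against the insecure handler and is refused by the secure one, and the forged token fails signature verification because the key it would need stayed on the server. The same pattern applies to any privileged operation: the device may supply a claim, but the server decides.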
According to Cornell, “Mobile applications are typically developed for specific platforms such as Android, iOS or Blackberry and little or no code can be shared between these environments because they use different programming languages and Application Programming Interfaces (APIs). This places developers in a situation where they are always struggling to keep pace with the advances of their technologies and where attackers often have deeper insight into security-critical functions and libraries than they do.”
Cornell obviously has a commercial interest in saying so, since his company sells security services in exactly this space, but he makes a genuinely (and literally) frightening point.
Some mobile platforms, notably iOS for the iPhone and iPad, use Objective-C, a superset of C, so apps written for them are exposed to buffer overflows, format string attacks and other memory-safety vulnerabilities that web application developers working in managed languages rarely have to worry about.
So, is this a wake-up call for the coding masses? No, I’m sure there is a general awareness of some of these issues. Is it insightful and even just a little bit scary at the same time? I’m saying yes; would you argue with me?