Mobile Application Security

As smartphone usage continues to grow exponentially, mobile app security is critical to enterprise safety.


Application Security For Mobile Apps

Rapid adoption of mobile devices and mobile apps has created a significant and unbounded security risk for the enterprise. The mobile app threat is quickly progressing from simple “premium SMS and call” attacks that directly monetize by running up the victim's bill, to full-blown mobile botnet functionality, such as the recently discovered Geinimi Trojan for Android phones. Enterprises must recognize the need to equip a mobile workforce with meaningful applications that allow them to be productive while maintaining the security of sensitive data on the device and internal networks.

Veracode currently provides application security verification for RIM’s BlackBerry operating system (OS), Windows Mobile, Google’s Android and Apple iOS.

Want to submit your mobile application for security verification? Click here to talk to us about Mobile Application Security.

Veracode's Mobile Application Top 10 Security Risks

There are two main categories of mobile app risks. The Malicious Functionality category is a list of unwanted and dangerous behaviors that are stealthily placed in a Trojan app that the user is tricked into installing. The user thinks they are installing a game or utility and instead gets hidden spyware, a phishing UI, or unauthorized premium dialing.

A. Malicious Functionality

  • Activity monitoring and data retrieval
  • Unauthorized dialing, SMS, and payments
  • Unauthorized network connectivity (exfiltration or command & control)
  • UI Impersonation
  • System modification (rootkit, APN proxy config)
  • Logic or Time bomb

The Vulnerabilities category consists of errors in design or implementation that expose mobile device data to interception and retrieval by attackers. Vulnerabilities can also expose the mobile device, or the cloud applications used from the device, to unauthorized access.

B. Vulnerabilities

  • Sensitive data leakage (inadvertent or side channel)
  • Unsafe sensitive data storage
  • Unsafe sensitive data transmission
  • Hardcoded password/keys
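
As an added illustration of three of the Vulnerabilities categories above (this is example code, not Veracode's scanner or its detection logic), a small line-based static check that labels findings with the page's own category names; the regex rules and the Android-style sample source are constructed assumptions for the example:

```python
import re
from dataclasses import dataclass

# Category labels taken from the "B. Vulnerabilities" list on the page.
HARDCODED_SECRET = "Hardcoded password/keys"
UNSAFE_STORAGE = "Unsafe sensitive data storage"
UNSAFE_TRANSMISSION = "Unsafe sensitive data transmission"

# Each rule is (category, compiled regex). The patterns are illustrative
# assumptions for this example, not a production rule set.
RULES = [
    (HARDCODED_SECRET, re.compile(r'(?i)\b(password|passwd|secret|api[_-]?key)\s*=\s*"[^"]{4,}"')),
    (HARDCODED_SECRET, re.compile(r'SecretKeySpec\(\s*"[^"]+"\.getBytes')),
    (UNSAFE_STORAGE, re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)')),
    (UNSAFE_STORAGE, re.compile(r'getExternalStorageDirectory\(\)')),
    (UNSAFE_TRANSMISSION, re.compile(r'"http://[^"]+"')),
    (UNSAFE_TRANSMISSION, re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER|setHostnameVerifier\(')),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    snippet: str


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, category) pair that matches a rule."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        seen = set()  # report each category at most once per line
        for category, pattern in RULES:
            if category not in seen and pattern.search(line):
                seen.add(category)
                findings.append(Finding(line_no, category, line.strip()))
    return findings


# Constructed Java snippet; lines 1-4 deliberately exhibit the three categories,
# line 5 is the safe HTTPS variant and should produce no finding.
SAMPLE_SOURCE = '''\
String apiKey = "AKIA-EXAMPLE-NOT-REAL";
SecretKey key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
SharedPreferences p = getSharedPreferences("creds", MODE_WORLD_READABLE);
URL u = new URL("http://api.example.com/login");
URL safe = new URL("https://api.example.com/login");
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.category}: {f.snippet}")
```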

To engage the community in a discussion about the "Mobile App Top 10" please go to our ZeroDay Labs Blog and post a comment.

To review the "Mobile App Top 10 Details" please go to our Methodology Description.