Looking back, it's easy to see just how revolutionary modern smartphones have been in their scant seven years on the market. It's also fair to say mobile apps served as the catalyst that propelled them to where they are today. But despite all the jaw-dropping, insanely useful things these pocket-sized devices do, security-conscious tech consumers realize they also open users up to a slew of hacks, attacks and general security concerns. Progress rarely comes without problems.
As a direct result of those concerns, the burgeoning world of app security (AppSec) focuses on one high-level question: If apps aren't going away anytime soon, how can they be made as safe as possible? The answer comes down to identifying the format's core vulnerabilities and inherent flaws.
The Information (Theft) Age
Phones are tiny, and they contain a lot of information that users would rather prying eyes didn't see — that's the heart of the biggest security problem with mobile apps. Whether you're accessing an enterprise sales portal or putting your credit card number into a retailer's official app, sketchy people will want to take your info and use it for nefarious ends. Even more concerning is the fact that these theoretical thieves have two routes of attack: physical and remote access. In a physical attack, some jerk steals your phone, notices you left your SSN in plain text somewhere, and goes on a credit card bonanza. A remote attack reaches the same data without the attacker ever touching the device.
From a high-level app security standpoint, protecting this information requires two distinct kinds of actors. First are developers, who must take every precaution possible to ensure sensitive info stays secure. Second are users, who must be smart with how and where they apply that sensitive info. A shopper shouldn't send credit details over an unsecured Wi-Fi network, for instance.
A Piecemeal Approach
Standard operating procedures in the development world also conspire to give app security experts headaches. Today's software — especially complex code designed to transmit sensitive data, as opposed to mobile games and the like — is hardly ever built by a single team, and keeping third-party vendors and other outsourced software products safe is considerably harder than doing the same with first-party components.
Combine that with the aforementioned issues of information theft and the portable, less-secure nature of mobile apps, and you have a potentially scary situation. An attacker who knows an app's third-party components weren't crafted with the same dedication to security can direct a focused attack on just that aspect of a product, then use the info or access they glean to move on to bigger, "better" things.
Expanding the definition of "third party" to popular open-source solutions like libraries and encryption services further complicates matters. While access to a component's source code is generally preferable to having no access, fixing that code isn't always an option for time- and resource-strapped devs; this, in turn, can result in multiple products from various companies sporting the same flaw, making them ripe for the picking across all the mobile operating systems that support them.
The Broadening Perimeter
In addition, every bit of first- and third-party code a company makes available for mobile expands that company's digital perimeter. The same can be said for software that, while designed for mobile, doesn't necessarily qualify as an application — take web apps, digital marketing materials and other mobile-accessible online assets, for example.
Problems with this sort of expansion come in multiple forms. Any given mobile app may contain a security flaw that attackers haven't discovered yet (or haven't yet found within that particular app); if the company forgets about the app, it has effectively left an unlocked door for intruders to find later. Though rarer in practice, perimeter issues also arise when updating an outdated app is left up to the user: Attackers could target users who haven't run an update, taking the providing company out of the security equation while simultaneously exposing it to great risk.
Veracode's flip-book on the top five AppSec villains compares mobile apps to Frankenstein's famous creature, and for good reason: They're incredibly powerful and revolutionary, but they also come with a number of possible security issues. If you build software for mobile users, it's up to you to approach your products with an AppSec-focused mindset. Whether you fear customers visiting your offices with torches and pitchforks or slightly more realistic outcomes, it's safe to say mobile represents a whole other creature in the software game. Staying on top of security now is by far the best way to contain it.