Secure Mobile Application Development
>> Tuesday, 9 July 2013
Mobile Security Challenges
Mobile security challenges stem from the change in the threat model associated with the products and services that provide mobile applications and interfaces. A threat model is a depiction of a system's attack surface, annotated with possible threats and the ways in which critical assets might be targeted. Threat modeling is the process of analyzing threat information, determining which attack vectors a threat might follow to compromise a system, and putting in place appropriate security controls to protect critical assets.
The relevant security risks and concerns depend on the architecture of the mobile application. For example, a mobile application that only provides the front end to an organization's website will have different security concerns and challenges from an online banking application with a fat client that deals with sensitive financial data.
In general, mobile applications have a different threat model from traditional Web applications.
Changing Attack Profiles
Because of their wide accessibility, both Web and mobile applications face attacks from a variety of directions: malicious mobile users, third-party applications, and users seeking to directly access back-end systems. However, with mobile applications, such attacks have a greater chance of succeeding.
Malicious users. Mobile devices are often lost or stolen, providing malicious users greater accessibility to private user data and critical application credentials. Mobile applications that don't properly manage sessions or that provide local mechanisms for remembering user IDs and passwords are easily compromised. For example, sessions are often left open on mobile applications for long periods of time so mobile users can seamlessly pick up where they left off when bringing an application to the foreground. Not closing open sessions on a regular basis increases the likelihood that a malicious user can gain unauthorized access to critical data and applications.
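As an added example (not code from the original post), the following back-end session store enforces both an idle timeout and an absolute lifetime on a mobile client's session token, and offers a revoke-all hook for the lost-or-stolen-device case; the timeout values and class names are assumptions chosen for illustration. Passing `None` for a timeout reproduces the weak "never expires" behaviour the text warns about, so the two policies can be compared side by side.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values (not from the original post): a session dies after
# 15 minutes without activity, and in any case 12 hours after login.
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_LIFETIME_S = 12 * 3600


@dataclass
class Session:
    user_id: str
    created_at: float   # login time (seconds, e.g. time.time())
    last_seen: float    # last request time; drives the sliding idle window
    revoked: bool = False


class SessionStore:
    """Server-side session table. idle_timeout / absolute_lifetime of None
    means 'never expire' and models the weak configuration described above."""

    def __init__(self, idle_timeout: Optional[float] = IDLE_TIMEOUT_S,
                 absolute_lifetime: Optional[float] = ABSOLUTE_LIFETIME_S):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    def create(self, token: str, user_id: str, now: float) -> None:
        self._sessions[token] = Session(user_id, now, now)

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user id if the token is still valid, else None.
        An expired session is deleted so a later replay of the token also fails."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        idle_expired = self.idle_timeout is not None and now - s.last_seen > self.idle_timeout
        life_expired = self.absolute_lifetime is not None and now - s.created_at > self.absolute_lifetime
        if idle_expired or life_expired:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user_id

    def revoke_all_for_user(self, user_id: str) -> int:
        """Lost-device response: invalidate every live session of one user."""
        live = [s for s in self._sessions.values() if s.user_id == user_id and not s.revoked]
        for s in live:
            s.revoked = True
        return len(live)
```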