The (In)security of Mobile Devices
Anatomy of a new type of risk
by Daniel Miessler
It wasn't long ago that being on the cutting edge of business equated to having a website. Soon after, it wasn't enough to simply have an Internet presence; you had to be interactive and engaging (see Web 2.0). But now there's a new standard. In order to truly compete in the second decade of the 21st century, you need to be in the mobile space.
That means you either have an iPhone and/or Android application or you're likely losing business to competitors who do.
Mobile by the numbers
How big is mobile? It's big. A study by Arc Worldwide recently showed that half of Americans already use a mobile device to shop, and according to Smart Insights, mobile device use tripled for the third year in a row in 2010. They estimate that global mobile data traffic will increase 26 percent by 2015 and that there will be nearly one mobile device per capita by that same year. Most estimates identify that year as the point at which mobile Internet use will overtake traditional use.
If you think about it, the numbers aren't that surprising. Until now we have only been able to use the Internet while at home or at work -- and that's for the relatively low percentage of people who had Internet access in those places. Nowadays, access is being brought to more and more people, but without the restriction of location. Give everyone a mobile device and suddenly people can casually browse, make purchases or conduct business wherever they are. That's a lot of mobile, and if you're in the security game, that's a lot of attack surface.
What's so different about it?
Many point out that we've had the Internet and a global website infrastructure of clients and servers for quite a while now and that we should be ready for mobile. After all, it's just the Web on a different type of device, right? Shouldn't it be the same? As it turns out -- no. The world making the transition to mobile Internet use presents a number of unique and interesting challenges:
- Physical access. It's a lot easier to secure a computing device when it never leaves the home or workplace. It's something else altogether when that device fits in a shirt pocket, where it can be lost or stolen very easily. Physical access is the first and arguably the most critical level of security, and having it under constant threat means additional controls must be put in place.
- Wireless opportunity. Another luxury that we have had with home and work computers is that they tend to be plugged in, so that people watching the airwaves can't pull data from nearby. Even if wireless is used in a house, the range is short enough so that an attacker would have to be near your home to take advantage. With mobile the threat is different: Attackers can simply go to where many people are, and they'll find plenty of mobile users to attack.
- Location fixation. So many of the applications that are popular on mobile platforms hinge on being location-aware. This is great for the user -- and great for an attacker. Securing that sensitive location information is paramount.
Mobile attack surfaces
When it comes to actually attacking and defending within the mobile landscape, there are three primary components to consider:
- Attacks against the device.
- Attacks against network traffic.
- Attacks against the server.
Attacks against the device are probably the most intuitive to people. One avenue is much like the stolen laptop scenario whereby a piece of hardware is stolen so that an attacker can attempt to connect to the system and pull data off of it. Common vulnerabilities here include unencrypted credentials and cached sensitive data that can be pulled off by an attacker.
Another type of threat against the device itself includes the installation of malware on the system that can lead to information leakage and even complete compromise. Attackers commonly install malicious certificates, reconfigure proxy settings and perform other modifications that allow man-in-the-middle (MiTM) visibility into user transactions.
One of the most dangerous vectors for mobile remains the network component, specifically the capture and/or modification of mobile network traffic by attackers. This is especially dangerous in public places where Wi-Fi is used, as many mobile applications switch to using Wi-Fi when it is available. At that point, tools such as Firesheep can be used to pull sensitive information right out of the air.
Credential-stealing attacks are possible because so few applications properly secure the sensitive data they use. Mistakes in this realm come in many forms, from failing to securely manage TLS/SSL certificates and their associated interactions to failing to use encryption at all (see Firesheep). Then there is our favorite Web application vulnerability of the last few years: encrypting only the login and then switching to cleartext. Unfortunately, developers in the mobile world haven't yet learned to avoid this pitfall.
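As an added illustration of the "encrypt only the login, then switch to cleartext" pitfall (example code written for this page, not from the article or from any product): a small Python checker that walks a constructed HTTP exchange and flags a session cookie that was set over HTTPS without the Secure flag and later travelled over plain HTTP. The hosts, cookie names and messages are all made up for the sample.

```python
from http.cookies import SimpleCookie

# Constructed sample of one mobile app session (not real traffic): the login
# happens over TLS, then the app silently falls back to plain HTTP.
SAMPLE_EXCHANGE = [
    {"dir": "response", "scheme": "https", "host": "m.example.test", "path": "/login",
     "headers": {"Set-Cookie": "session=abc123; Path=/; HttpOnly"}},   # no Secure flag
    {"dir": "request", "scheme": "https", "host": "m.example.test", "path": "/account",
     "headers": {"Cookie": "session=abc123"}},
    {"dir": "request", "scheme": "http", "host": "m.example.test", "path": "/feed",
     "headers": {"Cookie": "session=abc123; theme=dark"}},             # same cookie, cleartext
    {"dir": "request", "scheme": "http", "host": "cdn.example.test", "path": "/logo.png",
     "headers": {}},
]


def cookies_set_over_tls(exchange):
    """Return {cookie_name: has_secure_flag} for every cookie set in an HTTPS response."""
    seen = {}
    for msg in exchange:
        if msg["dir"] != "response" or msg["scheme"] != "https":
            continue
        raw = msg["headers"].get("Set-Cookie")
        if not raw:
            continue
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            seen[name] = bool(morsel["secure"])   # "" when the flag is absent
    return seen


def find_cleartext_leaks(exchange):
    """List cookies born over TLS that lack Secure or later appear in a plain-HTTP request."""
    tls_cookies = cookies_set_over_tls(exchange)
    findings = []
    for name, secure in tls_cookies.items():
        if not secure:
            findings.append(f"{name}: set over HTTPS without the Secure flag")
    for msg in exchange:
        if msg["dir"] != "request" or msg["scheme"] != "http":
            continue
        jar = SimpleCookie()
        jar.load(msg["headers"].get("Cookie", ""))   # Cookie header parses as name=value pairs
        for name in jar:
            if name in tls_cookies:
                findings.append(f"{name}: sent in cleartext to http://{msg['host']}{msg['path']}")
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE_EXCHANGE):
        print("FINDING:", finding)
```

The same two checks apply to a real capture: a Secure flag on the login cookie stops the browser-style fallback at the source, and a request log with zero plain-HTTP hits for that cookie is the evidence that the app stayed on TLS after login.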
With all this talk of mobile and its associated "new" attack surface, many tend to forget that most of the mobile applications we use are talking back to something. So, what's on the other end? If your answer was "Web components," you are correct. The vast majority of mobile apps are interacting with websites on the back-end, and many of them are Web services. This means old favorites like SQL Injection, cross-site scripting and cross-site request forgery step squarely back onto the stage.
That's the interesting thing about the mobile security landscape: it's not just the device getting malware, passwords being sent in cleartext over the network or someone MiTM-ing sensitive transactions. It's also about the Web infrastructure that hosts the app on the server side. This means that to truly look at the security of a mobile application, you need to look at all components, up to and including performing a Web assessment on the server side.
One might expect the Web assessment component of a mobile application to yield little fruit, since the industry has been aware of Web application vulnerabilities for some time now; sadly, this is not the case. The development of mobile applications is often done separately from the mainstream Web application development within an organization, and separate organizations tend to mean separate coding standards and security practices.
So, first imagine a world in which most organizations already struggle with Web application security within their primary, high-profile Web properties due to lack of developer exposure to application security concepts. Now, think about a separate group of developers with even less exposure to, and knowledge of, security. That's who's building the back-end Web components for mobile applications right now, and it's a serious problem.
Putting it together
With mobile computing set to overtake traditional forms as soon as 2015, the mobile space is exciting for good reason. But the challenges to security in this new environment are every bit as real as the opportunities. Between the device, the network and the server components, attackers have plenty of surface area to choose from, and those looking to deploy mobile applications securely need to take a complete approach to their defenses.
Daniel Miessler is a San Francisco-based security consultant with Hewlett-Packard specializing in application security. He enjoys breaking Web applications, playing competitive table tennis and reading obsessively and dislikes speaking about himself in the third person.