by Derek E. Brink

Security and mobility

Dec 13, 20124 mins
Mobile Apps

Security doesn’t always get the attention and mindshare it deserves, particularly in the red-hot area of mobile devices such as smart phones and tablets.

The announcement that Microsoft acquired PhoneFactor, an established provider of phone-based authentication solutions, spotlighted Out-of-Band Authentication (OOBA). OOBA represents a scenario in which an end-user enters their username and password to access an online resource, and also respond in a different band or channel (e.g., a phone call, or a text message) as an integral part of the authentication process. Similarly, an OOBA approach can be used to ask the end-user to verify an online transaction.

OOBA is widely accepted as a financial services industry tool for stronger assurance of user identities. The general approach is that a login or transaction deemed to be outside the normal thresholds or patterns of behaviour – and therefore more risky –results in the end-user being asked to give an appropriate response in the phone-based channel.

It certainly doesn’t hurt that OOBA solutions leverage what is arguably the most ubiquitous, personal and indispensable of all end-user devices – the mobile phone. All of which is good news for solution providers such as Microsoft/PhoneFactor, Authentify, RSA, Entrust, Swivel Secure, and StrikeForce Technologies.

Stuck in the Middle: Your Android Apps are Leaking Your Data

In October 2012, German researchers at the Liebniz University of Hannover and Philipps University of Marburg published Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security, describing their analysis of some 13,500 free applications available for Android devices from the Google Play Market.

Specifically, the researchers sought “to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit.” Some of the findings related to Android’s SSL-related vulnerabilities include:

  • 1,074 apps (about 8%) contain SSL specific code that either accepts all certificates or all hostnames for a certificate, and thus are potentially vulnerable to Man-in-the-Middle (MITM) / Man-in-the-Browser (MITB) attacks – a reference to scenarios in which the attacker hijacks an online session by inserting himself transparently between the end-user and the legitimate web site.
  • Of 100 apps selected for manual audit and analysis, 41 were vulnerable to MITM attacks due to SSL misuse.
  • Of these 41 apps, researchers captured credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, and others.
  • Among the apps with confirmed vulnerabilities against MITM attacks, three had installed bases of 10 – 50 million users each, and the cumulative installed base for all is as high as 185 million users.

When using apps that range from free to a few dollars we don’t have much individual clout.

Security for Mobile Apps

Compared to web applications, for example, mobile applications have a more complex attack surface; in addition to server-side code, they deal with client-side code and (multiple) network channels. And the impact of these threats is often multiplied, as in the common case where the mobile code supports functions that were previously server-only (e.g., for offline access).

This makes mobile apps more difficult for developers to address. Generally speaking, the mobile technology is unfamiliar, development teams are not as well educated, and it is difficult to keep testing teams trained on the latest attacks. One expert observed that from a security perspective, the market is at the same place today with mobile apps that it was with Web apps ten years ago.

It appears that the high-level strategies for securing mobile applications are still largely the same – i.e., elements of “find and fix” (discover and remediate vulnerabilities in existing code); “defend and defer” (protect apps by sandboxing or wrapping); and “secure at the source” (make security an integral part of the mobile application development lifecycle). So the question is not whether the application developers can do a better job – the question is whether their circus masters would rather see developer time spent addressing vulnerabilities, adding features, or accelerating time to market.

Derek E. Brink, BS, MBA, CISSP is vice president and research fellow for IT Security and IT-GRC at Aberdeen Group, a Harte-Hanks Company.