Mobile Application Security - Separating Hype From Reality

Tuesday, April 12, 2011

Rafal Los


Mobile applications development has reached a fever pitch, and if your company doesn't have a mobile app... well then you're behind the times, right? 

While there are certainly valid business reasons to develop mobile applications there is an unbelievable amount of hype out there around the security of these applications -and I think it's time to separate hype from reality.

In this post, I will briefly address some of the confusion, marketing hype, and outright lies that I've heard and read... in an attempt to restore sanity and temperance to the situation. 

Remember, I'm a realist - and while I think it's really great that application security is getting a lot of attention - I'd rather see it get rational, sane attention over the irrational fear and hype any day of the week.

First, the Confusion

I think many of us out there are simply confused about just what mobile applications are.  It's OK, the topic is complex and not something that's simple to grasp and understand even for a seasoned security professional or application developer.

Mobile applications are applications that run on mobile devices such as your handheld phone handset, your tablet, or some other widget that is considered a mobile device.

Mobile applications aren't so different from regular applications, except they run on exotic operating platforms like Apple's iOS, Google's Android, HP's WebOS, Microsoft's Windows Phone 7, or the BlackBerry platform... and there are certainly others out there.  With such a wide variety of platforms there comes a wide variety of language support and capabilities, each with its own unique quirks and challenges.

For example, developing for the Android operating platform amounts to writing code in Java (ref:, for a Linux-based operating system that’s highly modified by each individual handset vendor…this of course presents a vast number of challenges if you’re trying to write an application that utilizes the full potential of Android that will be usable across all of the Android mobile platforms. 

Writing code for Apple's iOS (iPhone or iPad) requires you to learn Objective-C, which is a reflective, object-oriented derivative of the C programming language that adds Smalltalk-style messaging (ref:  I could go on and on but you get the idea - each platform is different; the development style, sandboxing features and so on are all different.

While I will admit that none of these languages is naturally security-defect-free, there is no reason to suspect that any one of these platforms is somehow inherently more defect-prone than the others. 

Developing apps for each of these mobile platforms still breaks down to learning the localized operating platform, learning the development language, and writing good, clean, sane code.  This is no different from writing good web applications, or Python, or COBOL for that matter... it's just code.

The confusion over the various platforms and inherent vulnerability breaks down to a very simple, and easily understandable point - these are all end-point devices.  Just like your laptop, these devices can be compromised by an outsider either when you browse a web site (Apple ref: or when someone gains access to your mobile device via other attack channels.  Remember - apps aren't the only way to compromise and infect a mobile device...

Once we've made our peace with the fact that mobile devices that run apps are just as susceptible to being over-run with malicious code we can start to see how mobile applications (or "apps") play into the picture.

Marketing Hype

Everyone is to blame equally for the utter travesty that is marketing hype around mobile applications and security.  The media is to blame for creating an insane amount of fear, security professionals and vendors are to blame for perpetuating this fear (or at least not arguing), and end-users are to blame for buying the craziness wholesale without doing a healthy amount of skeptical research first. 

That being said - the hype around mobile application security has reached a fever pitch - and I think that while the focus is turned to the mobile application installed on each mobile device - the bigger problem is being neglected entirely.

That bigger problem I'm referring to is the back-end systems that power mobile applications.  Mobile applications, after all, are just pieces of code that communicate with a back-end web server using HTTP or HTTPS requests.  The endpoint mobile application may do some processing but if you're really going to attack anything... it would be the application server listening for HTTP/HTTPS requests from that mobile application. 

I believe that the marketing hype around mobile applications has blinded us to the fact that under the covers these are all just light-weight client/server applications that talk HTTP/HTTPS to a back-end system - that's where the real dangers are.

If the marketing hype is to be believed, a security vulnerability in a mobile application can have catastrophic consequences... but let's look at that critically for a moment.  The pretense we're operating under here (and a point I'm not willing to take for granted) is that the mobile platform is not compromised. 

Look down at your (legally) jailbroken iPhone and tell me you trust every piece of code on that device... now tell me the mobile "apps" you just installed are a bigger risk.  Really?

I believe if this matter is approached sanely, the mobile application should be treated like we treat Adobe Flash or other similar applications today which work in your browser.  Assume that the browser is compromised, and that the application can (and will be) reverse engineered. 

With those assumptions the only intelligent thing to do is assess and strongly protect the back-end system, which is the application server.  This is where I suggest that we concentrate our efforts in the mobile application space... not because mobile applications aren't a risk, but because the application server back-ends are a risk many factors greater.

Outright Lies

Without feeling the need to call anyone out individually, I'll simply say that I've personally heard some "security experts" discuss mobile applications - the components you install on the mobile device - as the biggest up-and-coming threat to security.  Shenanigans. 

The biggest threat to security just coming over the horizon may very well be dealing with mobile applications - but it is most definitely not the mobile application itself... rather, the back-end application servers and systems which house the data, the logic and are the real targets for attackers. 

The real threats to these back-end systems are mistakes that developers have been making for over a decade now... including things like injection attacks aimed at manipulating or stealing data.  These attacks aren't new, only the venue and 'packaging' around the problem has changed with the shift to the mobile device rush.
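To make the back-end point concrete, here is an added example (not code from the original post): a minimal order-lookup handler as a mobile app's back-end might expose it over HTTPS, written twice. The first version trusts whatever the client sends and splices it into SQL; the second treats the server-side session as the authority and parameterises the query. The table, request bodies and function names are all constructed for this illustration.

```python
import json
import sqlite3

# Constructed sample data: a tiny in-memory "order history" table that a
# mobile app would query through an HTTPS endpoint on the back-end server.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, user TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "phone case"),
        (2, "bob", "charger"),
        (3, "carol", "headphones"),
    ])
    return db

def handle_orders_vulnerable(db, body):
    """Back-end handler that trusts the app: it takes the user name from the
    request body and splices it into SQL. Anyone who can craft the HTTP
    request (no mobile device needed) controls the query."""
    req = json.loads(body)
    sql = "SELECT id, item FROM orders WHERE user = '%s'" % req["user"]
    return db.execute(sql).fetchall()

def handle_orders_hardened(db, body, session_user):
    """Same endpoint with the server as the authority: the identity comes
    from the server-side session, not from the client, and the query is
    parameterised so request data can never change its structure."""
    req = json.loads(body)
    if req.get("user") != session_user:
        return []          # client may not ask for someone else's orders
    sql = "SELECT id, item FROM orders WHERE user = ?"
    return db.execute(sql, (session_user,)).fetchall()

# Constructed request bodies: what a legitimate app sends, and the same
# call replayed by a tester with one field modified.
NORMAL = json.dumps({"user": "alice"})
TAMPERED = json.dumps({"user": "x' OR '1'='1"})

if __name__ == "__main__":
    db = make_db()
    print(handle_orders_vulnerable(db, NORMAL))           # alice's one order
    print(handle_orders_vulnerable(db, TAMPERED))         # every user's orders
    print(handle_orders_hardened(db, TAMPERED, "alice"))  # []
```

The tampered body never touches a phone: it is just an HTTP request, which is exactly why the server, not the app, has to enforce who may see what.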

In the end, I'm confident we'll gain some sanity and realize that while it may be important to analyze a mobile application for outright security defects - the more critical component is the supporting back-end system (the application servers!) which are being attacked over HTTP/HTTPS right now... without even touching that mobile device.

I hope you've found this post informative, and it's helped you cut through the fog that is mobile application security.  I'm happy to discuss or defend the points made here - and I know plenty of security professionals who have been echoing this for quite some time as well. 

My aim is to decrease risk... and the biggest impact I think we can have in the mobile application world is security testing the back-end application servers ...and making the right, sane assumptions about the mobile platforms we deploy our code to.  Comments?  Feedback?

Cross-posted from Following the White Rabbit

Keith Mendoza I feel that this article only addresses the issue that everyone who deals with client/server apps faces--particularly via HTTP or HTTPS. However, it doesn't address the issue when a user is installing an application that has a built-in trojan in it. I'm sure everyone heard of the Android apps that were hijacked and had Android.Pjapps in them. In the case of Android, users are notified of what features the app will use. Do users even bother looking through it and asking themselves whether the app really needs those features? I would say most don't and just hit accept without putting a second thought into it.

I've also seen some applications that ask for all kinds of permissions where I don't see why the application would use them. I can only assume that the app developer is using one of those development frameworks that simply requests all features because they have modules in their framework that would need them. I personally think that developer frameworks should only use the permissions that a module needs when the application uses it.
Rafal Los Keith - The issue of an application you're installing (willingly) being a trojan is an interesting one. I'm not sure HOW we solve that ...I do have some ideas. Check out my blog for a future post on the topic.
Keith Mendoza Rafal - Looking forward to seeing your post. I have a list of ideas--geared towards the Android platform--that I need to write in my blog myself.
Sara Hald I also think there is a huge risk of users infecting their own mobile devices with high-risk behaviour. Facebook is ripe with malware that users willingly spread by clicking infected links and installing rogue apps. While I agree that the back-end systems are definitely targets, it is just so much easier to have the users install the malware themselves and ensure that it has the right permissions to compromise your device. Just wrap it up in some vaguely believable "fun" functionality and make sure it spreads the love to all contacts. No reason to spend time and resources perfecting a sophisticated attack, when preying on users' gullibility is just as effective and much easier.