December 9, 2013
We live in a BYOD – Bring Your Own Device – generation. Our mobiles are becoming as powerful as our desktops once were, and security is becoming an ever more pressing issue as new technologies are released and information thieves get even craftier. Mobile devices are incredibly vulnerable depending on the apps they run, even more so than computers in many cases. While most client-server applications ran within the confines of a LAN or corporate WAN, mobile apps run outside the confines of corporate networks and access services across the public Internet.
A key element in mobile application security design is making sure that the app itself, or the browser app, does very little processing – the code on the device should do as little as possible. As much as possible should be done on the backend. Encryption through Secure Sockets Layer (SSL) is the most basic backend security for mobile apps.
There are a few ways attackers can gain access to your mobile device:
- Attacker steals or accesses lost device
- Malicious app
- Reverse engineering of an app
What is it that attackers are looking for?
- access to your device
- access to your external services (banking, email, etc.)
- full name
- ID numbers
- address book data
- location data
- card numbers
- CVV number
- sniff your connections
- use your device
- steal sensitive data
What is the attackers’ threat model?
When an attacker gains physical access to a device, even if it’s temporary access, the attacker can jailbreak or root the device and install their code or copy the disk image.
Another risk arises if your device is stolen: a web application will expire your login after a limited amount of time, but mobile apps usually don’t. Because mobile sessions rarely expire, an attacker has an opportunity to intercept traffic and even impersonate the user. This is why it is important to encrypt data stored on your mobile device, something best done with third-party security support.
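One backend-side mitigation for the non-expiring mobile sessions described above, as an added example that is not part of the original post: a hypothetical in-memory session store (all names and timeouts are assumptions) that enforces both an idle timeout and an absolute lifetime, and can revoke every session bound to a device that has been reported lost or stolen.

```python
import time
from dataclasses import dataclass

# Assumed policy values; a real deployment tunes these per risk level.
IDLE_TIMEOUT = 15 * 60       # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # seconds since login, regardless of activity


@dataclass
class Session:
    token: str
    user: str
    device_id: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session registry; the mobile app only holds the opaque token."""

    def __init__(self):
        self._sessions = {}

    def create(self, token, user, device_id, now=None):
        now = time.time() if now is None else now
        self._sessions[token] = Session(token, user, device_id, now, now)

    def validate(self, token, now=None):
        """Return the user for a live session, or None (and drop it) if expired."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        absolute_expired = now - s.issued_at > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self._sessions[token]   # expired: force a fresh login
            return None
        s.last_seen = now               # activity extends only the idle window
        return s.user

    def revoke_device(self, user, device_id):
        """Lost/stolen device: invalidate every session bound to it, return the count."""
        doomed = [t for t, s in self._sessions.items()
                  if s.user == user and s.device_id == device_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

Even a client that keeps using a cached token after the device changes hands is cut off once the idle or absolute limit passes, and the revocation path lets the user (or helpdesk) terminate access immediately.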
Diagram by Denim Group depicting mobile threats:
So, we put the question to you. How safe is your data?
How often do you put in your credentials without thinking twice? Or sign up on a website through your mobile without checking the security policy? Where do you get your mobile apps from? Beware of what you install on your mobile devices, where you enter your credentials and how you store data.