You can't secure what you don't acknowledge.SM

Thursday, February 28, 2013

Mobile app security assessments

I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised) related to session manipulation, hard-coded cryptographic keys and the like which underscores the importance of the exercise.

But there's another side to mobile app security assessments - it's simply manual analysis. That is poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security and forensic-related flaws that aren't uncovered in traditional user, functional, and QA testing. In recent application assessments, I've found things like:
  • login-related weaknesses
  • information mishandling
  • insecure interactions with external applications/systems
  • exploits in general functionality that put PII at risk
Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: What are you doing to ensure things are in check? 

Like I say about a lot of things related to information security...do it yourself, allow me to help, or hire someone else - just do something.

No comments:

Post a Comment