The Challenge of Mobile App Security

For years, OWASP has published a Top Ten list of web application vulnerabilities.  The list is a good place to start for organizations looking to improve the security of their applications.

With the rise of mobile, OWASP now publishes a Mobile Top Ten Risks list.  Compared to the more familiar web app vulnerability list, the mobile list has some striking features.  A mobile app has all the security requirements of a web app, but it also needs new protective measures of its own, and using those measures properly requires a very high degree of expertise from mobile developers.

The new security requirements arise from differences in the execution environments of web apps and mobile apps.  Web apps execute in trusted environments.  On a well-configured system, there is no other software except what is needed by the web server and its app, and the server is typically in a room that is locked and physically secured.

Mobile apps execute in an untrusted environment.  For example,

  • Users are free to download other apps onto the device, and these apps may be malicious.
  • Mobile devices can be stolen.  Once in the possession of a black hat, commonly available tools let him disassemble the app, overcome much of the encryption, read filesystems, and generally see everything that is going on in the system.
  • Jailbroken phones provide easy privilege escalation for malicious apps.
  • Some apps need offline user authentication, which can open up security problems.

To combat these challenges, researchers have developed techniques like white-box cryptography (WBC).  WBC seeks to protect cryptographic keys in applications through extremely sophisticated obfuscation techniques that scatter bits of the key across a multitude of cooperating routines and data structures.  The idea is to make key recovery so complicated that an attacker is deterred.

The mobile app binary should protect itself from modification by running dynamic checksums on itself.  Since an attacker could look through the code and disable one or two calls to checksum routines, the checksum checks should be scattered throughout the code, with different implementations and call signatures, so that it is hard to find and remove them all automatically.
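As an added illustration (not code from the original post or from OWASP), the following Python sketch shows the idea of scattered, overlapping integrity guards with differing implementations; the code region, the guard layout and the choice of checksum routines are constructed for this example, and a real app would read the bytes from its own loaded image.

```python
import hashlib
import zlib

# Constructed stand-in for a region of the app's code segment.
CODE_REGION = bytes((i * 31 + 7) & 0xFF for i in range(1024))

# Three checksum routines with deliberately different implementations, so
# that no single byte pattern or call signature identifies all guards.
def crc32_sum(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def fnv1a_sum(data: bytes) -> int:
    h = 0xCBF29CE484222325
    for b in data:
        h = ((h ^ b) * 0x100000001B3) & 0xFFFFFFFFFFFFFFFF
    return h

def sha_prefix_sum(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

# Guards cover overlapping windows: (name, start, end, routine). Overlap means
# a one-byte patch trips several guards, and disabling one guard still leaves
# its bytes covered by another.
GUARDS = [
    ("g0", 0, 640, crc32_sum),
    ("g1", 384, 1024, fnv1a_sum),
    ("g2", 0, 1024, sha_prefix_sum),
    ("g3", 256, 768, crc32_sum),
]

def baseline(region: bytes) -> dict:
    """Expected values; in a real build these are computed and embedded at build time."""
    return {name: fn(region[s:e]) for name, s, e, fn in GUARDS}

def failed_guards(region: bytes, expected: dict) -> list:
    """Names of guards whose checksum no longer matches the expected value."""
    return [name for name, s, e, fn in GUARDS if fn(region[s:e]) != expected[name]]

def coverage_depth(offset: int) -> int:
    """How many guards independently check the byte at `offset`."""
    return sum(1 for _, s, e, _ in GUARDS if s <= offset < e)

def patch_byte(region: bytes, offset: int) -> bytes:
    """Copy of the region with one byte altered, used to test that detection fires."""
    buf = bytearray(region)
    buf[offset] ^= 0xFF
    return bytes(buf)
```

Every byte of the region is covered by at least two guards, so a single altered byte is reported by more than one check.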

Apps should detect whether the device is jailbroken and refuse to run.

The OWASP Mobile list has many more vulnerabilities and remediations listed.  If you are a mobile developer, you definitely need to read it.