Mobile apps are quickly becoming the dominant interaction pattern for users of smartphones and tablets.  A report by comScore highlighted that “82% of time spent with mobile media happens via apps”1.  Browsing behavior of mobile users is taking place within app stores and they are leveraging the apps to perform specific tasks or access information.  For enterprises this means that mobile apps become not only the primary means to engage consumers but also to connect with partners and empower employees.  As enterprises ramp up their mobile app development efforts a new level of attention needs to be paid to defending these apps.  

The security risks enterprises face when deploying mobile apps include data disclosure, malicious data injection, tampered app logic, broken cryptography, among others.  An enterprise app can encounter attacks of this sort from malware on the mobile devices or by malicious users who have either stolen or hijacked the mobile device.

Several recent reports have put the spotlight on the continued rapid growth of malware and exploits targeting mobile devices2, 3.   The implications of this for mobile apps is that developers have to in fact begin with the assumption that the device on which their apps will run might be compromised, particularly on the Android platform.  Given the popularity of Android4 developers cannot just stop serving this market therefore they must begin employing techniques that will raise the security posture of their apps.

One of the primary approaches to security has been to detect and catalog different forms of attacks so that countermeasures can be devised.  The irony of this approach is that the ability to defend your mobile app is indirectly tied to success of the attack.  When an attack spreads it becomes more easily detectable.  Given the infinite number of potential attacks this approach does not scale and it is next to impossible to be anything more than reactive.  Emerging trends also point to attacks that are more targeted and significantly harder to detect further eroding the effectiveness of this approach.  As you may heard, only recently has a malware called Flame came to the attention of security researchers possibly many years after it was first released.  It was sophisticated enough to selectively pick its targets and even erase itself after extracting the information it wanted.  In addition, organizations may not even have the visibility to deliver or enforce detection of known attacks, especially on devices used by consumers or partners.

The question becomes – how can organizations be more proactive in delivering safe mobile apps that mitigate the risk to trust relationships these organizations have forged with their employees, customers and partners? Instead of focusing on the inbound attacks and trying to counter them one at a time, imagine if we could remove vulnerabilities within the mobile apps themselves that malware and exploits capitalize on.  Enumerating potential vulnerabilities for a mobile app requires research but once armed with this understanding it becomes much easier to identify these vulnerabilities and cost effectively patch them during development and test phases.  Research into vulnerabilities assesses the platform on which the app will run the frameworks the app employs and the technologies the app is built with.  This ongoing research is encapsulated into vulnerability testing platforms such as IBM’s AppScan.

Because of the potential of high volume interactions with mobile apps and the significant implications of security breaches on organizational reputation, intellectual property and even government oversight there is growing awareness of vulnerability testing for mobile apps.  Mobile app development trends are also facilitating the adoption of vulnerability testing in the development process.  For example, because of the economics of a mobile app, many organizations are gravitating towards hybrid apps were core app logic is built using web technologies – HTML5, JavaScript, and CSS.  Significant vulnerability research into web applications over the past few years can now be applied to the web elements of hybrid mobile apps not to mention pure mobile web apps.  Therefore, mobile development teams can begin instituting vulnerability testing into their app development and test cycles.  There is also a race to complete the research of vulnerabilities for native Android technologies so that native Android apps and the native elements of Android hybrid apps can remain safe even in the face of a growing malware and exploits threat.  In fact this race is now pretty much over based on the announcement from the IBM Innovate conference this week.  If you are attending Innovate do connect with my colleagues on the AppScan team and they can showcase technology that will add a whole new dimension to vulnerability testing practice.