Mobile App Security - This is Not Your Mother's Web Security
Sitting in a ski lodge in Jackson Hole, I interview Mike Zusman, mobile security expert, on how mobile security is a whole different ballgame than traditional web app security. Why? The answer might surprise you.
(Full transcript after the break, or download MP3 audio here)
Pete: Hey, it's Pete. I'm in Jackson Hole today and I'm hanging out with a good friend of mine, Mike Zusman. Mike is the founder of Carve Systems, a security consultancy. Mike is a pretty well-known security researcher in his own right. So, we actually rode some powder today, hit the mountain, and decided why not squeeze in a g33ktalk. [To Mike] Thanks for sitting down and chatting.
Mike: No, happy to be here. Thanks.
Pete: We have an interesting topic lined up. Mike's going to refresh himself a little bit as we're talking, and actually we even have a little fireplace action. So, it makes it a little cozier in here.
Mike: For the true mountain vibe.
Pete: Yeah, totally. Why not do something different, right? So, we want to talk today about mobile application security, and what you can do to secure your mobile apps. If you're a developer, how should you be thinking about security in terms of mobile devices and mobile applications? What are some best practices? What are some architectural issues? What are the main things that you should be worried about and concerned about as you're building and architecting your application? So, Mike, your background is as a programmer, as a sometime/one-time hacker, as a security consultant... Just fill us in and tell us how you got interested in mobile security in the first place.
Mike: So, a long, long time ago, I was an application developer myself. I was programming on the Microsoft web technology. So, classic ASP, COM, Visual C++ back in the day, up until about 2004, when I made kind of a little shift in my career and went to work for an SSL VPN application firewall vendor. And that's where I started to focus a little bit more on breaking applications, and having been someone who had written both secure and insecure applications, I took to it pretty easily. Coming out of working for this app firewall vendor, I went into more of a pure corporate AppSec role and lasted there a little bit before I just went full-on into AppSec consulting, being a breaker and someone who helps fix security vulnerabilities.
Pete: And, you've spoken at conferences as well, right?
Mike: Yeah, I've been at BlackHat and DefCon and CanSecWest...
Pete: What's the most basic thing that a software engineer should realize when they're approaching mobile application security? How is mobile app security fundamentally different from regular web app security, for instance?
Mike: So, when you're creating a web application, we kind of have a little bit of a walled garden mentality. We can put comments in our code and do sloppy things because we don't have time to do them properly. And they sit on our web server, and as long as that web server doesn't get hacked, or compromised, our dirty secrets are somewhat safe. But when you're writing a mobile application, it's similar to writing off-the-shelf software that's going to be in a retail box, or that you're going to get on a DVD. The software's going to be in someone's hands. They're going to have the ability to reverse engineer it and figure out how you wrote it, and see that, OK, maybe you've architected and implemented it properly, or maybe you made some mistakes with regard to security and privacy.
Pete: And not to mention that they have control of the physical device as well, right? Physical security is sometimes an overlooked aspect of computer security in general, but most computer security professionals know that if you get access to the physical device, in most scenarios, it's pretty much game over.
Mike: Sure. We have that same problem with laptops. But with laptops, we have additional controls. We have full-disk crypto and things like that, we have access control, we have domain policies, and there's a lot of hardening that can be done to a corporate device or even a personal device. A personal laptop that, if you happen to lose it, your risk is somewhat controlled. But with these mobile devices, they're not as mature. We don't have a lot of the controls or the ability to harden or lock down these devices as we do with a laptop. So, if you're writing an application that deals with potentially sensitive data like credit card data or even just email, how you store that data on the device becomes very important. If that device is lost, or stolen, or even jailbroken now... Now that we're developing in these sandbox environments on mobile devices, there's sometimes an air of, 'well, the OS is going to handle this stuff, so we don't need to handle it as developers.' But once a user jailbreaks their device, a lot of that security is removed. So now your application is in a far more hostile environment than you originally thought or expected it to be.