Mobile App Security - OWASP and Other Ways to Get Started
Mike and I discuss the OWASP organization (http://owasp.org) as well as methods for getting started on evaluating the security of your own mobile applications.
(Full transcript after the break, or download MP3 audio here)
Mike: A couple of things I've talked about have already come off the OWASP top ten list for mobile, which is a list that myself, Jack Lanier, Zack Mannino, and a number of other people in the application security community collaborated on to put together: a list of the top ten risks for mobile.
Pete: Yeah, OWASP is a great organization.
Pete: And highly recommended for all the geeks out there who want to learn more about security in general, and application security specifically. There are projects, including the one that covers mobile that you mentioned, that you're involved in, and a wealth of other resources and information there. So I highly recommend that geeks out there check that out.
Mike: So, one of the things, and it's actually number two on the OWASP mobile top ten, the number two risk is essentially weak server-side controls. So, I just consider it a pointer to the original OWASP top ten for web applications, which was a widely accepted list of standard risks and vulnerabilities in web applications. It's something that other compliance organizations have taken to. For example, PCI: to be PCI compliant, you need to be scanned and assessed against the OWASP top ten list. So, when we're writing these new mobile applications, we need to remember that it's not just code going on the client anymore. It's potentially a whole new server-side infrastructure and either a SOAP-based web service or a RESTful service. And these new pieces of technology are ripe for attack. It's funny, when the iPads first came out, within the first couple of days there was the first "iPad hack," where all sorts of private details and data about the initial customers who received their iPads were made public. It was essentially publicly available on the internet. And the reason for this was, essentially, poor server-side controls. There was no access control on the web services that the iPad was communicating with. So, people could just bypass the iPad, fire up a web browser, talk directly to the web service, and extract all this data. And that was labeled as an iPad hack, when really it's kind of the same thing we've been dealing with for well over a decade now: SQL injection, input validation attacks, improper authorization, lack of access control.
Pete: So, what if I'm not starting from scratch? What if I'm a developer and I already have a mobile application out, and maybe I didn't think through some of these architectural issues, or sensitive data storage on the device, when I was originally architecting my app? What's the first thing I should do to try to secure an existing mobile application?
Mike: Sure. I would perform a code review for security, where someone looks at the code, line by line, manually, and assesses that code based on the current OWASP top ten risks for mobile apps.
Pete: So, I could do this myself as a developer; it's not necessary to hire an expensive security consultant. I could go to OWASP and search, or work my way through the top ten and do a code review of my own application against that.
Mike: Certainly. I mean, something as simple as data storage on the device: you know, if you're storing sensitive data on the SD card. If you see yourself doing that, that's bad, because that's basically a public location on the device and the application could access it. So, yeah, I think it's certainly doable for a developer to start working through these risks and analyzing their own code.
Pete: How can the geeks reach out to you if they have questions about application security?
Mike: Sure. Well, you can always just Google me, Mike Zusman, and a number of things will pop up. My blog will pop up. You can also find me on Twitter. My handle is @schmoilito, which is not as easily spelled.
Pete: I think I always forget that last I. And, the name of your company is Carve Systems?
Mike: Carve Systems, yes.
Pete: Great. Awesome. Well, thanks for chatting.
Mike: Yea, thanks, Pete.
Pete: Security's a great topic. It's something I want to cover more, like I said, in future episodes. So, maybe we'll bring you back and do a deeper dive into something OAuth related perhaps.
Mike: Sure, definitely. Thanks for having me.
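The "weak server-side controls" risk Mike describes above, where an attacker skips the mobile app and talks to the web service directly, is easy to model in a few lines. The following is an added example written for this page, not code from the interview, from OWASP, or from Carve Systems. It assumes a JSON endpoint at a constructed URL (`https://api.example.com/account?id=...`), a constructed account store, and a constructed bearer-token session store; the handler and helper names are hypothetical. `weak_handler` trusts whatever `id` the client sends and never asks for a credential, so a plain HTTP client can enumerate every record. `hardened_handler` authenticates the caller first and then enforces object-level authorization, so a valid user still cannot read another user's record.

```python
"""Weak vs. hardened server-side access control on a mobile back-end API.

Added example (not from the interview or from OWASP/Carve Systems).
All account records, tokens and URLs are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample data: subscriber records keyed by account id.
ACCOUNTS = {
    "1001": {"email": "alice@example.com", "phone": "+1-555-0101"},
    "1002": {"email": "bob@example.com", "phone": "+1-555-0102"},
}

# Constructed session store: bearer token -> account id that owns it.
# A real service would store a hash of the token, not the token itself.
SESSIONS = {
    "tok-alice": "1001",
    "tok-bob": "1002",
}


def weak_handler(url: str, headers: dict) -> tuple:
    """Vulnerable: no authentication, and the client-supplied id is trusted.

    This is the pattern behind the early iPad data leak Mike mentions:
    the app "knows" its own id, but nothing stops a browser from sending
    any other id.  Returns (status_code, body).
    """
    params = parse_qs(urlparse(url).query)
    account_id = params.get("id", [""])[0]
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def hardened_handler(url: str, headers: dict) -> tuple:
    """Hardened: authenticate the caller, then authorise per object.

    The id parameter is still accepted for API compatibility, but it must
    match the account bound to the session token.  Returns (status_code, body).
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    token = auth[len("Bearer "):]
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, {"error": "invalid token"}

    params = parse_qs(urlparse(url).query)
    # Default to the caller's own account when no id is supplied.
    account_id = params.get("id", [owner])[0]
    if account_id != owner:
        # Object-level authorisation: deny without revealing whether the
        # requested account exists.
        return 403, {"error": "forbidden"}
    return 200, ACCOUNTS[owner]


def enumerate_accounts(handler, id_range) -> dict:
    """The bypass attack: ignore the app and call the service with no credential.

    Returns {account_id: email} for every record the service hands back.
    """
    leaked = {}
    for i in id_range:
        status, body = handler(f"https://api.example.com/account?id={i}", {})
        if status == 200:
            leaked[str(i)] = body["email"]
    return leaked


if __name__ == "__main__":
    print("weak service leaks:", enumerate_accounts(weak_handler, range(1000, 1010)))
    print("hardened service leaks:", enumerate_accounts(hardened_handler, range(1000, 1010)))
    print("alice reading bob:", hardened_handler(
        "https://api.example.com/account?id=1002",
        {"Authorization": "Bearer tok-alice"}))
```

The point of the hardened version is that the identity used for the authorization decision comes from the server-side session, never from a field the client controls; the `id` parameter is only compared against it. Running the script shows the weak handler leaking both constructed records to an unauthenticated caller, while the hardened handler returns nothing to that caller and a 403 when Alice's valid token is used to request Bob's record.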