News

Security Experts: Time Needed for Secure Mobile App Development

• By Rutrell Yasin
• 08/08/2011

Speaking at a tech summit last week, security experts agree that to develop secure mobile apps, an investment in time to apply the correct testing and auditing techniques is worth the effort.

Mobile devices are fraught with security risks, but it is still possible to develop secure mobile applications if developers are willing to invest the time and apply the proper auditing and testing techniques, according to security experts speaking at a tech summit Aug. 4.

"Right now mobile security is in a pretty dicey place," said Andrew Hoog, chief investigative officer with viaForensics, which provides forensic analysis and security techniques to ensure that mobile applications protect users' sensitive data and identity. The company has developed forensic and mobile tools for Android and iPhone smart phones that can be downloaded for free.

The company is poised to release a review of 100 popular mobile applications and plans, Hoog told attendees at CompTIA's Tech Summit on Cybersecurity in Washington. CompTIA is a trade association that promotes the global interests of IT professionals and companies.

Ten percent of the applications reviewed store passwords in plain text, Hoogsaid, giving a sneak preview of results of the viaForensics testing. Twenty percent of the financial applications failed, and, overall 83 percent of the apps either failed or got a warning about the types of data of being stored on them.

"The good news is: 17 percent passed," which means "it is possible to develop secure mobile apps," Hoog said. He noted that viaForensics just scratched the surface, looking for basic information but recovered enormous amounts of data on these mobile devices.

The consumer can't change the status of current mobile applications that pose risks. "The folks that need to change are the people who write the applications," Hoog said. However, developers don't have all the secure development life-cycle tools in place now because mobile technology is changing rapidly, he said.

Best practices for how programmers should apply mobile security are just beginning to be developed by organizations such as The Open Web Application Security Project (OWASP), he said. The focus currently is on identifying the primary attack vectors.

"It's possible to secure mobile apps," he said, but it requires a slightly different mind set. Mobile apps are downloaded onto phones but at the same time communicate with Web services behind the scenes. As a result, many technologies have been thrown together, creating a challenge.

"OWASP and organizations like that are doing a great job of evangelizing the cause for strong application security," said Brain Contos, director of global security strategy and risk management with McAfee.

Some companies want to take lessons learned on the Web side and apply them to mobile, he said.

"There is this massive chasm between network security and application security, and mobile, being a piece of that fundamentally, has a very quick catch-up time to mitigate [risks in] that front window," Contos said. "It's going to be a tough time."