Monday, 13 June 2011

Developing Securely for SmartPhones - A few Key Principles

At AppSecEU last week, I attended Dan Cornell's (Denim Group) presentation on Security Testing Mobile Applications. You can view the slide deck on the Denim Group blog.

Basically, Dan demonstrated how you can "root" the smartphone and then reverse-engineer the application to do whatever you want. Slide 6 shows a "Generic Mobile Application Threat Model" for a SmartPhone app connecting to an enterprise application. It shows the following threats:
  1. Malicious User
  2. Malicious User (bypassing Mobile Client)
  3. Malicious Mobile Application
  4. 3rd Party Services (Possibly Malicious)
Nr. 2 is where a malicious user bypasses the smartphone completely and attacks the enterprise web services which the smartphone uses.

Nr. 3 is a malicious application which is installed on the smartphone and can interfere with other installed applications.

Nr. 4 is where the smartphone connects to 3rd party services which have been compromised.

Key Principles

So what are the lessons when developing enterprise-type apps for smartphones? Here are a few thoughts. These are based in part on a short conversation I had with Dan after his talk*.

  1. Treat the smartphone as an "untrusted device".
  2. If possible, don't store confidential information on the phone.
  3. Develop your web services securely, as an attacker may discover the web services and attack them directly - bypassing the smartphone completely.
  4. Your web services should validate any input data and perform the necessary authorisation, access control, business logic checks etc. Any validation performed on the phone should be repeated by the web service.
  5. Use SSL to prevent man-in-the-middle attacks.

* These may not be an accurate reflection of Dan's views!
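To make principles 1, 3 and 4 concrete, here is an added example (mine, not from Dan's talk or the Denim Group material): a hypothetical money-transfer web service called by a phone app, first in a form that trusts what the app sends, then in a form that derives the caller's identity from the session and repeats every input, business-logic and authorisation check on the server. All function names, the session and account tables and the request fields are constructed for the example.

```python
# Added example, not from the original post: a hypothetical transfer endpoint
# behind a smartphone app. All names and sample data are constructed.
import re
from decimal import Decimal, InvalidOperation

# Constructed server-side state: session tokens -> users, accounts -> owner/balance.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {"ACC-1001": {"owner": "alice", "balance": Decimal("500.00")},
            "ACC-2002": {"owner": "bob", "balance": Decimal("100.00")}}
ACCOUNT_RE = re.compile(r"ACC-\d{4}")
MAX_TRANSFER = Decimal("1000.00")

class RequestError(Exception):
    pass

def transfer_trusting_phone(req):
    """Weak: trusts the user id and 'already validated' flag the app sent.
    Whoever bypasses the app and calls the service directly chooses both."""
    if not req.get("client_validated"):
        raise RequestError("rejected")
    if ACCOUNTS[req["from"]]["owner"] != req["user"]:
        raise RequestError("not authorised")
    return "ok"  # would then move the money

def transfer(req, token):
    """Hardened: identity comes from the session; every input, business-logic
    and authorisation check is repeated here, whatever the app already did."""
    user = SESSIONS.get(token)
    if user is None:
        raise RequestError("not authenticated")
    src_id, dst_id = req.get("from"), req.get("to")
    if not all(isinstance(a, str) and ACCOUNT_RE.fullmatch(a) for a in (src_id, dst_id)):
        raise RequestError("bad account id")
    try:
        amount = Decimal(str(req.get("amount")))
    except InvalidOperation:
        raise RequestError("bad amount")
    # is_finite() first: comparing a NaN Decimal would itself raise InvalidOperation
    if not amount.is_finite() or amount <= 0 or amount > MAX_TRANSFER or src_id == dst_id:
        raise RequestError("amount or accounts out of range")
    if src_id not in ACCOUNTS or dst_id not in ACCOUNTS:
        raise RequestError("unknown account")
    src = ACCOUNTS[src_id]
    if src["owner"] != user:  # authorisation: the caller must own the source account
        raise RequestError("not authorised")
    if src["balance"] < amount:
        raise RequestError("insufficient funds")
    src["balance"] -= amount
    ACCOUNTS[dst_id]["balance"] += amount
    return src["balance"]
```

The weak handler accepts any request that names an owner and sets the flag, which is exactly what threat Nr. 2 above gives an attacker; the hardened one never reads identity or "validated" state from the request body.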


1 comment:

  1. Well put. This is the reason why I'm not too enthusiastic about the idea of linking credit cards to smartphones.
    blackberry unlock code