Security and Rapid Mobile Application Development


Orin Thomas

February 20, 2012


@orinthomas

When Microsoft created the Security Development Lifecycle, which is one model of secure software development, it required that security be considered from the outset. Making an application secure after you've written it is a lot harder than making it secure from the beginning.

With operating systems becoming better hardened against attack, exploits have moved up the stack to applications. As Pwn2Own shows, attacking something like Flash is more likely to work than going after the browser or operating system.

Which brings us to the problem of rapid mobile application development. It is received wisdom that smartphones and tablet devices are taking on an increasingly important role in the enterprise. App development on mobile platforms tends to be done with the goal of releasing quickly. Getting your app to the store is important. You can always release updates once you're there and generating an income stream.

As Dark Reading notes in this article:

"coders … throw all of those secure development principles the industry has fought over … right out the window when it comes to mobile apps"

The recent security issues with Google Wallet indicate that it isn't just the small mobile app shops that are ignoring security as a way of getting the app into the public's hands. Until the mobile app industry develops a culture of security, current apps are going to be as exploitable as a Windows 95 box connected to the Internet without a firewall with the hostname youcannot.hackme.net.au.

At the moment the easiest way to get malware on a device (at least on Android) seems to be to try to publish it to the Android store (as the gatekeepers seem to have a post hoc approach to weeding out malware published as apps). However, at some point in the future hackers are going to start to exploit the applications running on mobile devices themselves. Given that mobile app developers don't seem to be considering security (and it's not like the app stores are fuzz testing) - it's likely that hackers will find exploiting popular mobile apps as easy as shooting fish in a barrel.

---

My book Windows Server 2008 R2 Secrets is for experienced Windows administrators who are new to Windows Server 2008 R2 and don't need a lot of basic introductory level material. If you are looking for a book on Windows Server 2008 R2 that will tell you stuff you don't know rather than reiterating stuff that you do, it might be right for you.
