Old school flaws still haunt mobile Web apps

When using a BlackBerry, Android, iPhone or other smartphone, we tend to assume all the nifty Web apps on these devices are relatively secure. At the least, we expect that a lot of the painful security lessons we received on PCs a decade ago have been applied to today’s phone apps.

But when Intrepidus Group researchers Zach Lanier and Mike Zusman started taking mobile phone apps apart to see what makes them tick, they discovered that our assumptions have been wrong. At the SecTor 2010 conference Wednesday, they walked their audience through some of the more glaring examples of old-school flaws they uncovered in many Web apps for mobile phones.

The problems that need fixing are on the developer side, Lanier said. In the rush to satisfy smart phone users hungry for new apps, the same mistakes that were made around 1999-2000 in the PC world are being repeated. After looking at the more popular phones like Android and BlackBerry, the two discovered, among other things, that:

– Intercepting one’s credentials on an app like Foursquare is pretty easy.

– Storage apps — popular among those who like to store and easily retrieve music and video on their phones — contain security holes an attacker could exploit to cause a denial of service or bypass digital rights management controls.

– Carrier-based apps tend to trust you just because you happen to be on the carrier network.

– Third-party apps are sometimes better than carrier-based apps in this regard, but there’s still incomplete support for open standards.

– Man-in-the-middle attacks are fairly trivial across the board.

– It’s trivial for a bad guy to replay a user’s picture upload requests via a third-party upload app for BlackBerry and send their own, potentially malicious files to random accounts. Zusman said injection flaws in the picture upload feature abound and that it was fairly simple to inject their own XML attribute.

Lanier and Zusman concluded that in the mobile phone Web app world there’s a lack of guidance, standards and best practices for developers.

“We learned about many of these weaknesses 10 years ago,” Lanier said. “We’re forgetting the lessons we already learned.”

By exposing these old-school problems, the researchers hope to shake the developer community into a state of vigilance.

Over the course of their research, the duo relied on such techniques as white box source code review, black box code review that included acquiring the Web app binaries, and lots of reverse engineering, disassembly and decompilation, and network-protocol analysis.
