Thursday, March 17, 2011

Is there a secure app for that?

by Trang Huynh

Mobile applications (a.k.a. “apps”) revolutionized the way we use mobile phones. Mobile apps became a global sensation with the emergence of the trend-setting Apple iPhone and its successive assembly of competitors; most notably, the Google-based Android smartphones. Currently, there are hundreds of thousands of apps for smartphones available on the market.

One of the significant benefits of apps is that they provide an easy and convenient way for mobile phone users to connect to the Web while on the move. Typical usage of apps includes accessing personal and work email, social networking, and banking.

However, with increased popularity also come increased security vulnerabilities. According to appWatchdog, some major vulnerabilities found in mobile apps include:

  • Unsafe sensitive data transmission - some apps do not validate security certificates and therefore are vulnerable to man-in-the-middle attacks exposing personal data such as full user name, password, and account data.
  • Unsafe sensitive data storage - some apps save the user's password in clear text, which could be accessed by an untrusted entity.
  • Likewise, some apps insecurely save the user's data to the smartphone, thus allowing recovery of financial information viewed in the app.
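The second and third points above are about what an app leaves behind on the device. The following is an added example, not code from the original post or from any app it mentions, contrasting the clear-text pattern with a hardened one. The record layout, the field names, the list of secret-looking keys and the "session token plus local PIN verifier" design are assumptions made for the illustration; on a real handset the token should additionally be kept in the platform key store rather than in a plain settings file.

```python
"""Local credential storage: the clear-text pattern versus a hardened one.

Added example (not from the original post). Field names, the SECRET_FIELDS
list and the PIN-verifier design are assumptions for this illustration.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List

PBKDF2_ITERATIONS = 200_000  # slow hash: a stolen file cannot be brute-forced cheaply

# Keys that should never hold a clear-text value in app storage (assumed list).
SECRET_FIELDS = ("password", "passwd", "pin", "card_number", "account_password")


def build_insecure_record(username: str, password: str) -> Dict[str, object]:
    """The vulnerable pattern described in the article: the login password is
    kept as clear text, so anyone who reads the file has the account."""
    return {"username": username, "password": password}


def build_hardened_record(username: str, session_token: str, pin: str) -> Dict[str, object]:
    """Hardened pattern: the server password is never persisted. The app keeps a
    server-issued session token (assumed revocable server-side) and a salted
    PBKDF2 verifier of a local unlock PIN, so the file alone yields neither."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "username": username,
        "session_token": session_token,
        "pin_salt": salt.hex(),
        "pin_verifier": verifier.hex(),
        "pin_iterations": PBKDF2_ITERATIONS,
    }


def check_pin(record: Dict[str, object], pin: str) -> bool:
    """Verify a local PIN against the stored verifier with a constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        pin.encode(),
        bytes.fromhex(str(record["pin_salt"])),
        int(str(record["pin_iterations"])),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["pin_verifier"])))


def find_cleartext_secrets(record: Dict[str, object]) -> List[str]:
    """Developer-side check: list secret-looking keys stored as clear text.
    Run it against the app's own settings files before release."""
    return [key for key in record if key.lower() in SECRET_FIELDS]


def write_record(path: str, record: Dict[str, object]) -> None:
    """Persist a record as JSON (stands in for the app's settings store)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    insecure = build_insecure_record("alice", "hunter2")
    hardened = build_hardened_record("alice", "tok-constructed-123", "4711")
    write_record("insecure.json", insecure)
    write_record("hardened.json", hardened)
    print("insecure file leaks:", find_cleartext_secrets(insecure))  # ['password']
    print("hardened file leaks:", find_cleartext_secrets(hardened))  # []
    print("pin accepted:", check_pin(hardened, "4711"))              # True
```

The point of the split is that the hardened file is useless on its own: the token can be revoked by the server the moment the phone is reported lost, and the PIN verifier only lets the app confirm a PIN, never recover it.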

For example, a recent article from InformationWeek (Vulnerabilities Found In Banking Apps) noted that security holes found in Android and iPhone apps from PayPal, Bank of America, Chase, and Wells Fargo could give attackers access to financial data. The article also pointed out that major vulnerabilities encountered included some apps failing to validate security certificates, leaving them vulnerable to man-in-the-middle attacks.
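The certificate-validation failure named in both the list above and this article is easy to reproduce in code and equally easy to catch in review. Below is an added example, not code from the original post or from any of the apps it names, showing a client context that skips validation next to one that enforces it, plus a small audit function that flags the weak settings. The audit rules and the function names are assumptions for this illustration.

```python
"""TLS client configuration: the validation mistake the article describes,
the secure default, and a reviewer's audit helper.

Added example (not from the original post). The audit rules are an
assumption about what a reviewer would flag.
"""
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The pattern the article warns about: any certificate is accepted and the
    name in it is never compared with the host, so whoever sits on the network
    path can present their own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # accepts self-signed or attacker-issued certs
    return ctx


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened configuration: require a certificate chaining to a trusted CA
    (the system store, or a pinned bundle passed as cafile), require the
    hostname to match, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag in a client context; an empty
    list means the context validates the server the way a banking app should."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def open_connection(host: str, port: int = 443, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Connect with the hardened context. A wrong, expired or self-signed
    certificate raises ssl.SSLCertVerificationError instead of silently
    succeeding, which is exactly the behaviour the vulnerable apps lacked."""
    ctx = secure_client_context(cafile)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("secure:  ", audit_client_context(secure_client_context()))
```

A test suite that builds every outbound context through a factory like secure_client_context, and asserts audit_client_context returns an empty list, is a cheap way to stop the insecure pattern from creeping back in during development, where disabling validation to reach a staging server with a self-signed certificate is the usual origin of the bug.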


To counter this threat, the developer of the app (or the manufacturer of the smartphone) could get their product evaluated against a well-known security standard such as the Common Criteria or FIPS 140-2. This would not only enhance the security of the product but also improve its marketability.

As a consumer of the app (and the smartphone), awareness is key! It is often the case that user carelessness, rather than technological threats, poses great risk to sensitive data stored on smartphones. Some “best practice” suggestions for securing your smartphone include:

  • Pick your apps carefully (e.g., choose apps from trustworthy sources only)
  • Be aware of what the app asks you to do (e.g., accepting an unauthorized SMS message)
  • Disable apps that are not needed
  • Keep your smartphone operating system and apps up to date
  • Use caution when browsing the Web (e.g., use anti-malware protections, firewalls, etc.)
  • Use the available, built-in security features (e.g., enable PIN/password protection, encrypt stored sensitive data).

For related reading on smartphone security, check out the blog entry (Root of Trust in Smartphones) written by my colleague Courtney Cavness.
