Sunday, November 7, 2010

Mobile Application Insecurity

Being someone who develops secure mobile applications, I am consistently dumbfounded by large enterprises (who should know better) that fail to secure their mobile applications. A recent article in The Wall Street Journal highlighted findings by viaForensics that several mobile banking applications store passwords unencrypted on the device.

The banking industry is no stranger to security concerns; banks are among the largest purchasers of security products and services globally. The rush by enterprises to bring mobile applications to market has not passed financial firms by, however, and they are simply not applying the basic principles of secure application development: build security in from the very beginning, and test the security before deploying the application. I am absolutely floored by the number of financial applications available on the iPhone (for example) that store the password on the device and then do not require something as simple as a PIN to enter the application (let alone encrypt the stored password).
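Here is the kind of check I mean by "test the security before deploying." It is an added example, not code from the original post and not viaForensics' tooling: you log in to the app with a deliberately unique password, pull the app's data container off the device, and search every file in it for that password, including trivially encoded forms, since base64 or a wide-character encoding is not encryption. The sample container below is constructed in a temporary directory (a JSON preferences file, a sqlite cache, a log) so the script runs offline; the file names, the test password and the `scan_container` helper are all assumptions for illustration, not anything a real bank app uses.

```python
import base64
import json
import os
import sqlite3
import tempfile

# Constructed sample: the password the tester typed into the app under test.
# Any hit on it in persistent storage is a finding.
TEST_PASSWORD = "Tr0ub4dor-9f3e"


def build_sample_container():
    """Create a throwaway directory that mimics an app sandbox (constructed
    sample data, not pulled from a real device): a preferences file, a sqlite
    cache and a log file."""
    root = tempfile.mkdtemp(prefix="app-sandbox-")

    # Preferences store that keeps the password in the clear (the failure
    # mode described in the post), written here as JSON for portability.
    with open(os.path.join(root, "prefs.json"), "w") as f:
        json.dump({"username": "alice", "remember_me": True,
                   "password": TEST_PASSWORD}, f)

    # Local database that "hides" the credential by base64-encoding it.
    # Encoding is not encryption; the bytes land verbatim in the db file.
    db = sqlite3.connect(os.path.join(root, "cache.db"))
    db.execute("CREATE TABLE session (user TEXT, secret BLOB)")
    db.execute("INSERT INTO session VALUES (?, ?)",
               ("alice", base64.b64encode(TEST_PASSWORD.encode())))
    db.commit()
    db.close()

    # A log that does not leak the password, so the scan has a negative case.
    with open(os.path.join(root, "app.log"), "w") as f:
        f.write("login ok for alice\n")
    return root


def plaintext_variants(secret):
    """Byte patterns the secret takes when stored unencrypted but 'obscured'."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw),
        "utf-16le": secret.encode("utf-16-le"),
    }


def scan_container(root, secret):
    """Walk every file under root and return (relative path, encoding) pairs
    for each file whose raw bytes contain the secret in any listed form."""
    findings = []
    variants = plaintext_variants(secret)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            for label, needle in variants.items():
                if needle in data:
                    findings.append((os.path.relpath(path, root), label))
    return findings


if __name__ == "__main__":
    container = build_sample_container()
    for path, encoding in scan_container(container, TEST_PASSWORD):
        print(f"FINDING: {path} contains the test password ({encoding})")
```

Against a real device you would point `scan_container` at the pulled app container (and at backups, which are where the same data often resurfaces). A clean result only means the exact test password was not found; it does not prove the stored credential is protected by anything stronger than an encoding the scan does not know about, so add variants as you discover them.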

It is carelessness at best and completely irresponsible at worst. Banks, large enterprises, and health care organizations should make security a priority in any and every application that handles ANY potentially sensitive information, and they fail to do so often enough to convince me that there will be many more breaches before things get better.

What I also find remarkable is that a company like Apple, which scrutinizes application submissions and regularly rejects applications that use foul language, show nudity, or (God forbid) replicate Apple functionality, does not bother to reject applications submitted by banking and health care organizations (the latter being something I am personally well aware of) that fail to encrypt sensitive information. Is this their responsibility?

Yes it is!

Security is everyone's responsibility, and until we understand that, we will continue down the same path with every new technology, platform, and latest and greatest thing that comes down the pike.

You can bank on that.

1 comment:

Unknown said...

This was a great article, Mike, and is exactly what I am in the middle of in reference to known security issues in the smart grid. I break it down as "pre-Plan A", needed deployment of immediate security solutions; "Plan A", deployment of current security with methods to immediately change the security; and "Plan B", shut the doors, shut up and prepare "Plan B".

As we both know, in many cases we are still in "pre-Plan A". I could tell you about a lot of these security issues, but I have a greater respect for "loose lips sink ships" than I used to. As I fight to get known security solutions recognized, I keep looking for that room where I can just shut the door with some responsible people and get the job done. That of course would put responsibility before profit, which is hard to do nowadays. I look forward to Smart Grid Security East. Let's find a place to shut the doors and talk about "Plan pre-A, A and B"?