APPLICATION DEVELOPMENT

There's an Insecure App for That

Mar 09, 2010 01:51 pm | CSO
Experts say many mobile phone applications leave security holes wide open. Here are 5 tips for building secure mobile apps.
by Joan Goodchild

The Apple iPhone "app for that" commercials have become so ingrained in pop culture that it's a running joke, a catch line among many folks. There is even a website that parodies the ad campaign. But, it's true, these days, whether you want to use Facebook and Twitter, bank online, or find the nearest Thai restaurant, you can find an application to help you get it done.

While mobile applications are cropping up for every use, security has failed to catch up, according to Chris Clark, a principal security consultant at iSEC Partners and co-author of the recently released book Mobile Application Security.


Clark said the impetus for the book was the abundance of mistakes he and his colleagues witnessed when consulting with clients about mobile applications: mistakes that led to valuable data being exposed to attackers and left many mobile web applications susceptible to common attacks such as cross-site scripting or SQL injection.

Here Clark offers five simple application security tips for developers, and for IT folks who deploy mobile applications in the enterprise.

Tip 1: Don't forget basic security practices when it comes to mobile applications

Clark says while this might sound basic and obvious, it is painfully lacking in the development community when it comes specifically to mobile applications. "I don't know if it's psychological or what, but people say 'Oh, it's mobile' and just forget about security," said Clark. "I've seen many experienced development shops that tend to forget everything they know when they start to develop mobile applications."

So many enterprises develop mobile applications that are an extension of a business application that is already being used in the organization. The same security concerns apply, and then some, said Clark.

Tip 2: Consider the unique risks of mobile devices

"One of the risks developers don't think about is simply the mobile form factor and the risks that come with it," said Clark. "Mobile devices are more easily lost or stolen than a computer."

Since mobile devices are more likely to go missing, mobile applications should be built with that in mind. The application should use the device's encryption functionality to protect data at rest.

Tip 3: Don't allow sharing of authentication information between sites

Clark said studies have shown that entering a secure password on a mobile device takes 31 key presses, as opposed to just 12 on a computer keyboard. The point is: Mobile passwords are notoriously insecure. If a user uses the same password on both the mobile and main applications, and it is cracked on the mobile device, the password for the main application is also revealed.

"Don't degrade your overall authentication mechanism by sharing credentials between main and mobile," said Clark.
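One way to follow Tip 3 (and the lost-device concern in Tip 2) in code, as an added example that is not from the article or from iSEC Partners: the main application keeps its password verifier, while each phone is enrolled once and then authenticates with its own revocable token. The `AuthService` class, its method names and the sample user are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets


class AuthService:
    """Constructed example: separate credentials for main and mobile logins.

    The main password is used once, during enrollment, and is never stored on
    or sent from the phone afterwards. A mobile token that leaks from a stolen
    device cannot open the main application and can be revoked on its own.
    """

    def __init__(self):
        self._password_hashes = {}  # user -> (salt, pbkdf2 hash)
        self._device_tokens = {}    # user -> {device_id: sha256(token)}

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = os.urandom(16)
        self._password_hashes[user] = (salt, self._hash_password(password, salt))

    def login_main(self, user, password):
        rec = self._password_hashes.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash_password(password, salt))

    def enroll_device(self, user, password, device_id):
        """One-time enrollment checked against the main credential; returns the
        token the phone keeps (under the device's own storage encryption)."""
        if not self.login_main(user, password):
            raise PermissionError("enrollment requires the main credential")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._device_tokens.setdefault(user, {})[device_id] = digest
        return token

    def login_mobile(self, user, device_id, token):
        stored = self._device_tokens.get(user, {}).get(device_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, hashlib.sha256(token.encode()).digest())

    def revoke_device(self, user, device_id):
        """Lost or stolen phone: drop that device's token, nothing else."""
        return self._device_tokens.get(user, {}).pop(device_id, None) is not None
```

Revoking a device leaves the main password untouched, so a lost phone is handled without forcing a password reset across every other application.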