On Thursday, August 14th, I’m speaking on a webinar for the Multi-State ISAC about mobile application security. The webcast is at 2pm EDT; the link to register is here if you are interested. This is the third time I’ve supported webcasts for the MS-ISAC (previous webcasts were about APT in December 2013 and Risk Management in December 2010), but this is the first time I’m the sole presenter, for which I’m honored. The MS-ISAC is the cyber security information sharing and collaboration body for state, local and tribal governments. It plays a critical role in helping these often underfunded organizations by providing alerts about cyber threats, by coaching them on how to mitigate those threats, and by providing critical security training to help improve their capabilities.
My topic is application security, with a specific focus on mobile. Mobile apps are, for the most part, front ends to ordinary web application infrastructure: the app talks to the same kind of HTTP APIs, authentication services and back-end data stores that a browser-based app would. The industry has years of experience securing web applications, but somehow we often seem to forget what we’ve learned when it is time to launch a new platform. All the testing, the integration of security into the application life cycle, and the credential and session management seem to go out the window when we want to get a hot new mobile app implemented. So I will be providing my perspective on three questions: What new threats do mobile apps pose over web apps? What are the things we know we have to do but aren’t doing? And what are the new things we should do in our development process, security architectures, and security monitoring? We even have some opportunities to do things better than we did with web apps, so listen in if you are interested.
One of the big differences between mobile and desktop threats is that there is no separate class of virus or malware for mobile platforms. All malicious software on mobile arrives as a mobile app: one pretending to be legitimate, one that was legitimate but was compromised at some point, or one that is outright bogus. In every case, the user must consciously install the app (and any associated malicious profile) for it to cause harm. There is currently nothing like the “drive-by download,” or the sneaky background process that spawns a Trojan when you open a PDF, that we see on desktop platforms. So if a user controls his behavior by downloading apps only from the Apple or Google Play stores, or from his company’s trusted enterprise app store, he removes the great majority of the risk. It is not zero, though: store vetting is a filter, not a guarantee, and the figures below show that some malicious apps still reach phones in markets where the official store dominates.
I read a very interesting mobile malware blog post last week: the half-year security report from Cheetah Mobile, found here. Never heard of Cheetah Mobile? That’s because they are the largest mobile Internet company in China, and they also provide mobile AV to their customers. (So if some of you would rather not click the link now, I understand.) But their insight is very good. They tell the familiar story of an exponential rise in Android malware, but they correctly point out why Asia has significantly more mobile malware problems than the US, Europe, and Australia: in those regions most users can, and do, get their apps from the Google Play store. In Asia, and especially China, most people don’t get their apps from Google Play but from third-party app stores that “have very lax checks to ensure that applications do not contain viruses.” They report that in India and Vietnam roughly 3% and 3.65% (respectively) of all apps found on Android phones are malicious. China is not much better at 2.45%. The US figure is 0.68% for reference, which is still a large number of apps once you consider how many are installed. The most common and obvious malicious apps are the ones that make the victim pay for services, either in the app or through premium-rate SMS messaging.
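The two paragraphs above make an operational point: on Android, the practical question is not “is there malware” but “where did each app on this phone come from.” The script below is an added example, not code from the original post or from Cheetah Mobile; it parses the output of the real Android command `adb shell pm list packages -i` (which prints one `package:<name>  installer=<pkg or null>` line per app) and sorts packages into those installed by a trusted store, those installed by some other store, and those sideloaded with no installer recorded. The sample output embedded below is constructed for the example, and the trusted-installer list, including the enterprise store name, is an assumption you would replace with your own.

```python
"""Classify installed Android packages by install source.

Added example, not from the original post. Parses the output of
`adb shell pm list packages -i` (a real Android command whose lines look like
"package:<name>  installer=<installer package>|null") and flags anything
that did not come from a trusted store. The sample output and the
trusted-installer list below are constructed assumptions for this example.
"""
import re

# Installer package names assumed trusted. com.android.vending is Google Play;
# the enterprise store name is a hypothetical placeholder.
TRUSTED_INSTALLERS = frozenset({
    "com.android.vending",        # Google Play
    "com.example.corp.appstore",  # hypothetical enterprise app store
})

# Constructed sample of `pm list packages -i` output for this example.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.corp.expenses  installer=com.example.corp.appstore
package:com.thirdparty.market  installer=null
package:com.freegames.superflash  installer=com.thirdparty.market
package:com.android.settings  installer=null
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text):
    """Return {package_name: installer_package_or_None} from pm output."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrelated line
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def classify(packages, trusted=TRUSTED_INSTALLERS, system_pkgs=frozenset()):
    """Bucket packages by provenance.

    Preinstalled system apps also report installer=null, so callers pass the
    system package set (from `pm list packages -s`) to keep them out of the
    sideloaded bucket. Each bucket is sorted for stable reporting.
    """
    report = {"trusted": [], "third_party_store": [], "sideloaded": [], "system": []}
    for pkg, inst in sorted(packages.items()):
        if pkg in system_pkgs:
            report["system"].append(pkg)
        elif inst is None:
            report["sideloaded"].append(pkg)
        elif inst in trusted:
            report["trusted"].append(pkg)
        else:
            report["third_party_store"].append(pkg)
    return report


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_PM_OUTPUT)
    # com.android.settings is treated as a system app for the constructed sample.
    for bucket, names in classify(pkgs, system_pkgs={"com.android.settings"}).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Notice the chain in the sample: the sideloaded package com.thirdparty.market is itself a store, and everything it installs lands in the third_party_store bucket, which is exactly the distribution path the Cheetah Mobile report describes. Treat the installer field as a triage signal rather than proof of provenance: it is metadata recorded at install time, not a signature, so a hit here is a reason to pull the APK and inspect it, not a verdict.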
Which brings me back to mobile application security. We have a responsibility as an industry to build secure mobile apps, and to have a process to test not only our own apps but also the apps of our partners and of any other vendor whose software we want to bring into our environment or use personally. We’ve done this for over a decade in the web application space, and web application testing is now an automated and cost-effective exercise (not saying everyone does it, but they can). So let’s take a lesson from history and start looking more closely at the mobile app security lifecycle. I’ll go deeper into the details in another post, but I will talk about this topic on Thursday.
– Rick Doten, DMI Chief Information Security Officer (CISO)