Thursday, October 27, 2011

Securing Mobile Data at the Application Layer

Most mobile device applications have serious security vulnerabilities.  These flaws include the storage and transmission of unencrypted data, poor session handling, and data leakage.  McAfee addresses many of the management and compliance challenges through its Mobile Security Strategy.

The Open Web Application Security Project (OWASP) Mobile Security Project focuses on the security of the applications that enrich the mobile device user experience.  According to its contributors, it “is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.”

Following the theme of the OWASP Top 10 web application risks, the project focuses on the top ten mobile risks. This series will launch with a discussion of risk number one, Insecure Data Storage. The controls recommended to mitigate these risks address encryption, data classification, session management, and data leakage. Gartner's analysis of upcoming mobile application trends, which include financial services, location-based services, and mobile health monitoring, highlights the need for a rigorous Secure Software Development Lifecycle (SSDLC).

Data Classification
OWASP recommends that processing, storage and transmission of data should be consistent with its classification.  Developers should consider data sensitivity when creating data models from which information will be queried and processed.  They should also communicate with business stakeholders to identify the stages where data classification changes.  The University of Florida has composed a mobile device data classification policy covering OWASP’s recommendations.

Access Control
The increased usage of mobile devices to access financial content, such as online banking and credit card management sites, makes a compelling case for strong access controls.  According to a study performed by Stephen Perlson and Reinhardt Botha, there are three key security services that developers should address.

- Authentication – the application must confirm the claimed identity.
- Confidentiality – the application does not disclose information erroneously.  OWASP advises that applications be programmed to collect and disclose only the data that is required for business use.
- Integrity – the application attempts to mitigate the risk of data corruption.

Encryption
Consider the data exposed to the applications on your smartphone: information on your contacts, credentials to email accounts, and possibly credentials to financial sites, to name a few. A survey of 100 consumer mobile applications conducted by ViaForensics found that 76% of apps stored unencrypted user credentials. The survey also found that private data could be recovered from 60% of these applications. The risk of credential sniffing or session hijacking is increased for users who retain active sessions with a website.

OWASP recommends that data stored or transmitted from the mobile device be encrypted.  The choice of encryption solution will vary depending on the enterprise requirements.  In any case, developers should design code that does not store/cache sensitive unencrypted data.  All sensitive data should be transmitted to a server via a secure network connection and deleted from the mobile device.  Sensitive data should be stored in an encrypted form if network connectivity is unavailable.

Data Purging
Data retention is usually considered for data handled outside of software applications, but it applies inside them as well. OWASP warns that an application retaining data beyond the period required for processing increases the chance of data leakage. It advises developers to destroy sensitive data, such as GPS coordinates or financial data, as soon as the application has used it. Additionally, all data that exceeds a specified retention period should be deleted.
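As an added example serving both the Encryption and Data Purging controls above (not code from the original post, OWASP, or McAfee), the following Python sketch shows an application-layer store that keeps only ciphertext produced by a caller-supplied cipher (assumed to be the platform's crypto API), destroys records classified as sensitive on first use, and sweeps the rest once their classification's retention period has passed.

```python
"""Application-layer cache: values are encrypted by a caller-supplied cipher
before storage, 'sensitive' records are destroyed when consumed, and all other
records are deleted once their retention period expires (illustrative code)."""
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Retention period in seconds per classification; None = purge on first use.
RETENTION: Dict[str, Optional[int]] = {
    "public": 30 * 24 * 3600,
    "internal": 7 * 24 * 3600,
    "sensitive": None,
}

@dataclass
class Record:
    classification: str
    ciphertext: bytes
    stored_at: float

class LocalStore:
    # encrypt/decrypt are bytes -> bytes callables supplied by the app (assumed
    # to wrap the platform's cipher); clock is injectable for testing.
    def __init__(self, encrypt, decrypt, clock=time.time):
        self._encrypt, self._decrypt, self._clock = encrypt, decrypt, clock
        self._records: Dict[str, Record] = {}

    def put(self, key: str, classification: str, value: bytes) -> None:
        if classification not in RETENTION:
            raise ValueError(f"unknown classification: {classification!r}")
        # Plaintext never reaches the cache; only the encrypted form is kept.
        self._records[key] = Record(classification, self._encrypt(value), self._clock())

    def consume(self, key: str) -> bytes:
        rec = self._records[key]
        value = self._decrypt(rec.ciphertext)
        if RETENTION[rec.classification] is None:
            del self._records[key]  # sensitive data is destroyed once used
        return value

    def purge_expired(self) -> int:
        """Delete every record older than its retention period; return count."""
        now = self._clock()
        expired = [k for k, r in self._records.items()
                   if RETENTION[r.classification] is not None
                   and now - r.stored_at > RETENTION[r.classification]]
        for k in expired:
            del self._records[k]
        return len(expired)

    def stored(self) -> Dict[str, bytes]:
        return {k: r.ciphertext for k, r in self._records.items()}  # audit view
```

A periodic call to `purge_expired()` (for example on app resume) implements the retention rule, while `consume()` implements the destroy-after-use rule for sensitive data.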

The Kill Switch
According to a study by the Department of Health and Human Services, over 116 cases of mobile device loss or theft led to the exposure of at least 500 patient records between September 2009 and May 2011. This is but one case where applications lacked access to the common API that allows data to be deleted or the device to be disabled remotely. OWASP recommends that this API be accessible to all applications that store or process data on the device.

The next installment in this series will discuss the management of user credentials on mobile devices.  Some of the controls will include the use of authorization tokens and the limitations on SMS as a communication channel.  This installment will also cite the common tools used to exploit poorly secured mobile devices.


By: Steven Fox