Mobile devices are the subject of many security discussions, but it's often mobile applications that serve as attack vectors.
Bad data storage practices, malware, sideloading and lack of encryption all contribute
Bad data storage practices
One of the top reasons why mobile application vulnerabilities exist is because inexperienced programmers have bad data storage habits. Databases such as SQLite make it easy to store compact data on a local device, but programmers can still store that data in clear text or in the XML format, which is a readable, plain-text file that makes it easy to gain access to an app's data.
All it takes to access the data stored on an unlocked smartphone running a poorly written app is a simple extraction of the file attached to the mobile application, then a query. This action can tell you anything you want to know about the data stored in that app, which is especially troublesome if the database connects to a back end system. Because of these mobile application vulnerabilities, sensitive data should be encrypted at the device level, and external connections should be encrypted as well.
Android mobile application vulnerabilities have become a problem in part because of Google Play's open format, but also because users can sideload apps, removing any oversight regarding the safety of apps. Google has deployed Google Bouncer in response to malware, but Google Play still isn't fully protected from malware-laden apps. Malicious mobile application developers break up malware into pieces to avoid detection, and developers use the names of popular apps to entice users into downloading the malware.
More on mobile application vulnerabilities
Open Web Application Security Project's top 10 vulnerability list
An expert assesses Web application vulnerabilities
App vulnerability scanners -- the new must-have
There are also inconsistent updates and patches to the Android operating system. You can't count on Android to update itself in a timely manner, because wireless carriers control update schedules on all but Google's Nexus devices. That makes it more difficult for Android devices to stay up-to-date with protection against vulnerabilities.
Anti-malware apps, which can protect against mobile application vulnerabilities, are available in free and paid enterprise-class versions. You should make it a requirement that employees have some sort of anti-malware on their Android devices. Unfortunately, Android anti-malware apps don't get the system-level access they would in Windows, so the sandbox they operate in makes for limited success in malware blocking.
The best thing you can do to protect against Android mobile application vulnerabilities and malware is to educate users about access permissions after installing a mobile application. User approval is required before any app can access other data or apps on an Android device. Just as you train users not to open strange email attachments, they should be equally cautious with requests from apps to access data they shouldn't need access to.
Mobile application vulnerabilities are not limited to Android apps. A mobile application called Path, for example, offered a new way to socialize with friends and was hailed for its great user interface. Then someone sniffing the network activity of the app revealed that Path uploaded entire contact lists to its servers. It did not ask permission to do so in the iOS version of the app. Path had to apologize for unauthorized storage of users' personal data.
Many users are unaware of how valuable their contact data is, and applications' terms and conditions often hide the truth about personal data access. What Path did was an example of overzealous developers trying to provide a better user experience, but a less ethical app developer could use the same contacts data for spam, marketing or even malicious attacks.
Lack of encryption
Applications that don't use encryption can cause problems as well. LinkedIn's mobile application, for example, transferred local calendar data to LinkedIn servers when the site rolled out a new calendar integration feature. All of that data was transferred in clear text over the network and via the Internet, so it was open to anyone looking for the data. A similar incident also happened with contact data in LinkedIn's mobile application.
The hope is that mobile application developers will use common encryption frameworks to protect users' data, but nothing is guaranteed. And it is almost impossible to find out those details without transparency from the app developer or a full analysis of the app.
Data leaks from syncing
In applications where users sync data to the cloud, data leaks are the concern. Dropbox suffered a password breach that exposed many user accounts to a hacker. Luckily, it only resulted in those users receiving some spam. But other applications take advantage of Dropbox application programming interfaces to sync data between devices and even other services. A user could expose data to a security issue on Dropbox without being fully aware. You can't control a vendor's protection mechanisms, even if the company's published security policies comply with best practices. In the event of a security breach or a password issue, these services rely on verification through email. A reset link to a webmail account such as Gmail or Hotmail is hardly secure in most enterprise environments, and when they get hacked, the security of the synced data is compromised.
Ensure users don't have the same password for every app or service. Make sure they follow the one site, one password rule to limit mobile application vulnerabilities. If possible, discourage users from storing sensitive work data in these cloud services that IT does not control. Roll out an enterprise-ready system complete with local controls.
This was first published in November 2012