Software Security goes Mobile presented at OWASP AppSecAsiaPac 2012

by Jacob West

Tags: Security

Summary: In the past decade, mobile devices have led one of the most rapid and widespread technology shifts since the advent of the computer. Studies show that users rely heavily on their mobile devices for a variety of tasks, ranging from shopping to scheduling doctors' appointments, that would previously have taken them to a laptop or desktop. In the near future, smartphone sales will surpass both feature phone sales in North America and PC sales worldwide. With less than ten percent of the world's population left uncovered by cellular signals, the rate of adoption shows no sign of slowing.

As society's reliance on mobile devices grows, so too does the risk posed by vulnerabilities in the software that drives them. In this talk we scrutinize the challenges involved in building secure mobile applications. Throughout, we call attention to differences and similarities between traditional software security assurance initiatives and those focused on mobile. We discuss how frequent reliance on outsourcing complicates security efforts, and how the diversification of parties with an interest in mobile security makes assigning accountability for risks tenuous.

Despite lifecycle differences, many mobile applications are simply new clients backed by existing web applications or services, and are therefore subject to the same threats they've always faced. We review old threats in the new mobile context and go on to discuss threats unique to the mobile landscape, including: attacks against client-side data persistence, MMS, or GPS; malicious inter-application communication; and problems with new security features, such as confusing permission models. We conclude the talk with a frank assessment of what software development organizations can do to take control and avoid being the weakest link in the chain of mobile security.