Mobile app development is on the rise. Mobile applications, often referred to as apps, provide much-needed convenience and functionality for today’s workforce. Developers across every industry vertical have created mobile applications for various uses and business requirements, which is contributing to the proliferation of modern mobile devices.
However, the ease with which these applications are developed can potentially open attack vectors for cybercriminals. Nearly every banking institution has developed apps for customers to have access to account balances, pay bills, transfer funds, and locate banking centers. Banks, however, are no longer the only organizations developing apps containing personal information.
We have seen an increase in mobile app development within the healthcare, insurance, and retail industries as well. As the need for mobile applications continues to rise, it is imperative these applications are reviewed both internally and by a proven third-party vendor to ensure mobile worms, malware, and other potential vulnerabilities are removed prior to becoming publicly accessible.
As the volume of applications continues to rise, it will prove difficult to maintain high confidence that the mobile vendors alone can ensure the integrity of the applications they make available. The validation and approval process for mobile applications varies by vendor. The following table provides a brief description of the policies of some of the more popular vendors.

| Vendor | Application Store | Application Development Policy |
|---|---|---|
| Apple | App Store | Apple requires developers to enroll in the iPhone Developer Program. Every application submitted to the App Store is evaluated by at least two reviewers for bugs, instabilities, unauthorized content, and other violations. |
| Google | Android Marketplace | No requirements exist for publishing applications in the Android Marketplace. Once developers register, they have complete control over when and how they make their applications available to users. |
| Microsoft | Windows Marketplace for Mobile | Developers must register with Windows Marketplace for Mobile. All applications sold on Windows Marketplace for Mobile must meet technical standards, be code signed, and pass policy checking and geographic market validation before they can be certified. |
| RIM | Blackberry App World | Developers must create a vendor account to submit applications to the Blackberry App World. RIM reviews all submitted applications for content suitability and performs technical testing to ensure applications abide by the Blackberry App World Vendor Guidelines. |
| Symbian | Horizon | Symbian Horizon is a publishing program and directory of Symbian Signed applications. To publish applications here, developers must obtain a Publisher ID and run the full Symbian Signed Test Criteria on applications before they can be made publicly available. |

These vendor requirements alone are not enough to ensure the appropriate protection of personal or commercial data within an application. SMS, MMS, Bluetooth, and the synchronization between computers and mobile devices are all examples of potential attack vectors that extend the reach of malicious activity. Modern mobile device operating systems carry inherent vulnerabilities similar to those of PCs, which may provide additional exploitation opportunities.
Proper risk evaluation in a mature software security process should include the following security testing at the latter stages of development, QA, and Production:
At Praetorian Secure, we support the secure code development process for all applications (mobile or otherwise) and ensure our clients are made fully aware of all potential threats encountered during the development process. With the use of sophisticated code inspection tools and our extensive experience, we can ensure that the mobile applications being developed for business efficiency also maintain the confidentiality, integrity, and availability they were intended to provide.