CYBR 650 Week 5
Mobile App Back Ends and Security
Millions of sensitive records exposed by mobile apps leaking back-end credentials (Constantin, L., ComputerWorld, 2015)
The move of medical apps to mobile platforms introduces the challenge of malicious attackers exploiting vulnerabilities in an insecure mobile app back end. Protecting the code of the mobile app itself, no doubt, poses no serious challenge to the information security profession, but providing the same security in back-end app code has not been as successful. This security failure has resulted in mobile app compromises through “easy-to-fix server security failures” (Zumerle, D., O’Neil, M., & Wong, J., 2016).
In a study of apps using BaaS (Backend-as-a-Service), researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, observed that apps built on cloud service providers like CloudMine, Amazon Web Services or Facebook Parse included their primary BaaS access keys for those services inside the apps themselves. This poses a security challenge because mobile apps can be “reverse-engineered to extract such credentials and access their back-ends”, which house millions of records in the database server (Constantin, L., ComputerWorld, 2015). Another interesting challenge for back-end security is the involvement of mobile apps in “API-based (Application Programming Interface-based) interactions and back end systems and third parties” (Zumerle, D., O’Neil, M., & Wong, J., 2016). This interrelationship makes it even harder to identify and eliminate vulnerabilities.
How can the challenges of back-end security for mobile apps be addressed?
§ Integrate security into the SDL threat model before, during, or even after the app has been developed.
§ Conduct penetration testing (app security testing) to expose weaknesses in the app.
§ Deploy threat detection tools and enable encryption, integrity protection and authentication.
§ For back-end APIs, use least privilege to lock down mobile apps.
§ Use security checklists and guidelines to ensure compliance with standards and best practices.
§ Implement effective controls for application-level and network anomalies. For internet-facing or consumer-facing web and other applications, establish user-level and behavior anomaly detection controls (Zumerle, D., O’Neil, M., & Wong, J., 2016).
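One concrete pre-release check for the embedded-credential problem described in the Darmstadt study above, and for the penetration-testing and checklist items in the list: an added Python example (not code from the cited articles or from any of the named providers) that parses an unpacked Android strings.xml and flags resource values that look like BaaS credentials, using credential-like resource names, the fixed AKIA prefix format of AWS access key IDs, and Shannon entropy. The XML sample, resource names and key values are constructed and fake (the AWS values are the placeholders from AWS documentation).

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android res/values/strings.xml as found after unpacking an app
# bundle. Every value is fake and only formatted to resemble a real key.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">HealthTracker</string>
    <string name="cloud_endpoint">https://api.example-baas.invalid/v1</string>
    <string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_access_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="parse_master_key">9f8e7d6c5b4a39281706f5e4d3c2b1a0</string>
    <string name="welcome_message">Welcome back! Your records are synced.</string>
</resources>"""

# Resource names that commonly hold credentials, and the fixed format of an AWS access key ID.
SECRET_NAME_HINT = re.compile(r"(secret|master|private|api[_-]?key|access[_-]?key|token)", re.I)
AWS_ACCESS_KEY_ID = re.compile(r"^AKIA[0-9A-Z]{16}$")


def shannon_entropy(value):
    """Bits per character: random keys score high, prose and URLs score low."""
    if not value:
        return 0.0
    length = len(value)
    return -sum(value.count(c) / length * math.log2(value.count(c) / length) for c in set(value))


def parse_string_resources(xml_text):
    """Map each <string name=...> resource to its text value."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "").strip() for el in root.iter("string")}


def scan_resources(resources, min_len=20, entropy_threshold=3.5):
    """Return [(name, [reasons])] for values that look like embedded back-end credentials."""
    findings = []
    for name, value in resources.items():
        reasons = []
        if AWS_ACCESS_KEY_ID.match(value):
            reasons.append("aws-access-key-id-format")
        if (SECRET_NAME_HINT.search(name) and len(value) >= min_len
                and shannon_entropy(value) >= entropy_threshold):
            reasons.append("credential-like-name-with-high-entropy-value")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Running `scan_resources(parse_string_resources(SAMPLE_STRINGS_XML))` flags the three key-bearing resources and leaves the app name, endpoint URL and welcome text alone; in practice the same scan is run over every string table and config file in the unpacked build before release.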
Secure coding for back-end apps does not guarantee security if IT administrators, staff and the security team do not implement good security basics. In research conducted by Appthority, a mobile security company, it was discovered that more than a thousand apps exposed data because of a lack of security controls on the back-end servers, which housed 43 TB of user data along with the analytic tools used to mine and analyze the collected data. What was the security gap? The servers had no firewalls, did not require authentication, and were at risk of public access via the internet. The critical resources in question included “PII (personally identifiable information), passwords, location, travel and payment details, corporate profile data (emails and phone numbers), and retail customer data” (Rashid, F. CSO, 2017). There had been multiple cases of unauthorized access, phishing, and ransomware.
References
Constantin, L. Millions of sensitive records exposed by mobile apps leaking back-end credentials. ComputerWorld. (2015-16-11). Retrieved (2017-8-7) from http://www.computerworld.com/article/3005462/security/millions-of-sensitive-records-exposed-by-mobile-apps-leaking-back-end-credentials.html
Zumerle, D., O’Neil, M., & Wong, J. Securing Mobile App. Gartner. (2016-15-11). Retrieved (2017-8-7) from https://www.gartner.com/document/3514417?ref=solrAll&refval=187158430&qid=e6adf5f8c66bfd21cf321d9b9eaf6417
Rashid, F. Mobile app developers: Make sure your back end is covered. CSO. (2017-12-6). Retrieved (2017-8-7) from http://www.csoonline.com/article/3200367/application-security/mobile-app-developers-make-sure-your-back-end-is-covered.html