Dark heart of app development

Application security requires confronting the fact that apps are primarily mobile ?and the trend is strengthening.

Read time 4min 00sec

The first Industry Insight in this series argued that apps were the primary engine of the Internet economy, which is becoming more and more a mobile Internet economy.

All of this is making it harder to protect corporate data, and subsequent Industry Insights have explored some of the angles the CIO and his or her security team need to cover. One was the vulnerability created by our reliance on application program interfaces to enable what some are calling the "app economy".

This time around, I want to delve a little deeper into the security challenges raised by mobile apps.

The origin of the app, as opposed to the more staid application, lies in the mobile world. Apps were conceived as ways to get a business process or set of business processes done in the easiest possible way, taking into account the limited screen space, memory and processing power of the average smartphone. By far the majority of app development remains for the mobile user.

This isn't surprising because the mobile channel offers a new way to reach customers and business partners, and is uniquely the platform where big data meets social business; for example, a bank can use location services to "see" its customer walking up and down the aisle in which a retailer's laptops are displayed, and target him or her with a finance and insurance deal for electronics. Every business wants to, and must, learn how to play in this space, and apps are what make everything possible.

Apps are also critical in emerging markets like South Africa and the rest of Africa because the majority of users will only ever use the mobile channel to link into the digital economy. That's why these markets incubate new business models more and more frequently.

From the user point of view, it is clearly time to become a much more discerning consumer of apps.

One of the biggest areas of innovation in the mobile space is in the area of payments, where unbanked or barely banked people are ready users of solutions that allow them to move money back to rural homes or to make payments cheaply and easily ? using their mobile phones.

Honey attracts flies, not just bees...

Do I even need to say it? The potential for accessing other peoples' money lures many things out of the woodwork. Mobile apps are consequently a favourite target. There are three main ways in which hackers target mobile apps:

* Spoofing: This is when a hacker's app is designed to look like a genuine app. Sometimes these are spread via e-mail ("Download the new version of X Bank's app") or simply by putting it into an app store. The truth is that so many new apps are being loaded up into the popular app stores that it is not always possible for the store to verify each one's legitimacy.

* Information disclosure: A legitimate app downloaded from a reputable app store might just be very insecure in the way it is designed. It's relatively easy for a hacker or malicious app to break into the insecure app, effectively creating a backdoor into the mobile device, and thus those systems it can access ? the corporate system or the user's bank account.

* Weak trust model: The previous point shows the importance of developing apps with security in mind, as does this related issue. Here a legitimate app is able to gain access to more of the files stored on the device than it needs to fulfil its purpose ? thus any malicious app that hijacks it will be able to access everything on the mobile device, potentially.

The overwhelming conclusion here is that the development community needs to focus on integrating security into the way it develops apps, which is what I argued in my first Industry Insight in this series, Instant 'appification'.

From the user point of view, it is clearly also time to become a much more discerning consumer of apps. One way would be to phone into the company's call centre to verify the apps' authenticity.

And maybe there will need to be some of sort of verification that a trusted third party could confer on apps ? rather like the SABS logo works in other industries. Now there's a business opportunity for someone.

Next time, let's take a look at how to integrate security into the app development process.

Godfrey Kutumela
leader of the cyber crime and security division at IndigoCube.

Godfrey Kutumela has over 16 years’ experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBM’s application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC) 2 Gauteng Chapter since May 2015.

Have your say