Sunday, 12 June 2016

Mobile app security checking in two parts with a lyrical afterword (Part II)

Part two: Attack Surface

So, we finally have a list of possible security issues.

What should we do next?


Definitely, we need someone who would examine this list:
  • To separate real issues from false positives;
    Remark: What can be a false positive in our case? For example, "Ignore SSL Certificate Error". It does not matter if the issue is found in, let’s say, a graphics editor, but it does matter if it’s listed for a banking client app.
  • To perform the necessary tests which cannot be done automatically (see part one);
  • To localize vulnerabilities (it could be that the trouble is in a third-party component);
  • To determine the vectors of the most probable attacks (see the Lyrical Afterword (it’s coming soon));
  • To compose a plan (recommendations) on how to improve the security of the analyzed app.
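The review steps above can be made concrete with a small triage script. The following Python is an added example, not code from the original post or from any scanner: it takes a constructed findings list (rule names, file paths and the third-party directory prefixes are all hypothetical sample values), rates each finding differently depending on whether the app handles sensitive data, flags findings that sit in third-party components, marks the ones that still need a manual test, and turns the result into a recommendation plan. The same "Ignore SSL Certificate Error" finding comes out as a false positive for an editor-type app and as a top-priority issue for a banking client.

```python
"""Context-aware triage of automated scanner findings (added example)."""
from dataclasses import dataclass

# Constructed sample findings, shaped like a generic scanner's output.
# Rule names, paths and the library name "ExampleNetLib" are hypothetical.
FINDINGS = [
    {"rule": "Ignore SSL Certificate Error", "path": "Pods/ExampleNetLib/SecurityPolicy.m"},
    {"rule": "Ignore SSL Certificate Error", "path": "App/Network/ApiClient.m"},
    {"rule": "Insecure Logging", "path": "App/Login/LoginViewController.m"},
    {"rule": "Hardcoded Credentials", "path": "App/Config/Secrets.m"},
    {"rule": "Jailbreak Detection Missing", "path": ""},  # app-wide, no location
]

# Assumed layout of third-party code (CocoaPods / Carthage style); hypothetical.
THIRD_PARTY_PREFIXES = ("Pods/", "Carthage/", "Vendor/")

# How much a rule matters depends on what the app handles.
# Severity scale: 0 = false positive in this context, 1 = low, 2 = medium, 3 = high.
BASE_SEVERITY = {
    "Ignore SSL Certificate Error": {"sensitive": 3, "non_sensitive": 0},
    "Insecure Logging": {"sensitive": 2, "non_sensitive": 1},
    "Hardcoded Credentials": {"sensitive": 3, "non_sensitive": 2},
    "Jailbreak Detection Missing": {"sensitive": 1, "non_sensitive": 0},
}

# Rules whose result a tool cannot confirm on its own; a person has to test them.
MANUAL_ONLY = {"Jailbreak Detection Missing"}


@dataclass
class TriagedFinding:
    rule: str
    path: str
    severity: int
    third_party: bool
    needs_manual_check: bool

    def is_false_positive(self) -> bool:
        return self.severity == 0


def is_third_party(path: str) -> bool:
    """Localization step: does the finding live in a third-party component?"""
    return path.startswith(THIRD_PARTY_PREFIXES)


def triage(findings, handles_sensitive_data: bool):
    """Rate every finding for the given app profile and order by priority."""
    profile = "sensitive" if handles_sensitive_data else "non_sensitive"
    result = []
    for f in findings:
        # An unknown rule defaults to low severity so a reviewer still sees it.
        sev = BASE_SEVERITY.get(f["rule"], {}).get(profile, 1)
        result.append(TriagedFinding(
            rule=f["rule"],
            path=f["path"],
            severity=sev,
            third_party=is_third_party(f["path"]),
            needs_manual_check=f["rule"] in MANUAL_ONLY or not f["path"],
        ))
    # Highest severity first; among equals, in-house code before third-party code.
    result.sort(key=lambda t: (-t.severity, t.third_party, t.path))
    return result


def plan(triaged):
    """Turn the triaged list into recommendation lines (the 'compose a plan' step)."""
    lines = []
    for t in triaged:
        if t.is_false_positive():
            continue  # not worth a recommendation for this kind of app
        if t.third_party:
            where = f"in third-party component {t.path.split('/')[1]}"
        elif t.path:
            where = f"in {t.path}"
        else:
            where = "(no single location)"
        action = "confirm manually" if t.needs_manual_check else "fix"
        lines.append(f"[sev {t.severity}] {t.rule} {where}: {action}")
    return lines


if __name__ == "__main__":
    for label, sensitive in (("banking client", True), ("graphics editor", False)):
        print(f"--- {label} ---")
        for line in plan(triage(FINDINGS, handles_sensitive_data=sensitive)):
            print(line)
```

Running it prints two plans: for the banking client every finding survives and the two SSL findings sit at the top, the one in the app's own code ahead of the one in the pod; for the graphics editor the SSL and jailbreak findings drop out as false positives and only the hardcoded credentials and the logging issue remain.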


Who can do it? What is the first thing that comes to your mind? The developers or QA guys who have been working on this app? Sure, that’s logical. It seems that they know the app best, doesn’t it? Unfortunately, they are not good at this type of task. Why?

There is a vulnerability in your app.
Agh.... that’s true. But it’s not in our app, it’s in a lib which we use in our app...



You may check this dramatic story about the AFNetworking library.


Sometimes developers cannot even imagine that some things can be used maliciously (there is an example of such a story).


Software devs are good at creating apps, QA folks are good at testing apps. The people we want are specialists from the information security field. They have an unusual vision of how an innocent (at first glance) app can be used in malicious ways. It is exactly what is needed. You may read this sad post with juicy details.


IT security guys are hackers, but they are on our side of the barricades. They have specific knowledge and a specific mindset, which allows them to determine the most probable and profitable ways of intrusion (the attack surface), and they know how to improve app security. They work in IT security day by day and are very familiar with current security trends (you cannot expect that from devs, since they need to think of security twice a year).


Large companies or companies offering IT security services can afford a full-time security specialist or even a team of security specialists. In general, there is no need to have a security guy on your staff, since IT security expertise or advice is needed from time to time (for example, prior to a new app release or a new release of an existing app). An analogy with physicians works well here. It’s good to be informed regarding your health and follow medical recommendations. Should you live in a hospital for it? When you need it, you consult a specialist and follow his/her recommendations.

It is very common to drop the security part during the first stages of development. Neglecting security in general may cost a lot.


(The lyrical afterword is coming soon)


15 comments:

  1. I truly appreciate this post. I’ve been looking all over for this! Thank goodness I found it on Bing. You have made my day! Thanks again! Keep update more excellent posts..
    Digital marketing company in Chennai

  2. Truly a very good article on how to handle the future technology. After reading your post, thanks for taking the time to discuss this, I feel happy about and I love learning more about this topic.
    SEO Company in Chennai

  3. That is very interesting; you are a very skilled blogger. I have shared your website in my social networks!
    SAP Training in Chennai

  4. I truly appreciate this post. I’ve been looking all over for this! Thank goodness I found it on Bing. You have made my day! Thanks again! Keep update more excellent posts..
    Corporate Training in Chennai

  5. Really nice and definitely it will be useful for many people. Kindly keep update like this.
    Email Marketing Chennai

  6. Great information shared in this blog. Helps in gaining concepts about new information and concepts. Awesome information provided. Very useful for the beginners.
    SEO company in Chennai

  7. The game controls are shown just under. Movement mechanisms primarily include acceleration and tilting controls.
    five nights at freddy's 2 | five nights at freddy's 4 |
    fireboy and watergirl 2 | 2048 game | red ball 5 | age of war

  8. wow amazing post. The key points you mentioned here related to maintenance of car is really awesome. Checking all fluid levels, changing oil and of course the regular service of the car which is necessary to maintain our vehicle. Thank you for the information.
    bike spa services in mumbai

  9. Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write.
    Thanks for sharing!
    five night at freddys 2 | five night at freddys 4 |
    2048 game online | fireboy and watergirl | tanki online 3

  10. This blog explains the details about what happened after the expressions. This gives the details of the thinking next what to do. All that are discussed and provide a grateful talk.
    Back to original

  11. Very informative article with huge information; our heartfelt thanks to the trainer who has shared this article regarding these trainings.
    SAP QM Training in Chennai
    SAP SCM Training in Chennai