LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

September 03, 2008

Top 5 iPhone Application Security Risks

By Dan Cornell

Img_2084

[See this post on Smart Phones Dumb Apps for updated iPhone and Android security information along with presentation slides and sample code.]

Everyebody (myself included) is all excited about the iPhone.  ActiveSync connectivity to Exchange makes it a viable option for Enterprise users and the AppStore opens up all sorts of possibilities to extend the device's capabilities.  However, organizations looking to deploye iPhone apps should take a few things into consideration:

  1. The iPhone is a new device that will host sensitive information.  iPhones can be lost and stolen.  How much of your data is going to be sitting unencrypted on the device when that happens?  It is true that the iPhone SDK has a number of built-in cryptographic routines and that is great.  However when we've looked at the use of crypto in other mobile environments (commercial applications for Windows Mobile in particular) we have found that things like key storage and proper use of algorithms are sorely lacking.  I don't expect this will change for iPhone developers who are not specifically looking into security.  A recently-discovered bug allows attackers to bypass the phone keypad lock and view sensitve information like web history and contacts.  Expect more issues like this to surface and be careful what you store on your iPhones.
  2. This is a new platform and is not terribly open - many risks are still unknown.  We've posted here before about Apple's application kill switch. What else is going on under the hood?  What data is Apple slurping off iPhone devices and sending back for their analysis?  The Independent Security Evaluators folks made an excellent observation that the security features associated with iPhone applications are more geared toward protecting Apple's revenue model rather than protecting developers and users of applications.  The iPhone is a classic example of technology being deployed first and then secured later.
  3. The application development environment is C/C++/Objective-C based which re-opens the danger of buffer overflows.  At least J2ME and mobile .NET environments try to provide some protections against this traditional software security bugbear.  The iPhone development environment is a big step back if you want to avoid remote code execution flaws.  And everyone wants to avoid remote code execution flaws, right?  Issues with Apple's own Safari browser have already been documented and if organizations are developing their own applications they should expect more of the same.
  4. Applications are often a combination of native applications and web applications, opening the possibility of Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF).  One iPhone developer I talked to said that the only way they were able to have their application ready by the iPhone 2.0 launch date was to use web controls and re-purpose a lot of web-based code they had running a similar application and incorporate it into their app with embedded web controls.  Being able to re-use existing functionality is great for productivity, but creating hybrid web/native applications re-opens the possibility for web-only attacks like XSS and CSRF.  Combine that with buffer overflows and you have the worst of both worlds.
  5. The attack surface of the device is variable.  Between WiFi, bluetooth, 3G, and Edge wireless how do you know what can find your device at any given time?  With the built-in GPS and location services who knows who your device is telling about your location at any given time?  The iPhone is a very cool device because you can do a lot of stuff with it.  Security-minded organizations are going to ask what they should be doing with it.

iPhones are certainly cool and with new features like ActiveSync integration for Exchange they are going to increasingly penetrate enterprise environments.  However it is important that organizations understand the security risks associated with rolling out iPhones and running custom iPhone applications.

So what can be done?

  1. Think about the information you are going to deploy to your iPhone devices and use the available cryptographic routines to protect data while it is at rest on the device.
  2. This one you mostly just have to live with for a while unless Apple decides to open up or until the platform has been through more testing.  The important thing is to make decisions with eyes open and understand the risks.
  3. Train your developers in secure coding techniques to avoid buffer overflows and other issues plaguing C-based applications and use well-tested libraries to help reduce the risk of buffer overflows in your application code.
  4. Use threat modeling to know what data sources your application is using.  Train your developers to properly validate incoming inputs and to escape application outputs.
  5. Have users turn off features they don't need.  Not using WiFi?  Turn it off.  Not using bluetooth?  Turn it off too.  Entice your users to do this with promises of extended battery life.

I love my new iPhone, but I don't harbor many illusions about the risks it poses.

Contact us to talk about building security in to your iPhone applications.

--Dan
@danielcornell
dan _at_ denimgroup.com

September 03, 2008 in Dan Cornell, Denim Group, Information Security, iPhone, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 12, 2008

Apple Can Disable iPhone Apps Remotely?

By Dan Cornell

Peoplewithbeluga

I saw an article on Engadget indicating that Apple may have the ability to remotely disable iPhone applications.  I saw a similar article on MacRumors a couple of days ago.

We have done some development for mobile devices in the past - specifically with Windows Mobile.  One of the big issues we saw with organizations trying to deploy Windows Mobile applications is that they were caught in a "dead zone" between the software platform provider (Microsoft), the device maker (Samsung, HTC, etc) and the network provider (T-Mobile, AT&T, etc).  Whenever anything went wrong everyone could just point at other providers in the chain and act like nothing was their fault.

One of the interesting things about Apple iPhone is that these three components are all provided the same way for everyone (in the US at least).  Apple provides the software and hardware, and AT&T provides the network.  That is good for application developers because it makes it more reasonable to expect that your applications are going to work the same wherever you deploy them.  Same hardware.  Same software platform.  Same network.

However another issue we had developing enterprise Windows Mobile applications was that the enterprise management tools were still developing - it was tricky to automatically provision and de-provision devices, applications, settings, etc.  It looks like iPhone applications can be automatically de-provisioned - the only problem is that Apple is the organization pulling the strings rather than an enterprise's IT department.

To paraphrase and somewhat mangle the words of Bruce Schneier: "When people say 'security' what they really mean is 'control.'"

Contact us for more information about building security in to your iPhone applications.

--Dan
@danielcornell
dan _at_ denimgroup.com

August 12, 2008 in Dan Cornell, Denim Group, Information Security, iPhone, Microsoft, Pro Services Life, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 05, 2008

Denim Group Mentioned in an Article About iPhone Adoption

By Dan Cornell

Alan Weinkrantz gave us a mention in his most recent article in the Express News.

--Dan
dan _at_ denimgroup.com

August 05, 2008 in Dan Cornell, Denim Group, iPhone, Pro Services Life, Web/Tech | | Comments (0) | TrackBack (0)