Hard-fought security lessons learned in the past decade of building websites are being forgotten as developers rush to create apps for smartphones. That was the warning Martin Ruks, technical director of MWR InfoSecurity, gave at Information Age’s recent Enterprise Security 2012 event.
Ruks focused on Android, Google’s mobile operating system, and revealed how many of the same vulnerabilities that have afflicted web applications for a decade now are beginning to crop up in Android applications.
“Web applications have long been plagued by SQL injection vulnerabilities, but we’re actually starting to address them now,” Ruks said. “There’s a lot of really good developers who understand how to mitigate SQL injection, and it’s starting to disappear as a vulnerability from the better web applications.
“But SQL injections are right at the top of the Android vulnerability list because the developers don’t understand them and they’re not being given any tools to protect against them.
“I can guarantee that if you’ve got an Android application which uses an SQL database, then some form of SQL injection is possible,” he said. “That includes the applications that the handset vendors are supplying.
“It’s an illustration of how the lessons we’ve spent the last 10 years learning are being rapidly thrown away by people diving into development on this platform without understanding the security implications.”
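The pattern Ruks warns about, shown as an added illustration that is not from the article or from MWR: an Android query built by string concatenation beside the same query written with the platform's own parameter binding. The table name `notes` and its columns `id`, `owner` and `body` are assumed for the example.

```java
// Added example, not code from the article or from MWR InfoSecurity.
// Assumed schema: table "notes" with columns "id", "owner" and "body".
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public final class NotesDao {

    // VULNERABLE: the untrusted value becomes part of the SQL text.
    // A single quote inside "owner" ends the string literal early and
    // whatever follows is parsed as SQL rather than treated as data.
    static Cursor notesForOwnerUnsafe(SQLiteDatabase db, String owner) {
        String sql = "SELECT id, body FROM notes WHERE owner = '" + owner + "'";
        return db.rawQuery(sql, null);
    }

    // HARDENED: a '?' placeholder plus selectionArgs binds the value as a
    // parameter, so SQLite never parses it as SQL whatever it contains.
    static Cursor notesForOwner(SQLiteDatabase db, String owner) {
        return db.rawQuery("SELECT id, body FROM notes WHERE owner = ?",
                           new String[] { owner });
    }

    // The same hardened query through the structured query() helper, which
    // keeps hand-written SQL out of the code path entirely.
    static Cursor notesForOwnerStructured(SQLiteDatabase db, String owner) {
        return db.query("notes",
                        new String[] { "id", "body" },
                        "owner = ?",
                        new String[] { owner },
                        null, null, "id ASC");
    }
}
```

A code review or static check that flags any `rawQuery`/`execSQL` call whose SQL string is assembled with `+` catches the first form before it ships.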
And it’s not just the Android operating system itself that has problems. Tools designed to make smartphones secure enough for businesses to use have also been shown to be insecure.
Ruks gives the example of a well-known mobile device management application that MWR found to be insecure. “[The software] is supposed to provide you with secure access to sensitive documents. It uses encryption and a sandbox that is supposed to keep all your data safe,” Ruks said. “It opens a file, does some translation, decrypts it using a key and stores an unencrypted copy on the phone.
“The problem is that it was actually providing that unencrypted copy remotely to any other applications, so any other applications on the phone can also see that attachment. That’s not a good sandbox.”
Ruks says he informed the provider of this flaw, but the company in question did nothing. Several weeks later, while carrying out vulnerability tests for one of its customers that used the software, MWR found the same problems. This time, the customer alerted the vendor. “Guess what?” Ruks said. “Fixed within a couple of days.”
“To summarise all the mobile device management vendors at the moment, I’ll quote our head of research. He says: ‘The talent within the marketing departments of the MDM vendors far outweighs the talent of the security and development teams.’”