Secure Mobile Coding? Yeah Right.

With all the collective knowledge around web security, it’s a bit puzzling why mobile security is so far behind. Well, it might be puzzling to some, but not to DarkReading.com. Here’s writer Ericka Chickowski on why secure coding practices are thrown out the window when it comes to mobile apps.

Particularly scary to many security professionals is the fact that the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps.

“Rapid and Agile Development causes changes to happen in very short iterations, thus security gets overlooked and becomes a nice thing to do but rarely gets done. This happens at large corporations — look at Google Wallet and, even worse, startups,” says Tyler Rorabaugh, director of engineering at application security firm Cenzic. “When TechCrunch announces the hottest new startup of the day, week, month, almost every single one of those companies lacks the secure coding practices and are rarely even concerned until something goes wrong. Most of the time they are not even aware of these issues.”

According to Rorabaugh, big mobile platform vendors like Apple and Google have only just now started to think about secure mobile coding and “have mainly been interested more in looking the other way.”

Read the rest >>>

Don’t Skip Security Testing – You’re Being Watched!

This combines two of our favorite things here at MobileAppTesting.com – mobile apps AND security testing (or rather, proof of the lack thereof). From TechCrunch:

Lookout, a company that offers security services for a number of smartphone platforms, is debuting a new Android app that lets you see mobile threats as they are detected around the world. Launched from Lookout Labs, the new app basically visualizes what’s happening in the mobile landscape and also shares details on top weekly threats & distribution of malware vs. spyware. …

Lookout collects data from its Mobile Threat Network, a cloud-based network which constantly analyzes global threat data to identify and quickly block new threats with over-the-air app updates. The network includes more than one million apps and 15 million user devices worldwide.

With the Lookout Mobile Threat Tracker, you can now see the thousands of threats that Lookout identifies and catches every day via the network. Within the Mobile Threat Tracker you can quickly see the top three trending threats. For example, if you tap on the name in the app, you can learn more about each threat. …

Read more…

Dr. Smartphone – Health Apps On The Rise

You’ve heard of eComm, now get ready for mHealth – mobile health. Apps geared toward helping people monitor and manage their health are expected to grow from $230 million in revenue in 2010 to $392 million by 2015, according to research by Frost & Sullivan. InformationWeek has the scoop:

Among those projected to download and use mobile health apps more frequently over the next few years are older Americans and their caregivers and patients with chronic conditions. The study notes that as the healthcare industry seeks to reduce costs, mobile health apps will become more prevalent. The aim of these tools is to better monitor patients’ health and prevent costly events such as hospital readmissions.

Furthermore, in a consumer-driven patient-centered healthcare model, patients are encouraged to play a greater role in tracking their health through mobile health apps that monitor vital information such as medication adherence, blood pressure, and glucose readings.

Read more…

How Secure is Secure Enough?

Google Wallet encrypts credit card numbers but, according to analysts at viaForensics, not other personal data tied to those cards. Here’s what Out-Law.com has to say:

In its report, the digital forensics company said that Google Wallet only encrypts a user’s credit card number itself – leaving data including the cardholder’s name, transaction dates, the last four digits of credit card numbers, email address and account balances unprotected by encryption.

“While Google Wallet does a decent job securing your full credit card numbers… the amount of data that Google Wallet stores unencrypted on the device is significant. Many consumers would not find it acceptable if people knew their credit balance or limits,” the report said.

Google’s response (as far as I can tell from the article) was that the analysis by viaForensics was done on a rooted phone, not something your everyday user has.

Read more…
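The design point in the report above is worth seeing in code: encrypting one field and writing the rest of the record in the clear leaves everything except that field readable to anyone who can get at the device’s storage. The following is an added example written for this post; it is not Google Wallet’s code and not from viaForensics. It is in Go because the standard library provides AES-GCM with no extra dependencies; an Android app would do the same thing in Java or Kotlin with a key held in the Android Keystore. The record layout, field names, sample values and the in-memory key are all constructed assumptions. `StorePANOnly` reproduces the criticised pattern, `StoreWholeRecord` encrypts the serialised record as one authenticated unit, and `LeakedFields` shows what a reader of the raw store (for example on a rooted phone) can still recover from each.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// WalletRecord is a constructed stand-in for the per-card data the report
// describes (name, card number, last four, email, balance, last transaction).
// None of the sample values are real.
type WalletRecord struct {
	Cardholder string `json:"cardholder"`
	PAN        string `json:"pan"`
	Last4      string `json:"last4"`
	Email      string `json:"email"`
	Balance    string `json:"balance"`
	LastTxn    string `json:"last_txn"`
}

// sensitiveFields lists every value a reader of the raw store must not see.
func (r WalletRecord) sensitiveFields() map[string]string {
	return map[string]string{
		"cardholder": r.Cardholder, "pan": r.PAN, "last4": r.Last4,
		"email": r.Email, "balance": r.Balance, "last_txn": r.LastTxn,
	}
}

// seal encrypts plaintext with AES-256-GCM and returns base64(nonce||ciphertext||tag).
// The key is assumed to live in hardware-backed storage on a real device; here it is passed in.
func seal(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// unseal reverses seal; any modification of the blob makes gcm.Open fail.
func unseal(key []byte, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// StorePANOnly mirrors the pattern the report criticises: the card number is
// encrypted, every other field is written to the device in the clear.
func StorePANOnly(key []byte, r WalletRecord) (string, error) {
	encPAN, err := seal(key, []byte(r.PAN))
	if err != nil {
		return "", err
	}
	onDisk := r
	onDisk.PAN = encPAN
	b, err := json.Marshal(onDisk)
	return string(b), err
}

// StoreWholeRecord encrypts the serialised record as a single unit, so the raw
// store reveals nothing about the cardholder beyond the blob's length.
func StoreWholeRecord(key []byte, r WalletRecord) (string, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return "", err
	}
	return seal(key, plain)
}

// LoadWholeRecord decrypts and parses a blob written by StoreWholeRecord.
func LoadWholeRecord(key []byte, blob string) (WalletRecord, error) {
	var r WalletRecord
	plain, err := unseal(key, blob)
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(plain, &r)
}

// LeakedFields returns, sorted, the names of sensitive values that can be read
// straight out of a stored blob without the key.
func LeakedFields(blob string, r WalletRecord) []string {
	var leaked []string
	for name, val := range r.sensitiveFields() {
		if strings.Contains(blob, val) {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() {
	key := make([]byte, 32) // constructed: in an app this comes from the keystore
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := WalletRecord{"Alice Example", "4000123456789010", "9010", "alice@example.com", "$250.00", "2011-12-10"}
	panOnly, _ := StorePANOnly(key, rec)
	whole, _ := StoreWholeRecord(key, rec)
	fmt.Println("PAN-only encryption leaks:", LeakedFields(panOnly, rec))
	fmt.Println("whole-record encryption leaks:", LeakedFields(whole, rec))
}
```

Running it prints that the PAN-only store leaks balance, cardholder, email, last4 and last_txn while the whole-record store leaks nothing. The choice of GCM rather than an unauthenticated mode also means a modified blob is rejected on load instead of being silently decrypted into garbage.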

Developers Take a Holiday

Allowing for the difficulty of a given project, you would more or less expect the quality of work done by a professional developer to be consistent – maybe even to improve over the years as they gain more experience. Right? Well, according to a study by application security company Veracode, the quality of work apparently also depends on the time of year. Check out this comment found on Slashdot:

“Data from application testing firm Veracode suggests that the quality of application code submitted for auditing is pretty much constant throughout the year — except for the months of October and November, when the average density of vulnerabilities in the code jumps considerably. But why? Is it the pressure of deadlines? The stress of developers’ lives (kids back to school, etc.)?”

Flaw Density by Month

The study was done by Veracode’s Director of Marketing, Fergal Glynn, who was curious to see if the density of security flaws in the applications they test was affected by yearly events (summer vacation? holiday stress? winter blues?). This is what he found (and how he found it):

Read more…

The Biggest Mobile Security Challenge: Apps!

The brilliant bloggers over at uTest (wink, wink) have posted a great interview with security expert Richard Stiennon. Of the many topics discussed was that of mobile security (or lack thereof). Here’s what Richard had to say regarding the biggest mobile threat.

uTest: You’ve said before that mobile will not require its own anti-virus systems. That said, it seems that mobile threats are multiplying by the hour. In your view, what’s the biggest security challenge in terms of mobile?

RS: Apps, apps, apps. VPNs, firewalls, and carrier filtering are going to impede network-based attacks. Containing and vetting applications is the biggest security challenge for the platform vendors.

Read the entire interview here >>>

Android Malware Got You Down? Here’s a Windows Phone

Nerd wars escalate:

It’s no coincidence that during a week when dozens of malicious Android apps have been pulled from the Android Market, Microsoft is offering five Android malware victims a free Windows Phone 7 phone. The catch? You need to share your rage against Android with the Twitterverse.

Microsoft evangelist Ben Rudolph (@BenThePCGuy) tweeted Monday that he is giving away five Windows Phone 7 devices to those who tweet @BenThePCGuy with the best – and by best, I mean worst – stories of Android malware infection. Include #droidrage in your post.

With around 5 percent of the U.S. mobile market versus Android’s 45 percent market share, Microsoft’s latest antic smacks of David picking at Goliath. They’ve also been giving away WP7 devices throughout the year: this summer WP7 director Brandon Watson famously bet Dilbert creator Scott Adams $1,000 that he’d love WP more than iOS or Android; a month later Watson also offered free Windows Phone development kits and devices to webOS developers. During last month’s BlackBerry outage, Rudolph also gave away 25 Windows Phone devices to disgruntled Bberry users.

Read the rest >>>

SMS Flaws Across The Board

This morning, Mike blogged about a TechCrunch story on the Windows Phone 7.5 security flaw that allows attackers to remotely lock down the SMS Hub. But it turns out Microsoft is not alone: reports of SMS security flaws in both iPhones and Androids also hit the digital news realm this morning. Here’s a breakdown of all three issues:

Sophos’ Naked Security blog details the iPhone issue (and patch):

Apple has released an update to its iPhone operating system to protect against a vulnerability that could potentially allow criminals to hijack users’ phones with malicious intent.

The flaw, which relies upon hackers sending booby-trapped SMS messages to the intended victim, was demonstrated at the BlackHat conference in Las Vegas earlier this week. …

The good news is that it’s not believed that any hackers have yet exploited the vulnerability in a malicious attack. But clearly Apple realised that there was a genuine danger of cybercriminals using the exploit for their own ends.

Read more…

Your App Works, But Is It Secure?

Mobile security has been at the top of everyone’s minds lately. First there were the reports about the glut of faulty antivirus software on Android phones, then there was the (ongoing) Carrier IQ issue. Now, Veracode (full disclosure: Veracode is a uTest partner) has released the fourth volume of its “State of Software Security” report … and it’s not looking great.

According to the report, eight out of 10 applications fail to meet the new security standards. The “new” standards include a zero-tolerance policy for XSS and SQL injection errors. The study looked at both web and mobile apps and included Android apps in this volume. Volume 4 also upped the number of apps tested from 4,835 to 9,910. Here’s an excerpt from Business Computing World:

The latest State of Software Security Report Volume 4 results reveal XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. Eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports.

The latest report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to a cloud-based application security testing platform. The report examines the security quality of applications across a number of variables including supplier type, language and industry.

Read more…