Previously at Appknox we got a chance to interview cybersecurity and Infosec expert Rob Fuller where he laid emphasis on enterprise security as a whole. This time, Felix Matenaar spoke to Appknox and he sheds light on his experience with penetration testing on mobile apps and how much the end consumers need to be aware.
Security should be part of every product's acceptance criteria - Felix Matenaar
Felix is an Infosec expert who worked previously with VeraHQ and BlueBox Security as a Lead Security Engineer and Mobile Security Researcher respectively.
As you might know, Appknox helps businesses detect and resolve security issues using a human plus system approach that ensures we go through all the necessary layers in a mobile app - network, file, memory, etc. We also got some time to discuss that with Felix, and I am sure his inputs will provide value to not just us, but many businesses. Here are a few questions we asked him:
Q. Most businesses today are testing mobile as a platform for growth and retention. Often, the focus is on experience in terms of UI and UX. We’ve seen developers take a lax attitude toward security unless pushed by an Infosec expert from the top. How can developers be made more proactive towards security while they build applications? Do you think this should be a basic sanity check?
I believe that security should be part of every product's acceptance criteria. That is, of course, to first and foremost protect the customer but it may as well be mission critical for the vendor. Breaches happen, and the cost in mitigations, lawsuits or brand popularity is always unpredictable. That said, security requirements vary from product to product. Still, there is a minimal baseline in security that every mobile app should meet. For example, consider Transport Security: I think there is no excuse for any mobile app in the year 2016 to send data over the network without encryption. That's why I like to see policies like "Apple Transport Security." It is a simple set of rules applied by security as default to any application. If required, developers can still work around ATS, but that is a conscious decision for which the vendor then takes responsibility.
Q. There are so many ways to conduct the security assessment of mobile applications. Considering this is a relatively nascent area compared to the web, what methods can enterprises focus on?
Priorities in order:
1. Segregation of Client (Mobile App) and Server (Platform)
2. Transport Security
3. Data at rest protection
Segregation of Client (Mobile App) and Server (Platform)
What almost everyone knows to be a standard in secure web development holds even more for the mobile space.
Confidentiality, authenticity, and integrity of data sent over the network.
Data at rest protection
Even though current mobile operating systems have data at rest protection on a block device level, consider additional authentication in the mobile app depending on the degree of security needed.
Q. It is a proven fact that bigger the brand, more are the chances for hackers to infiltrate. Do consumers need to be aware of the security team and any Infosec expert behind the brand they are so loyal with?
Security is just one of many product properties that a consumer expects to be delivered without explicitly being marketed. The same goes for performance, reliability and many other non-functional requirements. It would be too much to ask the consumer to be aware of the site reliability engineering team that is providing access to the service because we just take it as a given that a vendor is responsible for having his service/product available as promised. The same should hold for security. No shifting of responsibilities to the consumer.
Security is one such property that a consumer always expects to be delivered - Felix Matenaar
Q. What advice would you like to give to enterprises, companies, and developers to keep their mobile applications more secure?
Hire or contract with security experts who can come up with a list of security requirements for given product or service. Particularly for smaller businesses, it is usually not necessary to have a dedicated security expert on each development team. An experienced security engineer should be able to understand mobile as well as platform components and come up with security requirements that a product manager can understand. From then it is mostly an implementation question. While some domains require security expertise like storing passwords or authenticating users, many developers know how to fix vulnerabilities in their development environment. If not, you should invest in secure software development training. Also, I want to mention explicitly that this puts operational security aside because that is a whole different topic.
Q: People might want to reach out, follow you and interact with you. What is the best medium to get in touch with you (email, Twitter, Facebook, LinkedIn, etc.)
People can reach me at email@example.com
Disclaimer : The above answers reflect Cybersecurity and Infosec expert Felix Matenaar’s personal views and opinions and not necessarily align with the views and opinions of any other Cybersecurity or Infosec expert or Felix Matenaar’s colleague(s).