Most security experts might argue that server-side security falls outside of the area of mobile application security threats, but OWASP rates weak server-side controls as the most important mobile security threat. Till last year, it was the second most important mobile security threat. As per the latest OWASP Top 10 Mobile report, Weak Server Side Controls is the most exploited security threat in mobile applications. Most mobile enterprise applications that are really useful rely on some sort of back-end services, and that is why this is equally important.
What is Weak Server Side Controls?
Weak Server Side Controls include almost everything that a mobile application can do badly that does not take place on the phone. Now, you would probably say that is why we have a OWASP Top 10 Web Project as well. Yes, we do but the fact that they rely on a connection with the server makes enterprise mobile applications similar in nature to traditional client/server applications. However, that is not the problem. The problem is that mobile developers often do not always take traditional server-side security considerations into account. To add to that, while most of the threats are fairly similar, the abilities of attackers to manage and get control of a mobile device is very different from what it is on the web.
Experience suggests that several factors have lead to a proliferation of server-side vulnerabilities. These factors include:
- Rush to market;
- Lack of security knowledge because of the new-ness of the languages;
- Easy access to frameworks that don’t prioritize security;
- Higher than average outsourced development;
- Lower security budgets for mobile applications;
- Assumption that the mobile OS takes full responsibility for security; and
- Weakness due to cross-platform development and compilation.
How to Prevent Weak Server Side Controls?
The fact is that mobile application security is still in its infancy. Just like teh web, first comes the technology, and then comes the security. But there are certain things organizations can do to ensure more security and make sure they are ahead in terms of innovation.
1. Scan Your Applications
This is one of the most important things to do for a variety of reasons. First, it is very easy to implement. When you do not have a strong security practice in place, this is the best place to start as you will get a glimpse of where you stand before trying to do anything else. Second, an automated scanner can showcase many vulnerabilities that you might have in a very short amount of time and most of these are also very affordable, considering the loss you might have in case you have a vulnerability that is publicly disclosed. Third, security experts have greater depth of knowledge and experience pertaining to security. It is difficult, rather unnecessary, for all organizations to build such great security teams and infrastructure.
2. Get a Detailed Manual Assessment
Many automated security scanners report a lot of vulnerabilities which also includes some false positives and false negatives. That's when some human intervention is good. Good thing is, at Appknox, we have this inbuilt and we assure 0% false positives and false negatives.
The manual assessment will help in separating signal from noise. In simple words, you will get to know what you need to look at and what you can avoid. So, you can understand what threats are low importance and what are high.
3. Use Secure Coding Development Lifecycle (SDLC)
There are several approaches that help you protect mobile application vulnerabilities like Mobile Device Management (MDM), Mobile Application Management (MAM), Mobile Information Management (MIM), etc. However, the only best solution is to ensure you fix the issues in the code itself. While this might seem too much of an effort, it will help you in the long run. While it might take long in implementing secure coding practices, this is what will help protect you against the worst of attacks.
Simply put, security is something you need to take care of every single day. It is not a one-off thing. It has to be baked into your process and should not be a brush on the top.