I frequently find myself among people who develop for mobile platforms. It is still common for one of them to describe their work as unique in the history of software development, untethered from all legacy ideas and constraints.
While real mobility has enabled new business use cases, it has not freed those who create or acquire software from their obligation to deliver and maintain risk-appropriate products and services. This is especially true for those supporting financial services. Successful application security service providers tend to understand this; Trustwave is one example.
Charles Henderson, Director of Application Security Services at Trustwave, wrote a piece for Forbes describing how that attitude harms mobile apps and the security of their users.
His thesis is that “the rush of companies and developers into the mobile software market has led to shortcuts that have repeated many security problems already solved in older technology platforms. Mobile has been fraught with issues of caching sensitive data, incomplete encryption and simple mistakes in coding.” He added that these devices are so portable that physical security concerns pose a new and material risk.
In misguided attempts to deliver what is often a friendlier user experience, mobile app developers will cache sensitive data on the device. Trustwave has found apps caching, “for example, your online banking username and password, checking routing and account number, account history and so on.”
Henderson writes that “Trustwave recently tested an otherwise secure banking application that wrote full debit card data, including card numbers, expiration dates and security code, to the phone’s log file in plain text.”
He also shared that some apps encrypt card numbers only while at rest on mobile devices, allowing “malware on the device to intercept the card number before it is encrypted.”
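The three findings above, cached credentials, card data written to the device log, and encryption applied only after the data is already exposed, all come down to what is allowed to reach the device's storage in the first place. As an added illustration that is not code from the Forbes article or from Trustwave, and is written as platform-agnostic Python rather than against a mobile SDK, the example below puts the logging pattern Henderson describes beside two mitigations: a redacting log filter that masks Luhn-valid card numbers to their last four digits and strips CVV and expiry values, and a call site that never hands the sensitive fields to the logger at all. The card record, the field names the regexes look for, and the log format are constructed for the example.

```python
"""Added example: keep card data out of device logs (not code from the Forbes article or Trustwave)."""
import io
import logging
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field-style CVV and expiry values, e.g. "cvv=123" or "exp: 12/25" (field names are assumed).
CVV_RE = re.compile(r"\b(cvv2?|cvc|security[ _]?code)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
EXPIRY_RE = re.compile(
    r"\b(exp(?:iry|iration)?(?:[ _]?date)?)\s*[:=]\s*\d{1,2}\s*/\s*\d{2,4}\b", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real card number passes it, so it is a cheap PAN detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, 10..18 fold to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match[str]") -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # order id, timestamp, etc.: not a card number, leave it alone
    hide = len(digits) - 4  # keep only the last four digits, preserve separators
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append("*" if seen < hide else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> str:
    """Mask PANs and remove CVV/expiry values from one log line."""
    text = PAN_RE.sub(_mask_pan, text)
    text = CVV_RE.sub(r"\1=[REDACTED]", text)
    return EXPIRY_RE.sub(r"\1=[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Backstop on the handler: rewrites every record before it is formatted and written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render %-args first so they are covered too
        record.args = ()
        return True


# Constructed sample record for the example; not real card data.
CARD = {"pan": "4111 1111 1111 1111", "expiry": "12/25", "cvv": "123"}


def log_card_unsafe(logger: logging.Logger, card: dict) -> None:
    """The pattern Henderson describes: full card data written to the log in plain text."""
    logger.debug("authorising card %s exp=%s cvv=%s", card["pan"], card["expiry"], card["cvv"])


def log_card_safe(logger: logging.Logger, card: dict) -> None:
    """Hardened call site: only a masked reference is logged; CVV and expiry never reach the logger."""
    logger.debug("authorising card ending %s", card["pan"].replace(" ", "")[-4:])


def capture(log_fn, card: dict, redacting: bool = True) -> str:
    """Run log_fn against a string-backed handler and return what would have hit the log file."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redacting:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger("card-demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        log_fn(logger, card)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().strip()


if __name__ == "__main__":
    print("unsafe, no filter :", capture(log_card_unsafe, CARD, redacting=False))
    print("unsafe, filtered  :", capture(log_card_unsafe, CARD))
    print("safe call site    :", capture(log_card_safe, CARD, redacting=False))
```

The safe call site is the real control; the filter is a backstop for code that has not been audited yet. Two caveats a reviewer would raise: the filter only sees records that pass through this logging pipeline, so code that writes its own files, or a crash reporter that snapshots request objects, bypasses it; and any Luhn-valid run of 13 to 19 digits is masked, so an occasional order number will be starred out, which is the right way to err.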
Mobile app development does not exist outside history and convention. Mobile app developers can, and must, learn from existing, hard-won secure software practices.
Charles Henderson, “Is Your Mobile App Safe?”, Forbes, 15 February 2013; http://www.forbes.com/sites/ciocentral/2013/02/15/is-your-mobile-app-safe/