Thursday, October 4, 2012

What's In your Android Security Toolkit, Part 4

This is the fourth in a series of posts focused on building an Android Security toolkit. So far we have looked at access control services and defensive coding, which are necessary for the Mobile app. but no Mobile app is an island.

Mobile apps can have lots of communication channels, such as SMS, NFC, and GPS. If used, each of these presents the enterprise a new set of challenges to deal with, protocols and threat models that the enterprise security team likely has not worked in depth with before.

On top of that, the Mobile app usually needs to connect back to the enterprise or Cloud via Web Services. Many enterprise mobile projects begin by saying something like "we have web apps and we have web services, this is nothing more than sticking that little sucker (the mobile client) as a new front end and we are done." Thinking that a mobile app is no different from supportin, say, Firefox is to miss the core of mobile. I have seen this repeatedly and it leads you down the wrong path.

Some of the differences include that mobile devices are ot connected per session (like a web app), they are occassionaly connected and those connections drop. This leads to caching and other usability enhancers. You can expect that a mobile middle tier (not just another front end on existing portals) will be required to manage optimizations and resolving sessions, cache and routes. On top of that, the enterprise is in a position of delivering not just data, but delivering code to the device. Its no longer a case of riding the rails of Chrome, IE or Firefox. The enterprise is now in the business of packaging, deploying and testing client software.

The communication between the Mobile app and the Mobile Web service requires layers of protection. Even the basics here, like access control, are fraught with challenges.

To navigate the Venn of Mobile Security, look outside the device. How will the device be manageed? How is access controlled when calling the Web services? What identity is used? How are the Web services protected? How is it authorized on the server side? These services are crucial to enabling the mobile app to work in a real enterprise deployment. The requirements are not all platform specific but they all create platform specific requriements for the Android developer to deal with. Think End to End.

Come join two leading experts, Gunnar Peterson and Ken van Wyk, for a Mobile App Security Training - hands on iOS and Android security, in San Jose, California, on November 5-7, 2012.

No comments:

Post a Comment