NIST released its publication Vetting the Security of Mobile Applications (SP 800-163) in January 2015 as a high-level guide for organizations that build or acquire mobile applications and need to vet their security.
I’ve spent some time with the document and it does an excellent job outlining why mobile application security must be vetted at an organization. However, the publication misses the mark in two very important areas: manual testing and server side controls.
Manual Testing - Still a Fundamental Requirement
The NIST publication focuses almost completely on automated tools while undervaluing manual testing as too time-consuming and costly.
Automation is tremendously important. Real-time vulnerability detection and data collection are a key part of any software assurance program.
But comprehensive “Full Stack” testing of mobile applications, including manual testing, is imperative. Simply running a scanner (static or dynamic) against a mobile client will leave real vulnerabilities undetected, because the scanner only sees the client half of the system.
I could list pages of examples where only manual testing exposed a significant vulnerability.
For example, static analyzers cannot:
- Test the strength of the mobile application’s authentication when the authentication is performed on the server side.
- Test the authorization controls of a mobile application. For instance, a specific type of user may only be able to see certain mobile screens or buttons or invoke certain functionality. A static tool cannot tell the difference between users, and it cannot tell whether the server actually enforces that difference or merely trusts the client to hide the button.
- Judge the sensitivity of data and how it is handled, stored, leaked – at least, not without significant configuration.
Server Side Controls Cannot Be Ignored
Treat every mobile device as if it is compromised.
Let me say it again, a bit louder. Treat every mobile device as if it is compromised.
This may sound extreme, but it is the unfortunate reality. Jailbreaking and rooting are commonplace – for users, hackers, and security researchers. Anything the client sends (headers, parameters, role flags, “hidden” fields) can be altered with a rooted device or a simple intercepting proxy. Organizations cannot rely solely on client-side security controls to protect their sensitive business data or Personally Identifiable Information (PII).
NIST’s SP 800-163 only addresses half of the problem with its focus on client-side testing. Security controls should exist on the mobile client (for user experience and defense in depth), but they must be enforced on every backend service the application uses, because that is the only place the attacker cannot modify them.
Examples of important controls you should perform on the server side are:
- Authentication (account level)
- Access Control
- Injection Protections (input validation, encoding, etc.)
- Session Management
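The following is an added example, not code from the article or from NIST SP 800-163, showing what the two lists above mean in practice: a server-side API handler that trusts identity and role claims sent by the mobile client (the kind of flaw a static scan of the client cannot see, and that a rooted device exploits trivially), next to a hardened handler that authenticates against a server-side session store, authorizes against server-side account data, and validates the untrusted identifier before use. The accounts, documents, header names and the in-memory session store are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample back-end state for the example (not real accounts or data).
_SALT = b"example-static-salt"  # a real system uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


ACCOUNTS = {
    "alice": {"pw": _hash_password("alice-pass"), "role": "user"},
    "bob":   {"pw": _hash_password("bob-pass"),   "role": "user"},
    "carol": {"pw": _hash_password("carol-pass"), "role": "admin"},
}

DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's statement"},
    "doc-2": {"owner": "bob",   "body": "bob's statement"},
}

SESSIONS = {}  # opaque session token -> username (server-side session management)
DOC_ID_RE = re.compile(r"[a-z0-9-]{1,32}")  # allow-list for the client-supplied id


def login(username: str, password: str):
    """Account-level authentication on the server: verify the credential with a
    constant-time compare and mint an opaque token the client cannot forge."""
    account = ACCOUNTS.get(username)
    candidate = _hash_password(password)
    if account is None or not hmac.compare_digest(account["pw"], candidate):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def get_document_insecure(request: dict):
    """Anti-pattern: the server believes whatever identity and role the client
    sends. A rooted device, a proxy, or a one-line script can set these headers
    to anything, so every document is readable by anyone."""
    headers = request.get("headers", {})
    user = headers.get("X-User")
    role = headers.get("X-Role", "user")
    doc = DOCUMENTS.get(request.get("doc_id", ""))
    if doc is None:
        return 404, "not found"
    if role == "admin" or doc["owner"] == user:
        return 200, doc["body"]
    return 403, "forbidden"


def get_document_secure(request: dict):
    """Hardened: identity comes from the server-side session, authorization is
    decided against server-side account data, and the untrusted document id is
    validated against an allow-list before it touches any lookup."""
    doc_id = request.get("doc_id", "")
    if not DOC_ID_RE.fullmatch(doc_id):
        return 400, "invalid document id"
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "authentication required"
    user = SESSIONS.get(auth[len("Bearer "):])
    if user is None:
        return 401, "invalid or expired session"
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, "not found"
    # Access control uses the role stored with the account, never a client claim.
    if doc["owner"] != user and ACCOUNTS[user]["role"] != "admin":
        return 403, "forbidden"
    return 200, doc["body"]
```

The point a manual tester would check here is not visible in the client binary at all: with the insecure handler, a request carrying `X-User: mallory` and `X-Role: admin` returns another user's document, and the only way to find that is to replay the client's traffic with altered values against the real backend. The secure handler fails closed (401 or 403) for the same request and rejects malformed identifiers before they reach the data layer.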
Complete the Puzzle
NIST’s SP 800-163 document gets a lot right. Automation and tools are a vital part of the software assurance puzzle, and its processes for securing the client side of a mobile app are a great beginning.
However, your mobile application security plan needs to go further. Examine your critical business security areas and verify your applications according to the OWASP Top Ten Mobile Risks and Controls with a multi-faceted approach that includes manual reviews and testing of server side controls.
Don’t leave the puzzle half finished. Your clients and data are too important.
David Lindner has over 15 years of experience in information security and consulting. Prior to joining Aspect Security, David was a Security and Privacy Consultant at IBM and Senior Information Security Analyst at Securian Financial Group. He’s written for Information Security Media Group (ISMG) and TheMobilityHub. Want to work with David? Contact our Mobile Team.