Mobile security threats top the charts when it comes to things developers need to watch, according to experts and a recent study from Verizon.
According to the Verizon Data Breach Investigation report, published at the end of 2011, there are 13 threats developers need to look out for in 2012, with mobile vulnerabilities being high on the list. Other threats include app-store infiltration and risks associated with digitized health records. Smart-grid security standards will emerge and social engineering threats will also be on the rise.
An increasing phenomenon, said Ondrej Vleck, CTO of Avast (a provider of free anti-virus software), is the number of applications in the Android Marketplace that look like legitimate applications but are in reality malware packages, which are then able to interact with the mobile device and with other applications without the user knowing.
Vleck agreed that mobile applications are the most vulnerable because they are used by end users who may not be familiar with the threats. “The number of malware samples for Android is growing much faster [than other platforms], and while the numbers are smaller than the number of malware threats for Windows, they may soon match,” he said. These are not typical attacks, he added; most mobile attacks are phishing attacks or other attempts to steal personal information kept on a mobile device.
Silent attacks are also being carried out on social networks, according to Nick Skrepetos, CTO of consumer software for Support.com, a computer repair and malware protection provider. He said the application development community is still seeing a huge number of threats, like Facebook phishing attacks, and recommended that developers track the types of threats that are trying to access their applications. Once developers are aware of malware that is finding weak points in their software, future releases can include security measures to ensure that those weak points are no longer accessible.
Additionally, he said education is important because malware will always find a way around the blocks developers put in place, so helping developers understand the threats will help them limit the weak points in their applications.
According to Jodi Wadhwa, vice president of marketing at software security provider Arxan, one of the biggest threats is reverse-engineering of client-side applications. Since everything is “driven by apps,” attacks are more frequently aimed at the end-user, the “man at the end” of the cycle, she said.
Mark Austin, CTO at Avecto (a provider of Windows privilege management), contributed best practices for developers interested in protecting their applications against this crop of threats.
He cautioned developers against giving end users in their systems “privileged” access. Users with privileged access can drill down into the machine, and, by default, any malware that obtains that user's credentials can do the same. He added that developers should think about what their application must do, then make sure it can perform all of those functions under a standard access account.
Austin also said some settings should be system-wide and others should be user-wide, because user access is more susceptible to damage by malware.
Input validation is another best practice Austin advocated. “Make sure any inputs are validated,” he said, adding that the server shouldn’t assume that it is talking to the correct client.
The most important thing to remember when trying to defend against malware is that it is meant to find and intercept an elevated process, according to Austin. So, by reducing the level of access of users and the number of steps it takes to do something within a program, developers should be able to reduce the number of attacks.