Author Topic: Mobile Web App Security  (Read 16062 times)
Dark_Knight
« on: September 22, 2010, 07:03:39 PM »

I have been asked this question a couple times now and wanted some feedback on what others thought.

Let's say you have a web application that you want your customers to be able to access via their mobile device. More specifically, from their smartphones.

What are some of the security considerations to keep in mind? I am especially interested in the communication from, say, the mobile device to the tower. What risks are present at this point?

Can you sniff 3G traffic and steal session data etc.? I would imagine that this would be possible if the device connects to the web site using an open Wi-Fi connection, yes? But what about 3G/EDGE etc.? I know that intercepting voice on an EDGE network is possible with little effort (Chris Paget @ Defcon). What about data?

Isn't a mobile device just another endpoint, so that the same risks that would be present in a PC environment would more or less also be present in the mobile environment (sniffing/MITM/authentication/input validation, etc.)?
« Last Edit: September 22, 2010, 07:07:25 PM by Dark_Knight »

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
ziggy_567
« Reply #1 on: September 23, 2010, 08:38:42 AM »

Unfortunately, even for security researchers, sniffing 3G traffic is a federal offense. I know that this isn't a deterrent for the criminal element, but it is what it is...

You might be interested in this, though:

http://www.eweek.com/c/a/Security/Researchers-Uncover-Security-Vulnerabilities-in-Femtocell-Technology-760682/

--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
jacobadam
« Reply #2 on: May 12, 2011, 01:51:06 AM »

There are a number of web apps available nowadays. They offer enhanced security.
magnologan
« Reply #3 on: October 27, 2011, 01:14:22 PM »

Check this OWASP Project: https://www.owasp.org/index.php/Mobile

amol_d
« Reply #4 on: December 31, 2012, 02:28:45 AM »

IMHO, more than the risk of someone sniffing 3G (and I have no idea how practical this is), the greater risk is a customer using public Wi-Fi to talk to your website. That would let an attacker on the same access point launch practical attacks (man-in-the-middle via ARP spoofing, etc.), so I would always assume that the client data to a website can be intercepted and then do the design based on this assumption (e.g. SSL, application-level encryption, etc.).

Another point: sometimes a dangerous assumption is that because it is a mobile application, it will only be accessed via mobile devices. For example: I have encountered cases in which the developers assumed that they were restricting access to mobile browsers by checking the User-Agent field in the HTTP request against a whitelist of mobile browser User-Agents. Based on this false assumption, the website then had other bad practices, like having hidden fields control business logic because 'who would be able to see hidden fields from a mobile device'!

OSCP CISSP CSSLP CISA
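A toy illustration of the two assumptions amol_d describes (a User-Agent whitelist used as access control, and a hidden form field driving business logic), added here as an example that is not from the thread or from any real site; the handler names, the request dicts standing in for HTTP and the catalogue prices are all constructed:

```python
# Added example: a checkout handler that trusts a User-Agent allow-list and a hidden
# 'price' form field, beside a hardened version that recomputes everything server-side.
# Requests are plain dicts standing in for HTTP; all names and prices are constructed.

MOBILE_UA_TOKENS = ("iPhone", "Android", "Windows Phone")

# Server-side catalogue (prices in cents): the only trustworthy source of a price.
CATALOGUE = {"sku-100": 4999, "sku-200": 12500}


def is_mobile_ua(headers):
    """Content-negotiation hint only: any client can send any User-Agent string."""
    ua = headers.get("User-Agent", "")
    return any(token in ua for token in MOBILE_UA_TOKENS)


def checkout_vulnerable(request):
    """Bad practice: the UA check is used as a gate, then a hidden 'price' field is
    trusted because 'only mobile browsers get here and they cannot see hidden fields'."""
    if not is_mobile_ua(request["headers"]):
        return {"status": 403, "reason": "mobile only"}
    form = request["form"]
    total = int(form["price"]) * int(form["qty"])  # price is client-controlled
    return {"status": 200, "total": total}


def checkout_hardened(request):
    """Hardened: the client may choose a SKU and a quantity; the price and the
    business rules come from the server, and the UA only selects the layout."""
    form = request["form"]
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"status": 400, "reason": "unknown sku"}
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return {"status": 400, "reason": "qty not an integer"}
    if not 1 <= qty <= 100:
        return {"status": 400, "reason": "qty out of range"}
    layout = "mobile" if is_mobile_ua(request["headers"]) else "desktop"
    return {"status": 200, "total": CATALOGUE[sku] * qty, "layout": layout}


# Constructed request: a client presenting a mobile-looking UA together with a
# hidden price of 1 cent for two units of sku-100 (list price 4999 cents each).
TAMPERED_REQUEST = {
    "headers": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 4_1 like Mac OS X)"},
    "form": {"sku": "sku-100", "qty": "2", "price": "1"},
}
```

Running both handlers over TAMPERED_REQUEST shows the vulnerable one charging 2 cents while the hardened one charges the catalogue total of 9998 cents, which is the whole point: nothing the client sends can be an input to pricing or authorization unless the server re-derives or validates it.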
© 2013 The Ethical Hacker Network