Mobile Web App Security

This topic contains 4 replies, has 5 voices, and was last updated by  amol_d 6 years, 9 months ago.

  • Author
    Posts
  • #5611
     Dark_Knight 
    Participant

    I have been asked this question a couple times now and wanted some feedback on what others thought.

    Let’s say you have a web application that you want your customers to be able access via their mobile device. More specifically from their smart phones.

    What are some of the security considerations to keep in mind? I am especially interested in the communication from say the mobile device to the tower.  What risks are present at this point?

    Can you sniff 3G traffic and steal session data etc? I would imagine that this would be possible if the device connects to the web site using an open wi-fi connection yes? But what about 3G/EDGE etc. I know that intercepting voice on an edge network is possible with little effort.(Chris Paget @defcon).
    What about data?

    Isn’t a mobile device just another end point and so the same risks that would be present in a pc environment would more or less also be present in the mobile environment(sniffing/MITM/Authentication/Input validation etc).

  • #35281
     ziggy_567 
    Participant

    Unfortunately, even for security researchers, sniffing 3G traffic is a federal offense. I know that this isn’t a deterrent for the criminal element, but it is what it is…

    You might be interested in this, though:

    http://www.eweek.com/c/a/Security/Researchers-Uncover-Security-Vulnerabilities-in-Femtocell-Technology-760682/

  • #35282
     jacobadam 
    Participant

    There are number of web apps are available now days. They offer enhanced security.

  • #35283
     magnologan 
    Participant

    Check this OWASP Project: https://www.owasp.org/index.php/Mobile

  • #35284
     amol_d 
    Participant

    IMHO more than the risk of someone sniffing 3G (and i have no idea how practical this is), the greater risk is a customer using public WiFi to talk to your website. That would let an attacker on the same access point to launch practical attacks (man in middle via arp spoofing etc) so I would always assume that the client data to a website can be intercepted and then do the design based on this assumption (eg SSL, application level encryption etc)
    Another point: sometimes a dangerous assumption is that because it is a mobile application, it will only be accessed via mobile devices. For example: I have encountered cases in which the developers assumed that they are restricting access to mobile browsers by checking the User Agent field in the HTTP request and checking that against a whitelist of mobile browser Use Agents. Based on this false assumption, the website then had other bad practises like having hidden fields to control business logic because ‘who would be able to see hidden fields from a mobile device’!

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?