Mobile Web App Security

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Sep 22, 2010 7:03 pm

Mobile Web App Security

I have been asked this question a couple times now and wanted some feedback on what others thought.

Let's say you have a web application that you want your customers to be able to access via their mobile device, more specifically from their smart phones.

What are some of the security considerations to keep in mind? I am especially interested in the communication from, say, the mobile device to the tower. What risks are present at this point?

Can you sniff 3G traffic and steal session data etc.? I would imagine that this would be possible if the device connects to the web site using an open wi-fi connection, yes? But what about 3G/EDGE etc.? I know that intercepting voice on an EDGE network is possible with little effort (Chris Paget @defcon). What about data?

Isn't a mobile device just another end point, so that the same risks that would be present in a PC environment would more or less also be present in the mobile environment (sniffing/MITM/authentication/input validation etc.)?
Last edited by Dark_Knight on Wed Sep 22, 2010 7:07 pm, edited 1 time in total.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Sep 23, 2010 8:38 am

Re: Mobile Web App Security

Unfortunately, even for security researchers, sniffing 3G traffic is a federal offense. I know that this isn't a deterrent for the criminal element, but it is what it is...

You might be interested in this, though:

http://www.eweek.com/c/a/Security/Resea ... gy-760682/
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
jacobadam

Newbie

Posts: 10

Joined: Thu May 12, 2011 1:31 am

Post Thu May 12, 2011 1:51 am

Re: Mobile Web App Security

There are a number of web apps available nowadays. They offer enhanced security.
magnologan

Newbie

Posts: 4

Joined: Wed Oct 26, 2011 12:26 pm

Post Thu Oct 27, 2011 1:14 pm

Re: Mobile Web App Security

Check this OWASP Project: https://www.owasp.org/index.php/Mobile
amol_d

Newbie

Posts: 12

Joined: Tue Apr 10, 2012 8:49 am

Post Mon Dec 31, 2012 3:28 am

Re: Mobile Web App Security

IMHO, more than the risk of someone sniffing 3G (and I have no idea how practical this is), the greater risk is a customer using public WiFi to talk to your website. That would let an attacker on the same access point launch practical attacks (man in the middle via ARP spoofing etc.), so I would always assume that the client data to a website can be intercepted and then do the design based on this assumption (e.g. SSL, application level encryption etc.).

Another point: sometimes a dangerous assumption is that because it is a mobile application, it will only be accessed via mobile devices. For example: I have encountered cases in which the developers assumed that they were restricting access to mobile browsers by checking the User Agent field in the HTTP request and checking that against a whitelist of mobile browser User Agents. Based on this false assumption, the website then had other bad practices like having hidden fields to control business logic because 'who would be able to see hidden fields from a mobile device'!
OSCP CISSP CSSLP CISA
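The two design points in the post above (assume everything from the client can be read or altered in transit, and never let a User-Agent whitelist or a hidden form field stand in for server-side control of business logic), as an added example that is not part of amol_d's post or anything else in this thread. Every name in it (`CATALOGUE`, `Request`, the SKUs, the sample requests and the User-Agent string) is constructed for illustration; it does not model any real site.

```python
"""
Added example (not from the forum thread): a minimal checkout handler written
twice. `weak_checkout` follows the pattern the post warns about; `hardened_checkout`
assumes any client can send any bytes, possibly over a hostile network.
All fields, prices and sample requests below are constructed.
"""
from dataclasses import dataclass, field

# Constructed server-side catalogue: the only authoritative source of prices.
CATALOGUE = {"sku-100": 49.99, "sku-200": 9.50}

# Substrings the weak version treats as proof of a "real" mobile browser.
MOBILE_UA_WHITELIST = ("Mobile Safari", "Android")


@dataclass
class Request:
    scheme: str                              # "https" or "http"
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def weak_checkout(req: Request) -> dict:
    """The User-Agent check is the 'access control', and the hidden `price`
    field is trusted because 'nobody can see hidden fields on a phone'."""
    ua = req.headers.get("User-Agent", "")
    if not any(tag in ua for tag in MOBILE_UA_WHITELIST):
        return {"status": 403, "reason": "mobile browsers only"}
    # Hidden field fed straight into business logic: the client sets its own price.
    total = float(req.form["price"]) * int(req.form["qty"])
    return {"status": 200, "total": round(total, 2)}


def hardened_checkout(req: Request) -> dict:
    """Design that assumes the client's data can be intercepted or altered
    (open Wi-Fi, ARP spoofing) and that the client may not be a phone at all."""
    # 1. Transport: refuse to process an order over plaintext, and mark the
    #    session cookie Secure + HttpOnly so it is never sent in the clear.
    if req.scheme != "https":
        return {"status": 400, "reason": "TLS required"}
    # 2. The User-Agent is free text chosen by the client. It may pick a
    #    layout; it never decides what the client is allowed to do.
    ua = req.headers.get("User-Agent", "")
    layout = "mobile" if any(tag in ua for tag in MOBILE_UA_WHITELIST) else "desktop"
    # 3. Business data lives on the server: the client names a SKU and a
    #    quantity, the server supplies the price. Any `price` field is ignored.
    sku = req.form.get("sku")
    try:
        qty = int(req.form.get("qty", ""))
    except ValueError:
        return {"status": 400, "reason": "bad quantity"}
    if sku not in CATALOGUE or not 1 <= qty <= 100:
        return {"status": 400, "reason": "bad item or quantity"}
    total = round(CATALOGUE[sku] * qty, 2)
    return {
        "status": 200,
        "total": total,
        "layout": layout,
        "set_cookie": "session=<opaque-id>; Secure; HttpOnly; SameSite=Lax",
    }


# Constructed samples. TAMPERED is what any HTTP client can send regardless of
# device: a whitelisted User-Agent string, a rewritten hidden price, plain HTTP.
MOBILE_UA = "Mozilla/5.0 (Linux; Android 4.0) Mobile Safari/534.30"
TAMPERED = Request(scheme="http", headers={"User-Agent": MOBILE_UA},
                   form={"sku": "sku-100", "price": "0.01", "qty": "3"})
TAMPERED_TLS = Request(scheme="https", headers={"User-Agent": MOBILE_UA},
                       form={"sku": "sku-100", "price": "0.01", "qty": "3"})
HONEST = Request(scheme="https", headers={"User-Agent": MOBILE_UA},
                 form={"sku": "sku-100", "qty": "3"})

if __name__ == "__main__":
    print("weak, tampered     :", weak_checkout(TAMPERED))          # charges 0.03
    print("hardened, tampered :", hardened_checkout(TAMPERED))      # TLS required
    print("hardened, tampered over TLS:", hardened_checkout(TAMPERED_TLS))  # 149.97
    print("hardened, honest   :", hardened_checkout(HONEST))        # 149.97
```

The point of the two tampered requests is that the hardened handler produces the same total whether or not the client supplies a `price` field, and the User-Agent only ever influences the `layout` key; the only thing that changes the outcome is what the server itself knows.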
