Ken van Wyk is an internationally recognized information security expert and author of the popular O'Reilly and Associates books, Incident Response and Secure Coding: Principles and Practices, as well as a monthly columnist for Computerworld. Among his numerous professional roles, Ken serves on the boards of two non-profit organizations, FIRST and SecAppDev. Ken is also the project leader of the Open Web Application Security Project (OWASP) iGoat project, an interactive tool designed to help iOS app developers learn how to develop bulletproof apps for the Apple iPhone, iPad, and other iOS devices.
For this Security > 140 conversation, Ken and I discuss Mobile App Security, and how the iPhone helped him realize a childhood dream.
Note: Ken and I will lead the Mobile App Sec Triathlon training class in San Jose November 2-4. If you are interested in Mobile Apps, check it out.
GP: Ken, you have been involved with Secure Coding (and wrote a book on the topic) for years. What do you see as the biggest change for developers trying to write more secure code for mobile apps? What things do they need to take into account?
KRvW: For starters, I love today's mobile platforms. Turns out I've been wanting an iPhone since watching Star Trek on TV when I was a kid. But more to your question, the big thing that has changed is the threat model. In the PC era, we used to be able to get away with saying things like, "if they have physical access to your hard drive, all bets are off". Well, with mobile platforms all bets ARE off. The biggest risk faced by the normal user is loss or theft of the device. That means that app developers need to be hugely diligent in what they store locally and how they store it. You have to ASSUME the adversary is going to get physical access to your device.
GP: Interesting assumptions, so the mindset for mobile app developers is almost akin to writing a web interface that gets accessed from a coffee shop or hotel kiosk PC?
KRvW: Close. I think all web apps should be designed so they can be run on an open WiFi in a coffee shop (without the benefit of a VPN). Mobile apps are even worse in some aspects. They have to run on open WiFis and be ready at any moment to hand over their non-volatile storage to a determined adversary. Kind of like programming Satan's computer, only worse.
Now, that probably sounds melodramatic. It's not meant to be. It's just that having that sort of thinking helps you prepare your apps for the worst.
Don't assume your device won't get lost or stolen. It is the most likely security compromise your users will face. As an app developer, assume the worst. Your users will thank you one day.
GP: "Assume the worst" sounds like a good mindset for a secure coder. Besides lost and stolen threats, what are some [issues] other Mobile app developers need to factor in?
KRvW: The privilege model on the platforms is closer to Windows 95 than to a modern operating system. There's basically one user, and that user has complete control of the device (essentially).
Now that's not entirely fair. Both iOS and Android do try to protect apps from one another, for example. They do put apps into a sandbox of sorts.
But it's not far from the truth either. There's very little notion of privileges in iOS or Android.
Those things all challenge the app developer. They mean you have to be ultra careful with your users' data. You can't store sensitive data locally even for a moment without adequately protecting it.
That doesn't mean we shouldn't write software for these platforms. Quite the contrary! The market demands we do. But we absolutely have to be pedantic with how we treat our users' information.
GP: What's your general observation on the security tools that iOS and Android offer developers to protect their users and their apps? Are mobile platforms offering latest and greatest security, or is it 1990s deja vu all over again, or somewhere in between?
KRvW: Well, on iOS, I have to admit I was quite appalled by the lack of security tools for things like static code analysis. The code analysis tool in Xcode really just checks for quality-related issues like memory leaks. There is a dearth of tools for looking through code for security problems there. Android isn't quite so bad, as there are tools available for scanning Java code.
On the other hand, there are some network tools for doing things like dynamic validation of network traffic. And there are good memory profilers and things like that.
So, it's not horrific, but it's also not anywhere near as good as what we have for desktop or server-side web applications, for example.
The conversation continues in Part 2
Secure Coding Training - Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.