Here is Part 2 of the Security > 140 Conversation with Ken van Wyk discussing Mobile App Security tools, technologies and what developers can do to make improvements to their mobile apps' security.
Note: Ken and I will lead the Mobile AppSec Triathlon training class in San Jose, November 2-4. If you are interested in Mobile Apps, check it out.
GP: Is the lack of mobile security tools simply a case of security being behind the curve of the new, hot technology? Would you expect mobile security tooling to catch up given the demand and focus on security? What areas seem most important and promising to you for mobile security tools?
KRvW: Very much so. I expect there'll be some more useful security tools coming along for both platforms before long.
As I said, I'd like to see better static code analysis tools for iOS / Objective C, for starters. That, and maybe some better tools for analyzing the contents of files stored locally on the device. There are tools like iPhone Explorer that start, but I want more. (I'm speaking mainly of iOS here, I should point out.)
GP: With the popularity of iPad do you see anything different about mobile app security on those types of devices versus a smartphone like iPhone?
KRvW: The platform is nearly identical to the iPhone from an app standpoint. (Obviously, the view components change with higher resolution, but it's the same basic system.)
What is different is how we're using iPads (and other tablets). We're putting bigger, more "serious" apps onto them. With that comes more risk, in all likelihood.
GP: Switching gears to process, what do you see in terms of SDLC for mobile - are there any positive or negative trends here with regard to security involvement in the SDLC?
KRvW: Well, the rush to market seems even greater in mobile apps, for one thing. And there seems to be more outsourcing than in other areas. Those things don't bode well for security process, I'm afraid.
There seem to be many mistakes made in haste in the mobile world. I imagine that will stabilize over time, but it doesn't seem to have yet.
GP: What is one thing that someone building mobile apps can do today to help make their app more secure?
KRvW: Knowledge is king. Read and study. Dive into iGoat (iOS) and GoatDroid (Android) and study the issues first hand.
The picture I've painted here might sound like gloom and doom, but it's really not. You can do great things on these platforms, but it requires diligence by the developer.
We all get affected by market pressure, but always remember too that users aren't quick to forgive stupid mistakes. Take the time and do things right.
Secure Coding Training Class: Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.