Enterprises deploying smartphone applications need to consider the security implications for their users and for the organization itself. Smart mobile app developers can help to address these issues proactively by thinking about security in advance and planning to address security concerns during application development. Five top smartphone security issues for developers to consider are:

1.       There are no secrets – Even though your application might be distributed in an encrypted format or at least as binary code, developers should expect that malicious users will be able to figure out everything an application is doing. Attackers can use tools such as debuggers and techniques such as reverse engineering to learn whatever they want about an application. Obscurity is not security and no system should be developed where its security relies on no one ever figuring out what the application is doing. This is especially true for smartphone applications where attackers will have access to the running application on a device they control.

2.       Do Not Store Sensitive Information on the Device – People lose smartphones and bad guys steal them. As mentioned above, developers should assume that an attacker with access to the device will eventually have access to all of the code and data on the device. Therefore sensitive information should not be stored where it can be captured. If information is stored encrypted on the device then the encryption keys should not be stored on the device. Citi recently ran into problems because of this issue when a 3^rd party developer building their online banking application stored account numbers and payment information in a file on the device.

3.       Be Careful When Consuming 3^rd Party Services – Smartphone applications often consume data from 3^rd party services and this allows developers to create really compelling applications. However from a security standpoint smartphone developers must also be careful when consuming these services. Data from 3^rd party services should be positively validated before being used within an application. Otherwise a malicious service – or one compromised by a malicious party – could send malformed data that would cause the application to behave in unpredictable ways.

4.       Beware Native Code – Developing applications using native code presents a number of security risks such as the possibility of buffer overflows and format string vulnerabilities. iPhone developers do not have a choice because they are forced to develop in Objective-C. Android (News - Alert) development is typically done in Java which is safer, but they still have the ability to build parts of their applications using native code. The site www.jailbreakme.com used a flaw in native code that handled fonts in PDF documents in order to jailbreak phones that visited the site. In this case the outcome was a desired behavior, but other malicious sites could easily have used the exploit for more malicious ends. Developers building applications in native code should take extra care to be safe when manipulating strings and other arrays as well as when handling memory management.

5.       The Server Side Matters – Really compelling smartphone applications do not live in a vacuum. As mentioned above, many applications need to consume 3^rd party services to provide desired functionality. Enterprises also often have to deploy services of their own to support smartphone applications. These services are subject to discovery and attack from malicious users and are often even more attractive targets than the application on the device. From an attacker’s standpoint it may be more valuable to target server resources with access to all users’ data rather than the data of a specific user stored on a specific device. The recent incident where Apple iPad users’ email addresses were exposed was an attack against server-side resources AT&T (News - Alert) had deployed to support a mobile application, not an attack against the smartphone application itself.

Smartphones make new and exciting applications possible. However, these applications often involve combining data from multiple sources, moving sensitive data across the network and storing data in new places and on new devices. Developers should take care when creating smartphone applications to avoid putting their users and their organizations at risk.