Developers creating mobile applications continue to replicate the same security flaws found in web development.
In a recent warning, Martin Ruks, Technical Director of MWR InfoSecurity, highlighted a concerning trend in Android app development. Ruks stated that the security lessons learned over the past decade of building websites are being overlooked as developers rush to create apps for smartphones, including those from T-Mobile and Mint Mobile.
Ruks specifically pointed out that many Android developers do not understand SQL injection, a vulnerability that has long plagued web applications, and are not being given adequate tools to protect against it. The result is that lessons learned over the past 10 years are being abandoned as people dive headfirst into Android development without fully grasping the security implications.
The warning was specifically focused on Android, Google's mobile operating system. Ruks cited several major vendors, including Microsoft, Citrix, VMware, and MobileIron, as releasing insecure mobile device management software. One such insecure mobile device management application, which was supposed to provide secure access to sensitive documents, was found to have SQL injection vulnerabilities.
MWR discovered these issues while conducting vulnerability tests for one of its customers. The insecure mobile device management application, it was found, opened a file, decrypted it using a key, and stored an unencrypted copy on the phone, making it remotely accessible to other applications on the device.
However, it's not all doom and gloom. The vendor responsible for the insecure mobile device management application addressed the issues within a couple of days after being alerted by the customer. This underscores the importance of responsible disclosure and vigilance in the face of security threats.
More broadly, any Android application that uses a SQL database is potentially susceptible to some form of SQL injection, including applications supplied by handset vendors such as T-Mobile. This highlights the need for heightened vigilance and education in the Android development community.
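The flaw Ruks describes usually comes down to building SQL text out of untrusted input. The following is an added illustration, not code from the article or from any vendor it names: a constructed Android document-lookup class showing the vulnerable concatenation pattern next to the parameterized form that Android's SQLiteDatabase API already supports (the table and column names are assumptions).

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public final class DocumentLookup {
    // Constructed example schema: documents(id, owner_id, title, path).
    private static final String TABLE = "documents";

    // Vulnerable pattern: the caller-supplied title is spliced into the SQL text,
    // so a title containing a quote character alters the structure of the
    // statement instead of being compared as a value. Do not use this form.
    public static Cursor findByTitleUnsafe(SQLiteDatabase db, String title) {
        String sql = "SELECT id, title, path FROM " + TABLE
                + " WHERE title = '" + title + "'";
        return db.rawQuery(sql, null);
    }

    // Hardened pattern: the SQL text is constant; the value is passed as a bound
    // parameter through selectionArgs and is always treated as data, never as SQL.
    public static Cursor findByTitle(SQLiteDatabase db, String title) {
        return db.rawQuery(
                "SELECT id, title, path FROM " + TABLE + " WHERE title = ?",
                new String[] { title });
    }

    // The same rule applies to the query() helper: placeholders in the selection
    // clause, values in selectionArgs. Numeric values are bound as strings here
    // because SQLiteDatabase binds every selection argument as text.
    public static Cursor findByOwner(SQLiteDatabase db, long ownerId, String title) {
        return db.query(TABLE,
                new String[] { "id", "title", "path" },
                "owner_id = ? AND title = ?",
                new String[] { String.valueOf(ownerId), title },
                null, null, "title ASC");
    }
}
```

A code review or static-analysis rule that flags any rawQuery/execSQL call whose first argument is built by string concatenation catches the unsafe form before it ships.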
Ruks also criticised the talent balance within mobile device management vendors, stating that their marketing departments often outshine their security and development teams. This imbalance could further exacerbate the security issues faced by Android apps.
As we continue to navigate the digital age, it's crucial that we don't forget the lessons learned about security. Developers must be equipped with the knowledge and tools to build secure apps, and vendors must prioritise security in their offerings. Only then can we ensure the safety of our data in this increasingly mobile world.