Mobile application development, assessment, and the internet of things
CASE STUDY |
A client requested that RSM perform a variety of assessments on the company’s mobile application as a final test before pushing it out to the production environment. This app connected to employee devices over Bluetooth and allowed for a variety of device state tracking by customers using smartphones with the app. The app then connected to the cloud to share and receive what data is needed.
RSM performed a mobile application security assessment on the client’s app. This assessment assumes the role of an attacker and uses manual, dynamic testing to assess app security in areas such as data storage, network communication, cryptographic usage, remote web services and business logic.
RSM’s testing showed that the app was developed with a strong eye towards security, as the few issues discovered were low level and easily addressed. As part of performing our mobile app assessments, RSM examines how the app functions and what specific role it plays in our client’s business processes. With this app, RSM noted specifically that it is designed to provide many of the benefits of internet enabling without many of the drawbacks. Additionally, RSM examines what type of data the app is using and sharing, and any potential security concerns about this data. With this app, RSM noted the device and app were only sharing relevant information needed to provide the service to the customer.
Though the assessment came back showing the app was mostly secure, that doesn’t mean there weren’t some important lessons to learn from this work that all app developers should keep in mind. These lessons can largely be broken down into two different areas.
Managing app data
One of the key factors that allowed this app to maintain its relatively high security levels is that the developers limited the data that it handles as much as possible. It is often tempting when creating these kinds of apps to have them share as much information as possible about the customer, the kind of information marketing departments love to have access to. However, if an app does this, that data makes the app much more valuable as a target for attackers, who can use that same data for lucrative illicit activities. In this instance, our client was very careful that the app only gathered and shared the bare minimum needed to meet customer needs. While this limited the app a bit from a marketing perspective, it reduced the overall risk that the app represented.
Limiting the internet of things
Understandably, many people are quite excited about the move towards internet-enabled devices, commonly referred to as the internet of things. Everything from thermostats to appliances to cars are being connected directly to the internet, often without anyone questioning if such a connection offers much benefit beyond some minor conveniences. In connecting directly to the internet, these devices are exposing themselves to a variety of attacks that could lead to either the device being used as part of a botnet (a network of computers infected with malicious software and controlled as a group without the owners' knowledge that can potentially be used to send spam messages) or the device’s user being compromised. Our client considered this, and developed the solution of using the phone app to communicate with the internet, thereby effectively isolating their devices from the internet at large, while allowing for the easy update of the app should any vulnerabilities be discovered.While the push to create internet-enabled devices is understandable from the perspective of adding functionality to a product, the security concerns are very real and need to be taken into consideration. Using a mobile device and a properly built app can provide the functionality of the internet while allowing the device to remain effectively segmented from many of the security concerns of a full internet connection. Having a careful consideration for what data is being shared can also provide the added benefit of protecting your customers so that, even if the app is breached, minimal sensitive information is lost.
Even with all of this in mind, app development needs to continually focus on testing to ensure that new vulnerabilities don’t develop with updates in the app or its environment. Even the most carefully developed app can have a critical vulnerability exposed with an update. However, careful design and consideration for what data is being shared and how it is being shared are key for the secure development and usage of apps.