Software Apps… Detect their Vulnerability.

In the previous post we talked about the dominance of mobile applications over e-stores. Well, if you have made up your mind to get an application, you must consider having a close look at its vulnerabilities as well.

In 2012, there was much hype about Skype's data security. It had a flaw which exposed users' IP addresses to hackers. Thankfully, it was later resolved, because the level of penetration Skype has into our lives is very high.

In another case of data theft, hackers targeted Starbucks mobile users to extract money through the Starbucks mobile app. Well, Starbucks was storing its customers' data in plain text, which included their email addresses, passwords and names.

Dropbox is another such victim of a security breach. These are the names of some biggies in the software applications world. These companies invest a good amount of money in establishing their product, brand name and security. But despite all the security measures, data thieves and hackers are working actively in some corner of the world.

Similarly, there are a number of applications on which you depend regularly. Some of them are high end while some are from newbie developers. The problem is not the scale of their development. The problem here is the ignorance towards their vulnerabilities.

According to Gartner Security, the application layer currently contains 90% of all vulnerabilities.

When an application is being developed, the first concern should be the security of its users. This should never be compromised. Whether data is transmitted or stored, it should be encrypted. If an attacker gets access to the stored data, he should not be able to recover the key used to encrypt it. Here are some encryption-based security options:

  • Keychain
  • Encryption of email
  • FileVault
  • Certificate-based digital signatures
  • The ability to create encrypted disk images
  • SSL/TLS secure network communication
  • Kerberos authentication

But here is one thing to be considered: every option has its advantages and limitations, so the developer must use it appropriately. (source: www.developer.apple.com)
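The Starbucks case above and the "stored data must not be readable" rule are easiest to see side by side. The following is an added example, not code from the original post or from any of the companies named: it stores the same constructed credential the weak way (plain text, as Starbucks did) and the hardened way. For passwords specifically the right protection at rest is not reversible encryption at all but a salted, slow hash (PBKDF2-HMAC-SHA256 here), so a leaked record contains nothing the attacker can read back as the password. The sample email and password, the iteration count and the salt length are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration; not real user data.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

# PBKDF2 parameters (assumed values for this example).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(email: str, password: str) -> dict:
    """The weak pattern: the stored record holds the password verbatim,
    so whoever reads the store (a stolen phone, a leaked database)
    immediately holds the credential."""
    return {"email": email, "password": password}


def store_hashed(email: str, password: str) -> dict:
    """The hardened pattern: keep only a random per-user salt and a slow
    PBKDF2 digest. No stored field can be turned back into the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "email": email,
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "digest": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate with the stored salt and
    iteration count, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(expected, actual)


def record_exposes_password(record: dict, password: str) -> bool:
    """The attacker's view of a leaked record: is the password sitting in
    any field as-is?"""
    return any(value == password for value in record.values())


if __name__ == "__main__":
    weak = store_plaintext(SAMPLE_EMAIL, SAMPLE_PASSWORD)
    strong = store_hashed(SAMPLE_EMAIL, SAMPLE_PASSWORD)
    print("plain-text record leaks password:", record_exposes_password(weak, SAMPLE_PASSWORD))
    print("hashed record leaks password:", record_exposes_password(strong, SAMPLE_PASSWORD))
    print("correct password verifies:", verify_password(strong, SAMPLE_PASSWORD))
    print("wrong password verifies:", verify_password(strong, "wrong"))
```

Because the salt is random, hashing the same password twice yields two different records, so an attacker cannot even tell that two users share a password; the iteration count is stored with the record so it can be raised later without breaking existing users. Emails and names, which the app must be able to read back, are the part that needs real encryption with a key kept outside the data store (the Keychain in the Apple list above is the intended home for such keys).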

Social engineering is another big trap laid by attackers to siphon off crucial information like credit card details, banking passwords and social security numbers. When a user is tricked by an attacker into revealing his information on his own, that is termed social engineering or phishing.

According to Gartner (http://www.gartner.com), phishing attacks cost U.S. banks and credit card companies about $1.2 billion in 2003, and this number is increasing.

However, blaming the developer for phishing attacks is totally unfair. Still, he must remain aware of any suspicious modules in the application asking for sensitive user information. Developers must educate their users about the points at which their private information will be asked for. A well-designed user interface can help the user make informed decisions.

Many a time an application user becomes the victim of sideloading. It is a type of installation that does not require permission from the user and is available from commercial app stores other than the official stores like Google Play or the Apple App Store. This could possibly be malware. Both user and developer must be aware of the fact that sideloading is happening. This often happens because of settings in the phone's operating system changed by the user himself. But the user must report this to the developer as well, since there is certainly a patch inserted in the code which gets triggered for installation.
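A defender-side check for the sideloading the paragraph warns about, as an added example that is not part of the original post: on Android, `adb shell pm list packages -i` prints every installed package together with the installer that placed it, and packages that did not arrive through Google Play (installer `com.android.vending`) are the ones to look at. The sample output below is constructed, not captured from a device, and the trusted-installer set and the system-package prefixes are assumptions for this example.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not a real
# capture). The real command prints one line per package in the form
#   package:<name>  installer=<installer package, or null>
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.unknownutility  installer=null
package:com.example.altstore.app  installer=com.example.altstore
package:com.android.settings  installer=null
"""

# Installers treated as trusted for this example (assumed list; Google Play).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Packages from the system image never record an installer, so
# `installer=null` is expected for them (prefix list assumed for the example).
SYSTEM_PREFIXES = ("com.android.",)

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_output(text: str) -> dict:
    """Map package name -> installer package (None when the device reports null).
    Lines that do not match the expected shape are ignored."""
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        installer = match.group("installer")
        result[match.group("pkg")] = None if installer == "null" else installer
    return result


def find_sideloaded(packages: dict) -> list:
    """Return (package, installer) pairs that were not installed by a trusted
    store, skipping system packages. A None installer means the package was
    pushed directly (for example via adb or a downloaded APK)."""
    flagged = []
    for pkg, installer in sorted(packages.items()):
        if pkg.startswith(SYSTEM_PREFIXES):
            continue
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


if __name__ == "__main__":
    for pkg, installer in find_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"sideloaded: {pkg} (installer: {installer or 'none recorded'})")
```

Run against a real device by piping the command's output into `parse_pm_output`; the two constructed hits here are a package with no recorded installer and one placed by a third-party store, which is exactly the situation the paragraph describes for the user to report to the developer.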