IG/Mobile Security analysis

From Web Security
< IG
Jump to: navigation, search

This page is under construction. This page is gathering fragmented opinion/ideas about the perceived weaknesses of the web on the mobile, compared to native app in open environment.

Identified perceived weaknesses

  • lack of encrypted storage
  • impossibility to manage remotely locally-stored data for a given Web app
  • certificate/key management
  • difficulty to protect against XSS/CSRF attacks
  • difficulty to garantee integrity of the code of the app (and thus greater exposure to

attacks)

  • Code obfuscation

Note the several arguments about code obfuscation - Is just a higher barrier to break code - Is not easy to do and implies some pentesting problems - Not recommended by NIST http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf - But practiced for particular business or regions.

Web app lifecycle consistency

  • app design (including functions made available to the web developers) : is there any security guidelines for developing good (unbreakable) apps ?
  • app packaging : are app packages trustable (including signature, fingerprint...) ?
  • app deployment/update : how is controlled the update/deployment of the webapps ?
  • app usage : which security model can be built around the app ? (user authentication, application authentication, device authentication)

Blockers today and how to improve the situation

  • standard cannot be based on a specific hardware feature

=> some and correct level of abstraction is needed based on, the gaps seen by different industries, so the spec may not directly depend on whatever hardware there is, but the security concepts that is introduced by having such software/hardware components in the system. [Mete Balcı, Pozitron]

  • standard are not sponsored by the "security sensistive" interested parties [Anders Rundgren]

=> lets make them joining !