Smartphone Application Security

I've been dabbling in smartphone application security for a while now focusing primarily on the Android and iPhone platforms. I have done a few assessments of purchased applications and I must say I am more than a bit concerned.

These mobile devices are unlike any mobile device we have had to deal with in the past. A smartphone is most of the time turned on, in a pocket or purse of it's owner, and in some cases connected directly to a work VPN. This model is similar to a laptop, but not really. A Laptop is not always connected and most of the time is not physically on the owner outside the office, airport, or local coffee shop. Security on the smartphone devices is in general up to the owner (except in some cases when a company manages password policies on the devices).

Routinely, consumers of their mobile devices treat them quite a bit differently than a laptop because they aren't as powerful, until now. With the recent release of smartphone devices with 1GHz processors we have crept into a market that has for the most part been under the radar (unless we speak of blackberries which focus primarily on email and calendaring).

On the other side the recent release of the iPhone AppStore and Android Market open the smartphone platforms to many different applications that can do anything one can imagine. The problem is these applications are seen as money to software developers and companies and little time is spent on securing such applications. A recent review of a purchased application uncovered some serious vulnerabilities one which stored the users password as a SHA1 hash in a properties file. As we all know SHA1 can easily be broken using rainbow tables. Also, there were client settings which could easily be modified by an attacker such as account lockout, timeout, and password failure count. I feel like in general the application world realizes these things are bad practice but in the smartphone and mobile application market there is this different mind set.

The mindset is that the mobile phone is this blackbox or walled-garden (actually had a vendor say that) and that all application data is kind of lost in the phone. When in reality the hacker world has easily available rooting routines for both an iPhone and Android. This means as a white hat hacker we have to rate our vulnerabilities assuming a user/attacker has root access to the smartphone device. At the same rate we as developers have to develop our applications with this in mind as well.

There is no walled-garden, for instance, in general all applications downloaded from the iPhone AppStore are installed as the "mobile" user. This means technically any other application would have access to any other applications stored data at the operating system level. Once the iPhone is rooted or jailbroken, obviously all data is accessible. On the Android applications are installed directly on the device but have access to the smartcard to store application data (as long as the user clicks OK when installing). One example on the Android is the "Touchdown" application. This application is wonderful for those users of Android phones who need calendaring access to their Microsoft Exchange accounts. Touchdown provides the email, notes, and calendaring functionality and stores data on the smartcard. Included in this data is all attachments. So upon initial sync to the system, depending on how many days of data you sync, all attachments will be put directly on that smartcard. The only flexibility here is to set a password at the Android level for the smartcard (which I highly recommend), or to tune down the size of the attachments to sync to be very small (Touchdown setting). I would say in general most users would not understand they are storing their attachments in the clear on their smartcard, and most cases when using the Exchange Account it is a business account. This process should provide a more secure approach and go through a serious application security assessment since a lot of it's users are business level users.

The new generation smartphones have the power and means to perform most anything a typical business user would need a computer or laptop for. They can email, browse the web, create/edit documents, connect remotely to other computers, etc. This means we as users and developers need to treat them with the same respect we would a laptop or anything other computing device that provides a way into our personal or business lives.