A study of banking apps for iOS and Android found poor source code protection, cleartext storage of sensitive data, and other serious flaws that make it easy for attackers to break into accounts.
A study of banking apps for iOS and Android has led researchers to conclude that “none of the tested mobile banking applications has an acceptable level of security.”
Performed by IT security vendor Positive Technologies, the study tested 14 banking apps available on both iOS and Android that had more than 500,000 downloads each. Despite the small sample size, there are reasons to pay attention to the results.
Every single app contained vulnerabilities, and three were common to all of them: a lack of code obfuscation, no protection against code injection and repackaging, and compiled code that retained the original names of classes and methods, which makes reverse engineering the app considerably easier.
In short, use your bank’s mobile app at your own risk.
Luckily for iOS users, none of the flaws discovered in the iOS versions of the apps surveyed was worse than a “medium” risk; by comparison, 29% of the Android banking apps contained high-risk flaws.
The vulnerabilities uncovered in the study put individual users and business clients directly in harm’s way, and in many cases an attacker doesn’t even need access to the server side of a banking app to do damage.
Client-side apps are those installed on personal devices, and they account for 46% of the issues discovered. Of those issues, 76% can be exploited without the attacker having physical access to the target device; the attacker only needs to phish the target or otherwise get them to click a malicious link or run a harmful script.
Of the vulnerabilities on the client side, three stand out as being particularly widespread: 13 of 14 apps allow unauthorized access to user data, 13 of 14 are vulnerable to man-in-the-middle attacks, and 11 of 14 apps allow unauthorized access to the application itself.
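Two of the client-side findings above, transmission of data in cleartext and susceptibility to man-in-the-middle attacks, are the kind of thing an Android app can rule out in its network security configuration before a single line of networking code is written. The script below is an added example, not code from the report or from the article, and the report does not say that misconfigured network security configs were the cause of the flaws it found; it is one static check a reviewer would run against an app’s network_security_config.xml. Both sample configs and the hostname api.examplebank.test are constructed for illustration, and the pins in the hardened config are placeholders rather than real SPKI hashes.

```python
"""Audit an Android network_security_config.xml for settings that expose
app traffic to interception: cleartext (http://) traffic, trust in
user-installed CA certificates (how an intercepting proxy usually gets
its certificate accepted), and banking domains with no certificate pins.

Added example; the configs below are constructed, not taken from any real app.
Assumes targetSdkVersion >= 28, where the platform default is cleartext off
and system CAs only.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed weak configuration: cleartext allowed, user CAs trusted, no pins.
WEAK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.examplebank.test</domain>
    </domain-config>
</network-security-config>
"""

# Constructed hardened configuration for the same app.
HARDENED_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.examplebank.test</domain>
        <pin-set expiration="2030-01-01">
            <!-- placeholder pins, not real SPKI hashes -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _permits_cleartext(elem: ET.Element) -> bool:
    return elem.get("cleartextTrafficPermitted", "false").lower() == "true"


def _trusts_user_cas(elem: ET.Element) -> bool:
    return any(c.get("src") == "user" for c in elem.iter("certificates"))


def audit_network_security_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means these checks all pass."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    base = root.find("base-config")
    base_cleartext = _permits_cleartext(base) if base is not None else False
    base_user_ca = _trusts_user_cas(base) if base is not None else False
    if base_cleartext:
        findings.append("base-config permits cleartext (http://) traffic")
    if base_user_ca:
        findings.append("base-config trusts user-installed CA certificates")

    for dc in root.findall("domain-config"):
        domains = [d.text.strip() for d in dc.findall("domain") if d.text]
        label = ", ".join(domains) or "<no domain>"
        # A domain-config inherits cleartext and trust-anchor settings from
        # base-config unless it overrides them, so evaluate the effective value.
        cleartext = (_permits_cleartext(dc)
                     if "cleartextTrafficPermitted" in dc.attrib else base_cleartext)
        user_ca = (_trusts_user_cas(dc)
                   if dc.find("trust-anchors") is not None else base_user_ca)
        if cleartext:
            findings.append(f"domain-config for {label} permits cleartext traffic")
        if user_ca:
            findings.append(f"domain-config for {label} trusts user-installed CAs")
        pin_set = dc.find("pin-set")
        pins = pin_set.findall("pin") if pin_set is not None else []
        if pin_set is None:
            findings.append(f"domain-config for {label} has no pin-set (no certificate pinning)")
        elif not pins:
            findings.append(f"domain-config for {label} has an empty pin-set")
        elif len(pins) < 2:
            findings.append(f"domain-config for {label} pins a single key (no backup pin)")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_network_security_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The inheritance step matters in practice: the weak config’s domain-config looks innocuous on its own, but because it sets neither cleartextTrafficPermitted nor its own trust-anchors, it inherits both cleartext and user-CA trust from base-config. A pin-set is only honoured on Android 7.0 (API 24) and later, and a pinned app still needs a backup pin so a key rotation does not lock users out, which is why a single pin is flagged.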
Things aren’t much better on the server side, where more than half of the apps contain a high-risk vulnerability.
The top problems on the server side of mobile banking come in the form of insufficient authentication, brute force vulnerability, and application identification failure, all of which can be used to impersonate a user to steal data and illegally transfer funds.
What can be learned from poor mobile banking security
If there’s one bright spot in the study, it’s that (at least on the client side) only 37% of the vulnerabilities can be exploited without the device being jailbroken or rooted.
There’s no reliable way to measure how many iOS or Android devices have been jailbroken or rooted, but estimates put the figure at under 1% of iPhones and around 7.6% of Android devices, at least as of a few years ago (newer statistics are hard to find).
The report recommends that mobile banking users avoid rooting or jailbreaking their devices, never install applications from unofficial sources, not click links sent by strangers, and always keep devices and applications up to date.
“In 87% of cases, user interaction is required for a vulnerability to be exploited,” the report said.
“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL [Secure software development lifecycle] practices and ensuring security at all stages of the application lifecycle,” said Positive Technologies analyst Olga Zinenko.
That lesson extends to any business with an app that deals in sensitive data: Develop securely from the beginning, review old code to make sure it’s not vulnerable, and thoroughly test apps before releasing them to the public.