Mobile Application Security: A Shared Responsibility Model
In a recent livestream with We Hack Purple, I discussed vulnerabilities that impact mobile applications and in one example I introduced the concept of thinking about a shared responsibility model in mobile app security.
In other security domains, security professionals have embraced the concept of a shared responsibility model when thinking about the roles and responsibilities for securing data or services when more than one party is involved in providing that service. The model became well established as more companies moved their applications to cloud-based infrastructure, where they were no longer in complete control of the infrastructure and environment on which their applications, services and data reside. A shared responsibility model became necessary to make clear which party is responsible for which controls in keeping the data under control and the systems intact.
When we think about mobile devices and the applications we develop for those devices, a similar paradigm exists.
Consider an end user accessing sensitive information through a healthcare or banking app developed by a trusted app provider, running on an Android device. Securing the personal data and protecting the integrity of transactions matters to everyone who forms part of that mobile app ecosystem.
| Stakeholder | Security interest |
| --- | --- |
| Consumer / End user | Wants to ensure they do not become a victim of fraud and that their data is not exploited |
| App developer / Publisher | Wants to ensure that transactions are legitimate and that mobile apps and APIs are secure, so that they don't suffer data breaches and their brand and reputation in the market remain in good standing |
| App protection vendor | Wants to protect applications from the reverse engineering and tampering that can lead to targeted attacks against their customers |
| App store / OS / Device manufacturer | Wants to build trust and confidence in the applications and ecosystem to drive adoption of their devices and software |
We’ve established that multiple parties all have a shared interest in making sure the apps they use/provide/support are trusted and secure. Given that, what roles/responsibilities do each of these stakeholders have in ensuring the security of their data or system?
Consumer / End user:
An end user needs to take some responsibility for using their mobile phone in a responsible way. This means only obtaining apps from reputable, trusted app stores, and being aware of the risks of phishing and the various scams that attempt to defraud a user. Other stakeholders can support the user through awareness and education, by communicating clearly what permissions an app requests and why, and by generally keeping them informed of the risks.
App developer/Publisher:
App developers should seek to understand the threat model for their application and services, including the specific risks and potential for fraud that can impact their app users. The risks and threats that are material should be addressed with appropriate mitigating controls to protect users' data, and the security of the application should be assessed regularly.
App protection vendor:
App Protection vendors (such as Guardsquare) employ security researchers and engineers that understand the constantly evolving threat model that impacts mobile applications and develop effective and usable app protections that can be implemented.
App store / OS / Device manufacturer:
The platform (the device, operating system or app store) is a critical part of the shared security model. It is provided by vendors like Apple (iOS) and Google (Android), though in the case of Android it is a distributed ecosystem, with additional roles and responsibilities for device manufacturers. Devices and operating systems need to implement a secure architecture, should be regularly updated to protect against discovered vulnerabilities, and should minimize the potential for abuse of the platform. Apple routinely patches its devices and operating system to protect against zero-day vulnerabilities. We have also recently highlighted examples of how the Android architecture is susceptible to abuse of its accessibility services API; that exposure follows from a design decision Google made, and it can affect the security of users and applications across the Android ecosystem. The app store also needs to implement controls to ensure the quality and legitimacy of the apps that are published, and we have seen Google and Apple make significant progress in addressing the presence of malicious apps in their respective app stores.
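The accessibility services exposure mentioned above is one place where an app developer can add a mitigating control of their own rather than relying on the platform alone. The Kotlin below is an added example written for this page, not code from the original post or from Guardsquare's products. It lists the accessibility services currently enabled on the device and flags any whose package is not on an allow-list, so the app can treat that as a risk signal before showing a sensitive screen; it also applies the platform hardening that is available regardless of the check. The allow-list contents (here only TalkBack) are an illustrative assumption that a real app would replace with its own policy.

```kotlin
// Added example for this page (not the original post's code). Assumes a normal
// Android app with access to an Activity; the allow-list below is a placeholder.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

/** Outcome of the check: every enabled service, and those not on the allow-list. */
data class AccessibilityCheck(
    val enabledPackages: List<String>,
    val unexpected: List<String>
) {
    val suspicious: Boolean get() = unexpected.isNotEmpty()
}

object AccessibilityAbuseGuard {
    // Illustrative assumption: treat the platform screen reader as trusted.
    // A real app would own and maintain this list.
    private val ALLOWED_PACKAGES = setOf("com.google.android.marvin.talkback")

    /**
     * Enumerates enabled accessibility services through AccessibilityManager and
     * returns those whose package is not allow-listed. This is a signal, not proof:
     * a user may legitimately rely on an assistive service the list does not know.
     */
    fun check(context: Context): AccessibilityCheck {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        val packages = enabled.mapNotNull { it.resolveInfo?.serviceInfo?.packageName }
        val unexpected = packages.filter { it !in ALLOWED_PACKAGES }
        return AccessibilityCheck(packages, unexpected)
    }

    /**
     * Hardening applied unconditionally to a sensitive screen:
     *  - FLAG_SECURE blocks screenshots and screen recording of the window;
     *  - on Android 14+ (API 34) the view is marked accessibility-data-sensitive,
     *    so services that do not declare themselves accessibility tools cannot
     *    read its content or act on it.
     */
    fun hardenSensitiveView(activity: Activity, sensitiveView: View) {
        activity.window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            sensitiveView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
        }
    }
}

// Typical use before rendering a payment confirmation screen (illustrative):
//
//   AccessibilityAbuseGuard.hardenSensitiveView(this, amountField)
//   val result = AccessibilityAbuseGuard.check(this)
//   if (result.suspicious) {
//       // e.g. warn the user, require a second factor, or log the signal server-side
//   }
```

Two caveats a practitioner should keep in mind. First, the check runs on the very device an attacker may already control, so its result is one input to a risk decision (ideally corroborated server-side), never a security boundary on its own. Second, blocking outright whenever an unknown service is enabled will lock out users who depend on assistive technology; warning, stepping up authentication, or rate-limiting high-value actions is usually the better response.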
What does shared responsibility mean in practice?
The security of our mobile app ecosystem relies on a shared responsibility.
- Security and trust cannot be achieved if the underlying app store and ecosystem are not secured
- Mobile operating systems and devices need regular updates and evolution to address weaknesses and to prevent abuse
- App developers need to look at residual risk and ask what practices, tools and architecture they can implement to reduce that risk for their industry, including the use of mobile app protection and regular security testing to harden their application against weaknesses and vulnerabilities
- App Protection or Security vendors should continue to push forward reliable tools that can help app developers meet their security goals in proven, reliable ways, without requiring them to invent proprietary, non-standard approaches
- Lastly, end users will be targeted, even if all other parts of the system are working, so as security professionals we all play a role in educating consumers
As a contributor to the shared security model, Guardsquare is committed to delivering the strongest mobile app protection, free mobile app testing, and informative research to help contribute to a safer mobile app ecosystem.
To learn more about how Guardsquare can help you identify and protect against reverse engineering and tampering, connect with one of our experts now!