Common Sense Mobile Application Security
A recent survey of mobile applications showed a whopping 78% of them store the user's username in plain text, and more than 10% store the associated password in plain text as well. Unfortunately there appear to be few, if any, standards governing how mobile applications handle sensitive data such as usernames and passwords. This is an issue that doesn't just affect users personally; it can be a critical security flaw at the corporate level, as companies too dole out unsecured smartphones.
So what are the risks?
The iPhone and BlackBerry are typically known to be more secure (sorry Android lovers), but that security is undermined by users who don't take advantage of it (for example, a user who doesn't set a lock code on the phone and then has it stolen or hacked).
Some easy mitigation steps:
1) Always use a password to protect your phone. While phones are starting to allow longer or more expressive password combinations, the minimum is typically four digits (which was hacked in 18 minutes at Black Hat last week). On the plus side, most phones will lock after "X" number of tries by default, so an attacker can't simply brute-force the code.
2) Always lock the phone when not in use and set the phone to auto-lock after “X” number of minutes.
3) Use a separate username and password for any CRITICAL mobile application that you access via your phone. Many smartphones now also support locking folders and individual applications. Eventually a Single Sign-On method that makes sense will apply to smartphones, but for now, play it safe.
4) Set up remote wipe, or set a threshold of incorrect access attempts after which the phone wipes itself. This way you may just save yourself from a yet-to-be-created app that can bypass current smartphone security.
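To make the lock, lockout and wipe behaviour in steps 1, 2 and 4 concrete, here is an added example (not code from the original post, and not any phone vendor's implementation): a small Python model of a device lock policy. It is a hypothetical illustration: the `LockPolicy` thresholds, the `Device` class and the cooldown formula are all constructed here. It stores only a salted PBKDF2 hash of the PIN rather than the PIN itself (the plain-text storage problem the survey describes), refuses attempts during a cooldown once a few guesses fail, auto-locks after idle time, and wipes after a hard failure threshold.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class LockPolicy:
    """Hypothetical lock policy (constructed values, not a vendor default)."""
    max_attempts_before_lock: int = 5   # temporary lockout after this many failures
    wipe_after_attempts: int = 10       # wipe the device after this many failures
    auto_lock_after_seconds: int = 300  # idle time before the device re-locks itself


class Device:
    """Toy model of a phone's lock screen; times are plain seconds passed in by the caller."""

    def __init__(self, pin: str, policy: LockPolicy) -> None:
        self.policy = policy
        # Never store the PIN: keep a random salt and a slow, salted hash of it.
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash(pin)
        self.failed_attempts = 0
        self.lockout_until = 0.0
        self.locked = True
        self.wiped = False
        self.last_activity = 0.0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def unlock(self, pin: str, now: float) -> str:
        """Attempt to unlock; returns 'unlocked', 'denied', 'locked_out' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.lockout_until:
            # During cooldown no guesses are evaluated, so they cannot be counted down either.
            return "locked_out"
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failed_attempts = 0
            self.locked = False
            self.last_activity = now
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.wipe_after_attempts:
            self.wipe()
            return "wiped"
        if self.failed_attempts >= self.policy.max_attempts_before_lock:
            # Cooldown grows with the failure count: 60 s per failed attempt (constructed rule).
            self.lockout_until = now + 60 * self.failed_attempts
            return "locked_out"
        return "denied"

    def touch(self, now: float) -> None:
        """Record user activity so the idle timer restarts."""
        if not self.locked:
            self.last_activity = now

    def is_locked(self, now: float) -> bool:
        """Auto-lock once the device has sat idle past the policy threshold."""
        if not self.locked and now - self.last_activity >= self.policy.auto_lock_after_seconds:
            self.locked = True
        return self.locked

    def wipe(self) -> None:
        """Remote or threshold-triggered wipe: discard the credential and lock for good."""
        self.pin_hash = b""
        self.wiped = True
        self.locked = True


if __name__ == "__main__":
    d = Device("1234", LockPolicy(max_attempts_before_lock=3, wipe_after_attempts=5))
    for guess, t in (("0000", 0), ("0001", 1), ("0002", 2), ("1234", 10), ("1234", 200)):
        print(t, guess, d.unlock(guess, t))
```

Note that a correct PIN entered during the cooldown is still refused; the point of the cooldown is that nothing is evaluated until it expires, which is what turns a 10,000-combination PIN space from an 18-minute job into an impractical one. In this model the wipe threshold is tracked across cooldowns, so a persistent guesser eventually triggers the wipe from step 4.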
This may seem like common-sense security to most, but if you aren't on the INFOSEC side of the house you probably haven't given it much thought.