Sunday 10 February 2013

Mobile app security: Always keep the back door locked

http://arstechnica.com/security/2013/02/mobile-app-security-always-keep-the-back-door-locked/

In the client-server era, the processing power of the PC and the increasing speed of networks let desktop applications plug into backend middleware and corporate data sources. Poorly designed applications were vulnerable to viruses and attacks, and sensitive data was exposed.

Today the mobile app is king. The processing power of smartphones and mobile devices, the Android and iOS mobile operating systems, and the speed of broadband and cellular networks let mobile applications plug into the same backend middleware and corporate data sources. The difference is that the vulnerable applications of the client-server era ran on the LAN or the corporate WAN, while mobile apps run on networks that access services across the public Internet. Mobile applications are therefore potentially huge security vulnerabilities if they are not architected and designed properly and configured with proper security and access controls.

Tools such as PhoneGap and Appcelerator Titanium, and the platform development tools for the mobile platforms themselves, resemble in many ways the integrated development tools of the client-server era. Developers and small development teams build new mobile apps, with Web services and backend systems launched on Amazon, at high speed and without considering security up front, which leaves a potential for exploitation. What attention is paid to security goes to the device itself, while the backend connection is left vulnerable.

Montreal-based SkyTech Communications suffered a public embarrassment when a computer science student at a vocational college ran a freely downloaded security scanner against SkyTech's mobile app, which students use to access records and register for classes, and found major security flaws in the application that could be used to gain access to students' personal information.

It is not only small developers whose mobile app backends have problems. General Motors' OnStar Web API was never meant to be a public API, but an enterprising Chevy Volt owner reverse engineered the mobile application's API for retrieving vehicle statistics from OnStar's data centers. His own use was personal rather than malicious, but he then built a website for other drivers to do the same, which potentially exposed personal data and OnStar account logins in violation of GM's privacy rules. The site now runs on a new, more secure API.

Keep the client dumb. FatFractal, a backend-as-a-service provider, says issues of security and access control must be addressed early on, not added on after the fact as an afterthought. One of the key elements of security design for mobile applications is making sure that the client, whether the phone app itself or a browser app, does very little processing; the general best practice is that code on the device does as little as possible. Danny Boice, co-founder and CTO of Speek, a cloud-based conference call service with native mobile clients and Web browser access, whose mobile development experience includes the SAT testing company The College Board, says to control what the application sends and receives. The backend should serve only legitimate users of the application through strong access controls, session management, and well-defined interfaces that limit what data can be accessed; traffic filtering in a centralized, secure location; peer access to the data center over a VPN; locks on authentication; and encryption of everything sent over the wire.
