Back in my younger days, I used to create apps for platforms like iOS, Android and yes, even BlackBerry. Mostly, this was a hobby to fill a need which was being met by the infant app stores at the time.
My primary concern wasn’t security, proper development technique, or any of the risks catalogued in the OWASP Top 10. It’s safe to say the same holds for many of the people and companies riding the app craze to turn a profit.
While there are many apps in the stores today that do follow these practices, mistakes can happen.
It can be expensive to go back and check the security of an app ecosystem. You have the app for each device platform, the public-facing web server the apps communicate with, and any number of back-end systems supporting the service. Each of these takes different expertise to sniff out and eradicate vulnerabilities and to reduce the overall attack surface.
Fortunately for developers with limited security expertise or budgets, there are cost-effective ways to make a start on these problems.
Static code analysis tools are a great way to start on the path towards a more secure code base. Most of them encode the most common coding mistakes as rules and match those rules against the source without running it. The specific lines of problematic code are flagged, together with the class of vulnerability each one may introduce.
A recent report from Fallible, an Android code analysis tool, found that over 16,000 Android apps had hard-coded secrets. Since I am an avid Python fan, another great tool I have used is Bandit from the folks at OpenStack.
These are just two options at the disposal of developers; there are many others that are specific to whichever programming language you prefer to dabble in.
One important thing to note is that no static code analysis tool is infallible. These tools only look for known patterns of coding mistakes, and a pattern match is not proof of a vulnerability, so they can easily report false positives.
A prime example in the Fallible report is the large number of hard-coded keys that have to be embedded in the app for it to function at all, such as Google API keys. Those are a limited risk (they are meant to ship to clients and can be restricted by app and quota), but other keys, such as AWS secret access keys, grant control of your infrastructure and could allow an attacker to catastrophically bring your entire company offline. The tool cannot tell the two apart for you; triaging the findings is still a human job.
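To make the last two points concrete, here is a miniature version of the hard-coded-secret rule such tools implement, written as an added example for this post; it is not code from Fallible, from Bandit, or from the original article. It walks a Python module's syntax tree, flags string literals assigned to credential-looking names, and then rates each hit so that the Google-key-versus-AWS-key distinction and the obvious false positives (placeholders) are visible in the output. The variable-name regex, the key-shape regexes and the sample source are all constructed for illustration; the sample values are not real credentials.

```python
"""Minimal hard-coded secret scanner built on Python's ast module.

Added example (not the post's, Fallible's or Bandit's code). It mimics one
static analysis rule: find string literals bound to suspicious names, then
rate them so a reviewer can triage the inevitable false positives.
"""
import ast
import re
from dataclasses import dataclass

# Names that usually hold credentials (assumption: a typical rule set).
SUSPICIOUS_NAME = re.compile(
    r"(secret|passw(or)?d|token|api_?key|private_?key)", re.IGNORECASE
)
# Value shapes that identify the credential type regardless of variable name.
AWS_ACCESS_KEY_ID = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
GOOGLE_API_KEY = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")
# Values that are almost certainly not live secrets (constructed list).
PLACEHOLDER = re.compile(r"^(|changeme|password|todo|xxx+|<.*>)$", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    name: str
    severity: str  # "high", "medium" or "info" (info = probable false positive)
    reason: str


def _assigned_names(node):
    """Yield the plain names an assignment binds, e.g. `x = ...` or `self.x = ...`."""
    for target in node.targets:
        if isinstance(target, ast.Name):
            yield target.id
        elif isinstance(target, ast.Attribute):
            yield target.attr


def rate(name, value):
    """Rate a hard-coded string, or return None if it does not look like a secret."""
    if AWS_ACCESS_KEY_ID.match(value) or "aws" in name.lower():
        return "high", "AWS credential: grants API access to the account"
    if GOOGLE_API_KEY.match(value):
        return "medium", "Google API key: ships to clients by design, restrict it by app and quota"
    if not SUSPICIOUS_NAME.search(name):
        return None
    if PLACEHOLDER.match(value):
        return "info", "placeholder value; likely a false positive"
    return "high", "credential literal in source"


def scan_source(source, filename="<string>"):
    """Return a Finding for every suspicious string-literal assignment in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for name in _assigned_names(node):
            rated = rate(name, value.value)
            if rated:
                findings.append(Finding(node.lineno, name, *rated))
    return findings


# Constructed sample module; none of these values are real credentials.
SAMPLE = '''\
GOOGLE_MAPS_KEY = "AIzaSyDabcdefghijklmnopqrstuvwxyz012345"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
PASSWORD_PLACEHOLDER = "changeme"
release_tag = "v1.2.3"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.name} [{f.severity}] {f.reason}")
```

Run against the sample, the Google key comes back as medium, the AWS key ID and the database password as high, the placeholder as info, and the release tag is ignored. A real scanner has many more patterns, but the shape is the same, which is exactly why it both finds things you missed and flags things that are fine. Bandit ships a comparable hard-coded-password check for Python; `bandit -r <project>` runs it along with the rest of its tests.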
On the flip side, developers shouldn’t let their guard down when no results are found. A clean scan only means none of the tool’s known patterns matched; code is complex, and misconfiguration or a vulnerable third-party dependency can be just as critical as an exposed secret key.
The key takeaway is to use the tools available to find any defect you can – for even if you don’t, your adversaries will.