Among the radical changes of recent years is the impact of mobile devices on modern society. Quickly becoming everyone's first screen for information, mobile apps are even being used by the technology-resistant senior population, who have found convenient use in large-print apps and the ability to maintain closer contact with grandchildren. We have seen such a great shift in the past five years that even the shortest elevator ride has people pulling out their phones to manage their lives. This poses opportunities, as well as challenges, for businesses trying to stay ahead of the pack.
Big business has been the first mover with custom mobile apps that segment services to their simplest form. With a few clicks on an iPhone, anyone can re-order medication, purchase movie tickets, or find their way using GPS technology. To the small businessman, mobile apps are still something to put off developing because they add to the development budget, so they resort to mobile-friendly sites that require only one build. This means developing web apps with a width of less than 960 px and reducing the number of pages that display on mobile devices. A true mobile app requires additional development dollars, but it is native to the mobile device and can even use geolocation sensors and maps.
There are also more challenges involved with mobile apps because, just as web applications must function in multiple browsers, mobile apps must also function on multiple mobile platforms (iPhone, Android, etc.), adding to the burden and cost of development. For all the trouble, most small businesses throw in the towel and apply their efforts to things they understand.
Developers should be paying attention because they can use their existing development team without the need to find or create mobile specialists. It also makes it possible to incorporate sensors, like geolocation and cameras, that are native to the mobile environment.
Small business will love this because it simplifies their development strategy and gives them wider access to their customers. It makes mobile development affordable for everyone and could very well equalize the playing field between big and small business. For this reason, we are paying close attention to PhoneGap and hope to add it to our list of services very soon.
You are probably using several software applications that talk to each other. Whether you have a custom web application or a prepackaged financial solution, getting applications and services to communicate requires skill, technique, and knowledge to protect your information. So, what happens when your web service is not secure? What information could you be leaking, and how could you be vulnerable?
- Privacy refers to ensuring that messages are not visible to anyone except the web service and the web service consumer. Traffic should be encrypted so that machines in the middle cannot read the messages.
- Message integrity provides a guarantee that the message received has not been tampered with during transmission.
- Authentication provides assurance that the message originates from where it claims to. Non-repudiation, both a legal term and a technical one, refers to not only authenticating a message but proving the origin of that message to other parties.
- Authorization refers to ensuring that only consumers who should have access to a resource of your web service actually have access to that resource. Authorization requires authentication because without authentication an attacker could pretend to be a highly privileged user.
Building a web service or API (application programming interface) requires a methodology for exchanging secure information, and there are two popular solutions: SOAP and REST.
Simple Object Access Protocol (SOAP) is a popular protocol specification. It is a complicated specification, and some developers, though well-meaning, leave security vulnerabilities. One example is SOAP injection. What is SOAP injection? It occurs when the server attempts to parse the XML message from a client. If the XML message is malformed, meaning that it does not follow the rules the server expects it to follow, the server may return an error message that actually exposes code and gives insight into the underlying system. Developers can turn off this behavior; however, this is often forgotten before a deployment.
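The error-leak behaviour described above, shown as an added example (not code from the original post): a leaky SOAP handler that echoes the XML parser's own error text back to the client, beside a hardened handler that logs the detail server-side and returns only a fixed, generic SOAP Fault. The envelopes, the `GetOrder` operation and the handler names are constructed for illustration.

```python
import logging
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
log = logging.getLogger("soap")

# Constructed sample messages: a well-formed SOAP 1.1 envelope and a malformed
# one (the <soap:Body> element is never closed). Not captured traffic.
GOOD_ENVELOPE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    "<soap:Body><GetOrder><OrderId>42</OrderId></GetOrder></soap:Body>"
    "</soap:Envelope>"
)
MALFORMED_ENVELOPE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    "<soap:Body><GetOrder><OrderId>42</OrderId></GetOrder>"
    "</soap:Envelope>"
)

def client_fault() -> tuple[int, str]:
    """Generic SOAP Fault: no parser text, no line/column, no stack trace."""
    return 400, (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
        "<faultcode>soap:Client</faultcode>"
        "<faultstring>Malformed request</faultstring>"
        "</soap:Fault></soap:Body></soap:Envelope>"
    )

def handle_leaky(body: str) -> tuple[int, str]:
    """The behaviour the text warns about: the parser's error (which names the
    failing tag and its line/column) is sent straight back to the caller."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return 500, f"Internal error: {exc!r}"   # leaks parser internals
    order_id = root.find(f"{{{SOAP_NS}}}Body/GetOrder/OrderId").text
    return 200, f"<OrderId>{order_id}</OrderId>"

def handle_hardened(body: str) -> tuple[int, str]:
    """Hardened handler: detail goes to the server log only; the client gets
    the same generic fault whether the XML is malformed or merely unexpected."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        log.warning("rejected malformed SOAP request: %s", exc)  # server-side only
        return client_fault()
    order = root.find(f"{{{SOAP_NS}}}Body/GetOrder/OrderId")
    if order is None or not (order.text or "").isdigit():
        return client_fault()
    return 200, f"<OrderId>{order.text}</OrderId>"
```

Whatever framework the real service uses, the check before deployment is the same: send a deliberately broken envelope to the staging endpoint and confirm the response body contains nothing beyond the generic fault.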
REST (Representational State Transfer) is an architectural style for distributed systems; the World Wide Web is one such distributed system. REST has become a popular architectural choice for designing web services, and such web services are referred to as RESTful web services. An advantage of using REST is that its security vulnerabilities are well known, as they are the same vulnerabilities that affect websites. This means that developers who are familiar with website security will be able to leverage their knowledge to secure RESTful web services.
Developers working with either of these technologies must be concerned with the four security points above. No methodology or architectural choice by itself ensures that your information is well protected. It is important that your consultants explain the architecture they plan to use and how their implementation plan accounts for each of these security concerns. If your developer does not have a detailed answer, it is a red flag.