Last week I pushed some updates to the mobile application assessment scripts we released with my Smart Phones Dumb Apps presentation a while back. These scripts do some light static analysis on Android and (unencrypted) iOS binaries – mainly setting up a list of things to manually examine during a more thorough analysis. Most of these updates are courtesy of Abraham Aranguren ([name] . [surname] @owasp.org, @7a_ on Twitter), who updated a couple of the packaged external tools those scripts rely on, such as FindBugs and dex2jar (thanks!). You can also check out a great blog post Abraham put up listing a number of really valuable Android application security resources.
Mobile application security continues to be an area organizations struggle with. Everyone feels huge schedule pressures to get new applications and new functionality released. Developers dive into development projects without understanding how to design and build secure mobile applications. The result is pretty predictable – vulnerable mobile apps and, even scarier in most cases, vulnerable web services supporting those mobile apps.
Keep an eye on this space – at Denim Group we’ve been doing a lot of work both assessing the security of mobile applications and helping firms design and build secure mobile apps. In the next couple of months we’re looking at making more of what we’ve been doing publicly available, and hopefully organizations will be able to use that to step up their mobile security skills.
dan _at_ denimgroup.com