Locking Down Wireless

Securing Holes in Wireless Applications Through Development Practices

Organizations are feeling the heat regarding application security. Gone are the days when security breaches could be pushed aside or dealt with behind closed doors. Since the beginning of 2005, several security breaches have made front-page news. While it is unclear how many can be blamed on insecure technology, it is obvious that security is quickly becoming an area of great concern.

Mobile computing is another industry that shows no sign of slowing down. Enterprise deployments of notebook PCs, tablet PCs, and PDAs continue to grow by leaps and bounds. Gartner predicts that by 2010, 80 percent of key business processes will entail the exchange of real-time information involving mobile workers. Unlike current security standards for immobile hardware and software, wireless application security has its own set of challenges.

In order to lock down wireless devices and applications, data must be protected while it is on mobile devices, while traveling between devices and the organization, and while it is at the organization. Data stored on mobile devices is more at risk than data stored on servers, simply because of its greater potential to fall into the wrong hands. Without adequate security measures data could be exposed to unauthorized use, potentially disclosing trade secrets, confidential personnel records, and financial information.

Despite recent security breaches, consumers and businesses have attained a certain level of trust regarding online activity and interactions. Businesses must provide valuable, interactive services to their customers in order to compete. Consumers do not hesitate to provide financial information via their banks' Web sites, use Web applications to shop online, book flights via the Web, or access corporate intranets to communicate sensitive, internal information. Similarly, for many consumers, carrying around sensitive personal and business-related data on a wireless device has become a way of life--many simply can't imagine not having the information at their fingertips.

Tackling Security from the Beginning
Protecting customer data and information should be top priority for every organization, but many don't know where to start. The first step is to ensure that the wireless applications used are as secure as possible. Unfortunately, security is not always a priority during the application development lifecycle. Secure application development requires a constant balancing act between functional requirements and business drivers, deadlines and limited resources, and risk and flexibility. Security needs to be incorporated into all phases of the application development lifecycle. Developers must focus on the security risks inherent in the development process and apply security principles specific to the programming languages, operating systems, and technology they use.

Historically, businesses have held third-party software providers responsible for releasing unsafe applications. However, vulnerabilities in custom in-house applications are also common and pose significant risks to sensitive material such as consumers' personal financial information. Developers on both sides must design the appropriate security features--encryption, authentication, auditing--for the level of security required.

Developers should follow a few simple steps when designing wireless applications to greatly reduce security risks. In order to protect information housed on wireless devices, developers should consider requiring users to log in to the wireless application, which would eliminate non-user access to personal and business-related data. Developers should also limit the amount of time a wireless device can remain inactive without requiring users to log in again, or prompt users to reenter passwords at intervals. Developers should also consider limiting the amount of data the application retains in memory in order to reduce the amount of information that could be stolen.

Developers should familiarize themselves with secure coding techniques for the programming language and platform they use. Until recently, many of these techniques were not taught in higher education classes for software developers. Therefore, some software engineers may not know of these techniques and may develop code unaware that they might be creating potential problems. For example, there are standard pieces of the C/C++ programming language that are not secure and should be used with great caution or left out of the process altogether.

Common Vulnerabilities
There are several types of

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.