Mobile App Security – Application Security’s “Where’s Waldo”

As I have discussed in previous posts and at conferences like OWASP AppSecUSA, while the number of attacks continues to increase, the attack techniques aren’t new at all. They are the same old attacks, like SQL Injection, showing up in new places, including mobile application services and AJAX applications. Because these newer technologies have exploded in popularity and become mainstream, we keep seeing the same old vulnerabilities popping up in new places. I always say it’s like Where’s Waldo: we simply need to understand the new landscape and start looking for Waldo again.


Over the last several years, there has been a major evolution in how applications are built, with new underlying technologies, application architectures and data formats, but have application scanners evolved with them? These new technologies have grown at such a fast rate that we haven’t been able to keep up at either end. On one end, developers aren’t able to build these new applications securely because they are up against deadlines from the business while delivering on new technologies. On the other end, web application scanners were architected in the golden days of web application security, when almost all web applications were static and relatively simple HTML pages. While scanners have never covered, and will never cover, every type of web application, our belief is that they can and should cover as much as possible. Unfortunately, most application security scanners haven’t kept pace with the changing applications.


Over the next few weeks, I’ll be posting a series on these technologies and how developers, security professionals and application scanning vendors can help to close the coverage gap detailed above to improve both the efficiency (reduce manual efforts) and effectiveness (find more vulnerabilities) of security efforts.

By the way, a new beta version of our NTOSpider product is currently available. We believe it’s the only scanner that truly begins to address these newer technologies and formats like AMF, JSON and REST. But feel free to check it out for yourself. We welcome input and feedback.

In this series of posts, I’ll detail the technologies used in modern applications and demonstrate why they create challenges for modern web scanners. In addition, I’ll give you pointers on how you can determine if your application security scanners are effectively scanning and attacking these newer technologies.

We will discuss the following kinds of applications and technologies:

1. RIA & HTML5

  • AJAX applications: JSON (jQuery), REST, GWT (Google Web Toolkit)
  • Flash remoting: AMF
  • HTML5 applications (addressed in a subsequent paper)

2. Mobile

  • Backends powered by JSON, REST and other custom formats

3. Web services

  • JSON, REST
  • XML-RPC, SOAP (addressed in a subsequent paper)

4. Challenging application workflows

  • Sequences: shopping cart and other strict processes
  • XSRF/CSRF tokens

If you would like to read the full whitepaper on this topic, you can download it here.

About Dan Kuykendall

Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team. Connect with Dan on Google+

2 thoughts on “Mobile App Security – Application Security’s “Where’s Waldo””

  1. Mobile hacker
    February 19, 2013 at 1:56 pm

    Saying mobile is just like a web app is not accurate. Yes, there are a lot of similar problems you see in web apps (server side JSON, REST, etc.). However, mobile application security is probably more like client/server app security than web security. A lot more client side code is present on mobile apps, which introduces more types of security problems.

    1. February 19, 2013 at 3:14 pm

      You are correct, that it is more like client server app security, but the main point is that the basic sort of attacks such as SQL injection can still work once inserted into the (JSON, REST, etc) request and sent to the web server over HTTP. What happens with the request once it gets to the web server is very much like what happens when normal web traffic arrives. The inputs are parsed and used… often without the proper security scrubbing that is needed.
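The point made in the reply above, that a classic SQL injection string still works once it arrives inside a JSON/REST request and the server parses and uses the value without proper handling, is easy to show end to end. The following is an added example written for this page, not code from the post or from NTOSpider: a tiny mobile-style backend handler with an in-memory SQLite table (the table, the request bodies and the function names are all constructed for the example), first in the form that concatenates the parsed JSON field into SQL, then with a bound parameter, so the two behaviours can be compared on the same input.

```python
import json
import sqlite3


def make_db():
    """Constructed sample data: a small users table standing in for the
    database behind a mobile/REST backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn, body):
    """The 'no scrubbing' case from the reply: the JSON field is parsed and
    concatenated straight into the SQL text, so the value can become SQL syntax.
    The transport (JSON over HTTP) changed nothing about the underlying flaw."""
    data = json.loads(body)
    sql = "SELECT username FROM users WHERE username = '" + data["username"] + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, body):
    """Same handler with a bound parameter. The driver passes the value
    separately from the query, so it can only ever be compared as data."""
    data = json.loads(body)
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (data["username"],)))


# Constructed request bodies: a normal client request and one carrying the
# classic tautology string inside the JSON value rather than a form field.
NORMAL_REQUEST = json.dumps({"username": "alice"})
INJECTED_REQUEST = json.dumps({"username": "x' OR '1'='1"})


def demo():
    """Run both handlers against both requests and return the result rows."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, NORMAL_REQUEST),
        "vuln_injected": lookup_vulnerable(conn, INJECTED_REQUEST),
        "safe_normal": lookup_parameterized(conn, NORMAL_REQUEST),
        "safe_injected": lookup_parameterized(conn, INJECTED_REQUEST),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable handler returns every user for the injected request while the parameterized one returns none, which is the whole difference between the two. For scanner coverage, the detail that matters is where the payload lives: it is in a JSON value in the request body, not in a query-string or form parameter, so a scanner that only fuzzes traditional parameters never sends it and never sees the extra rows.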
