App devs, servers create security woes

Application servers are in the firing line as the technology behind them becomes more complex and more users access apps with mobile devices, security professionals say.

According to Jonathan Andresen, technology evangelist at Blue Coat Systems Asia-Pacific, there are two factors behind the security challenges presented by app servers. First, the two-way communication between the user and the app server has intensified. This can result in users unknowingly "uploading" malicious content to an app server that is not protected, Andresen said in an email.

Second, app servers need more CPU power than web servers, and he noted that this makes app servers more vulnerable to denial-of-service (DoS) attacks.

According to Andresen, these combined with a rise in threats targeting mobile devices put app servers in an "especially challenging" position.

Paul Oliveria, technical marketing researcher at Trend Micro, said many apps today are essentially "mini browsers".

"These [app] servers are vulnerable to all the usual attacks that traditional web servers are vulnerable to, and in fact, probably more so."

He pointed out that "almost anyone" can now develop an application and sell it. In the case of Google Android apps, interested developers can simply submit an application form, pay US$25 and start developing apps.

Considering the small investment required to build an app, he questioned whether these developers would be committed to beefing up app server security.

To combat potential threats to app servers, Oliveria said competent and reputable developers would expect users to behave in unpredictable ways and would code apps to restrict the type of information users can send to the app server.

He also called on developers to pay attention to securing their server-side infrastructure, which can be accessed not only via an app but also through a web browser or direct network connection.

Paul Ducklin, head of technology at Sophos Asia-Pacific, added that less is more with regard to the amount of information users should be allowed to access via app servers.

He noted that a traditional web server is set up to help a company get as many people as possible to visit its corporate website and learn about its operations, but the web administrator will only put up information that the company wants the public to see.

App servers, however, often give public access to information that is traditionally not made available to users outside the company, Ducklin noted.

"So developers need to ensure that when they make it easier for users to access the app servers [for more information], they don't open up too much or they may experience their personal 'Wikileaks moment'," he said.
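Oliveria's two points (validate what the client sends, and assume the server is reachable without the app) and Ducklin's "less is more" point above come together in one place: the request handler on the app server. The following is an added example written for this page, not code from ZDNet Asia or from any of the vendors quoted. It models a hypothetical "customer lookup" endpoint that a mobile app calls with a JSON body; the record store, the field names and the `c-NNNN` identifier format are all constructed for illustration. The handler never relies on the app having checked anything, because the same bytes can arrive from a browser or a raw socket, and it sends back only an allowlisted projection of the record so that internal fields cannot leak however the request is shaped.

```python
"""Server-side validation and response minimisation for a hypothetical
customer-lookup endpoint.  Example code; nothing here is from the article."""
import json
import re

# Constructed sample data standing in for the back-end record store.  It
# deliberately contains fields the public must never see.
RECORDS = {
    "c-1001": {"id": "c-1001", "name": "Ada Example", "tier": "gold",
               "ssn": "123-45-6789", "internal_notes": "late payer"},
}

# "Less is more": the set of fields that may ever leave the server.
ALLOWED_FIELDS = {"id", "name", "tier"}
# Positive shape check for the identifier, not a blocklist of bad characters.
CUSTOMER_ID_RE = re.compile(r"^c-\d{1,8}$")
MAX_BODY_BYTES = 1024  # arbitrary illustrative limit


class BadRequest(ValueError):
    """Raised for any request that does not match the expected shape."""


def parse_request(raw):
    """Validate the raw body from the client.  Assumes nothing about who sent it."""
    if len(raw) > MAX_BODY_BYTES:
        raise BadRequest("body too large")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise BadRequest("body is not valid JSON")
    if not isinstance(body, dict):
        raise BadRequest("body must be a JSON object")
    unexpected = set(body) - {"customer_id", "fields"}
    if unexpected:
        raise BadRequest("unexpected keys: %s" % sorted(unexpected))
    cid = body.get("customer_id")
    if not isinstance(cid, str) or not CUSTOMER_ID_RE.match(cid):
        raise BadRequest("customer_id has wrong shape")
    fields = body.get("fields", sorted(ALLOWED_FIELDS))
    if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
        raise BadRequest("fields must be a list of strings")
    disallowed = set(fields) - ALLOWED_FIELDS
    if disallowed:
        # Asking for an internal field is rejected outright rather than
        # silently dropped, so probing shows up in the 400 logs.
        raise BadRequest("fields not exposed: %s" % sorted(disallowed))
    return {"customer_id": cid, "fields": fields}


def project(record, fields):
    """Allowlist projection: only named, permitted fields are copied out."""
    return {f: record[f] for f in fields if f in ALLOWED_FIELDS and f in record}


def handle(raw):
    """Return (status_code, response_body) for one raw request body."""
    try:
        req = parse_request(raw)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    record = RECORDS.get(req["customer_id"])
    if record is None:
        return 404, {"error": "not found"}
    return 200, project(record, req["fields"])


if __name__ == "__main__":
    # Constructed requests: a legitimate app call, a browser user asking for
    # an internal field, and a hand-crafted body that is not an identifier.
    for body in (b'{"customer_id": "c-1001"}',
                 b'{"customer_id": "c-1001", "fields": ["ssn"]}',
                 b'{"customer_id": "c-1001 OR 1=1"}'):
        print(body, "->", handle(body))
```

The point of `project` is that the response shape is fixed by the server, not by whatever the client asked for; adding a new column to `RECORDS` cannot expose it until someone adds it to `ALLOWED_FIELDS` as well. The same logic belongs behind every path to the data, whether the caller is the app, a browser or a direct connection.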

Andresen recommended deploying purpose-built security appliances such as application firewalls as a best practice to secure app servers. He explained that adding another layer in front of the application server would ensure security is not compromised, regardless of whether coding for the application is secure or not.

He also zoomed in on social networking apps, noting that with over 30 billion pieces of content such as web links, blog posts and photos shared on these platforms each month, it is "extremely difficult for application vendors to detect malicious content uploaded by users".

In this landscape, it would not be viable for mobile users to deploy a complete PC-centric security tool on devices that have limited processing abilities, Andresen added.

"What users need is a lightweight browsing capability that can leverage the processing capabilities of a user-driven cloud network [to filter, validate and secure web content delivered to mobile devices]," he said.

Via ZDNet Asia