App servers potential threat to mobile landscape

Compared with Web servers, systems used to run mobile apps require more compute power and give users more access to previously off-limits data, notes a security expert, who warns that these developments open up more security vulnerabilities.
Written by Kevin Kwang, Contributor

While both Web and app servers face pressing security issues, the latter is increasingly in the firing line as more users are now utilizing mobile devices to access apps. The risk is further exacerbated due to the fact that technologies behind app servers are more complex, cautioned a security executive.

According to Jonathan Andresen, technology evangelist at Blue Coat Systems Asia-Pacific, there are two factors behind the security challenges presented by app servers. First, the two-way communication between the user and the app server has intensified. This can result in users unknowingly "uploading" malicious content to an app server that is not protected, Andresen said in an e-mail.

Second, compared with Web servers, app servers need more CPU power, he said, noting that this makes app servers more vulnerable to denial-of-service (DoS) attacks.

These two factors, combined with a rise in threats targeting mobile devices, put app servers in an "especially challenging" position, he said.

Another security player agreed with Andresen's observation.

Paul Oliveria, technical marketing researcher at Trend Micro, noted that many apps today are essentially "mini browsers", in that they gather user input, send it to a server and display the results for users to view.

Oliveria explained: "These [app] servers are vulnerable to all the usual attacks that traditional Web servers are vulnerable to, and in fact, probably more so."

He pointed out that "almost anyone" can now develop an application and sell it. In the case of Google Android apps, for example, interested developers can simply submit an application form, pay US$25 and start developing apps.

Given this scenario, and the relatively small investment required of developers, he questioned whether these developers would be as committed as more established developers to beefing up their app server security.

To combat potential threats to app servers, Oliveria reckoned that any good and reputable developer would expect users to behave in unpredictable ways and code apps to restrict the type of information sent by users to the app server.

He also called on developers to pay attention to securing their server-side infrastructure which can be accessed not only via an app, but also through a Web browser or direct network connection.

Paul Ducklin, head of technology at Sophos Asia-Pacific, added that less is more with regard to the amount of information users should be allowed to access via app servers.

He noted that a traditional Web server is set up to help a company get as many people as possible to visit its corporate Web site and learn about its operations, but the Web administrator will only put up information that the company wants the public to see.

App servers, however, often give public access to information that is traditionally not made available to users outside the company, Ducklin noted.

"So developers need to ensure that when they make it easier for users to access the app servers [for more information], they don't open up too much or they may experience their personal 'Wikileaks moment'," he warned.
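The two recommendations above, restricting what the app server accepts from users regardless of which client sent it, and limiting what it hands back, can be shown in a small server-side handler. The following is an added example written for this page, not code from any of the vendors quoted; the order-lookup endpoint, its field schema, the public field list and the internal record are all constructed assumptions.

```python
import re

# Hypothetical schema for an "order status lookup" endpoint (constructed for this example).
# Every field the server is willing to accept is listed here with a type, a length limit
# and an allowlist pattern; anything else in the request is rejected.
REQUEST_SCHEMA = {
    "order_id": {"type": str, "max_len": 8,
                 "pattern": re.compile(r"[A-Z0-9]{8}")},
    "email":    {"type": str, "max_len": 254,
                 "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
}

# Fields the public app is allowed to see; everything else stays inside the company.
PUBLIC_ORDER_FIELDS = ("order_id", "status", "eta")

# Constructed internal record, including fields that must never leave the company.
INTERNAL_ORDER = {
    "order_id": "AB12CD34",
    "status": "shipped",
    "eta": "2011-03-20",
    "customer_ssn": "000-00-0000",
    "internal_margin": 0.42,
}


def validate_request(payload):
    """Return (ok, errors) for an incoming request body.

    The check runs on the server for every request, whether it came from the
    mobile app, a Web browser or a raw network connection, so a client that
    skips the app's own input checks gains nothing.
    """
    errors = []
    if not isinstance(payload, dict):
        return False, ["payload must be a JSON object"]

    # Reject fields the endpoint never asked for instead of silently passing them on.
    unknown = set(payload) - set(REQUEST_SCHEMA)
    if unknown:
        errors.append("unexpected fields: " + ", ".join(sorted(unknown)))

    for name, rule in REQUEST_SCHEMA.items():
        if name not in payload:
            errors.append(f"missing field: {name}")
            continue
        value = payload[name]
        if not isinstance(value, rule["type"]):
            errors.append(f"{name}: wrong type")
            continue
        if len(value) > rule["max_len"]:
            errors.append(f"{name}: too long")
            continue
        # fullmatch anchors both ends, so trailing junk cannot ride along.
        if not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: malformed")
    return (not errors), errors


def public_view(record):
    """Project an internal record onto the fields the app may display ("less is more")."""
    return {k: record[k] for k in PUBLIC_ORDER_FIELDS if k in record}


def handle_order_lookup(payload):
    """Server-side handler: validate first, then return only the public projection."""
    ok, errors = validate_request(payload)
    if not ok:
        return {"status": 400, "errors": errors}
    if payload["order_id"] != INTERNAL_ORDER["order_id"]:
        return {"status": 404}
    return {"status": 200, "order": public_view(INTERNAL_ORDER)}


if __name__ == "__main__":
    # Well-formed request from the app versus a request with an extra, unexpected field.
    print(handle_order_lookup({"order_id": "AB12CD34", "email": "a@b.co"}))
    print(handle_order_lookup({"order_id": "ab12cd3", "email": "a@b.co", "debug": True}))
```

The point of the two functions is that neither trusts the client: `validate_request` decides what comes in using an allowlist rather than trying to enumerate bad input, and `public_view` decides what goes out by naming the fields the app may show, so an internal field added to the record later is not exposed by accident.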

Andresen recommended deploying purpose-built security appliances such as application firewalls as a best practice to secure app servers. He explained that adding another layer in front of the application server would ensure security is not compromised, regardless of whether coding for the application is secure or not.

He also zoomed in on social networking apps, noting that with over 30 billion pieces of content, such as Web links, blog posts and photos, shared on these platforms each month, it is "extremely difficult for application vendors to detect malicious content uploaded by users".

In this landscape, it would not be viable for mobile users to deploy a complete PC-centric security tool on devices that have limited processing abilities, Andresen added.

"What users need is a lightweight browsing capability that can leverage the processing capabilities of a user-driven cloud network [to filter, validate and secure Web content delivered to mobile devices]," he surmised.