Book Review: Mobile Application Security
Mobile Application Security is a super technical book. The authors are three mobile security veterans from iSec Partners, a reputable mobile security services company with several mobile 0days and Blackhat talks. They focus on the mobile threat landscape from a developer’s perspective; shedding light on mobile development security concepts and secure coding tips that most developers overlook. The book is split into two main parts, one describing the security architecture for the different mobile platforms and how it can be used to develop secure mobile applications, and the other illustrating some of the common mobile services, their attack vectors, history of attacks, and the lessons learned from them.
The first part starts by enumerating some of the generic top mobile security issues and their solutions, such as application isolation issues, transport layer security issues, physical security issues and privacy issues. The authors then dive into the platform-specific security architectures and feature details. From Android through iPhone, Windows Mobile, BlackBerry, J2ME and Symbian to WebOS, they offer a comprehensive overview of the core security components and the security features of OS components, detailing how they work and how a developer can use them. Components described include inter-process communication mechanisms, background services, storage access, notifications, application permissions, clipboard access, sockets, web networking, application updating, signing and packaging. At the end of some chapters, a bullet-styled conclusion provides the reader with actionable development tips for the specific platform, which I find very useful and would make a great secure coding checklist for developers.
In the second part, the authors explore some common services introduced by the prevalence of mobile devices that need special care from a security and privacy point of view. The services described include SMS, Bluetooth and geolocation services. In addition, the authors dedicate a chapter to introducing enterprise mobile security concepts and practices for building secure enterprise-enabled mobile applications.
At the end of the book, the appendices provide excellent tangents: one appendix covers the anatomy of major mobile malware outbreaks, and the other details tools that can be used in mobile security testing, static and dynamic analysis, fuzzing, and network manipulation.
As expected from a developer-oriented book, it is coherently written in a formal scientific style that is sometimes mixed with technical whimsy. The writing is very clear and unambiguous. Code snippets and detailed command-line steps are frequently included to illustrate the secure way of developing a certain feature or using a particular tool. Also, having vast knowledge of the available community-driven tools, the authors provide instructions and links to related tools on many occasions, which I find to be a big advantage since quality tools in this area are scarce and hard to find.
On the downside, although the book covers Android, BlackBerry, iOS and Windows Mobile application security practices very thoroughly, the 2010 publishing date means that it is missing some of the most recent changes in the covered platforms. For example, the book was published before BlackBerry v10 and Windows Phone v8 were released, so it does not include information on them. Likewise, major security enhancements were added to iOS v7 and Android v4.4, both released after the publishing date. However, the book offers a solid understanding of concepts and practices that, with adequate research, can be extrapolated and applied to more modern versions. Additionally, the book lacks differential analysis. There is no comparative tone through most parts, so it is left to the reader to identify the differences between the security implementations and features of the discussed platforms.
Overall, I think it is a very good read. The guidance of this book has helped me better shape a unified methodology for mobile application security assessment and penetration testing. I strongly recommend it for developers of security-critical mobile applications and mobile application penetration testers.
About The Author
Ahmed Saafan, Senior Application Security and Data Protection Consultant