Authors: Dominic Chell, Tyrone Erasmus, Shaun Colley and Ollie Whitehouse
Aimed at: mobile developers
Reviewed by: Kay Ewbank
Covering how to write apps that don’t fall foul of vulnerabilities, a more accurate title would be the mobile apps anti-hacker’s handbook.
he problem of having a book that covers all the major platforms - Android, iOS, Windows Phone and Blackberry - is that few developers are likely to be writing for all the platforms, so how much of the book is useful will vary. The authors describe it as four books in one. In each case, you’re shown how to perform a mobile application security assessment, starting with how to go about the analysis, then looking at potential vulnerabilities, and finally telling you what to do to make your app safer.
The book starts with a general overview of security in mobile applications. The authors point out that most mobile apps perform some kind of data access across networks, so present would-be hackers with a range of vulnerable layers and rich pickings if the attack is successful. Along with analysis of the main attack surfaces, there’s a useful overview of the security resources you might use to assess the vulnerabilities of your own apps.
From this point onwards the book splits into different parts each aimed at a specific mobile environment, starting with iOS. There’s a chapter analyzing iOS apps that looks at the security on iOS and how those features have been circumvented through jailbreaking. The authors describe concepts such as the data protection API and the keychain. There’s a good section on building a test environment that you can use to build, test and explore iOS apps. The next chapter looks at attacking iOS apps, and more particularly the techniques that might be used such as SQL inject, XML external entity injection, and the insecurities of the Inter Process Communication used to transmit data between apps on the same device.
Chapter 4 describes how you can audit iOS apps for vulnerabilities in the way the device’s address book, geolocation frameworks and logging system are used. There’s also some interesting stuff on how residual data can expose content such as snapshots, web view information and pasteboards. The final chapter in the iOS section covers what you can do to make sure your iOS apps are more secure. Topics include securely implementing encryption, erasing data, and embedding protection.
Android is the next platform to be covered, followed by Windows Phone and Blackberry. In each case there are similar chapters to the iOS ones – analyzing apps, attacking apps, implementation issues and writing secure apps - with material specific to the particular platform.
The book ends with a chapter on cross platform apps that looks at how such apps usually are web apps with a bridge to local resources, and the way the bridge is the weak point.
The authors have done a good job on giving a thorough grounding on the security model of each of the platforms, along with how apps fit in those models. Not being a hacker, I can’t really comment on whether they’ve covered all the weak points, but they certainly gave a lot of interesting things to avoid and some guidance on ways towards writing safe applications.
To keep up with our coverage of books for programmers, follow @bookwatchiprog on Twitter or subscribe to I Programmer's Books RSS feed for each day's new addition to Book Watch and for new reviews.