Opinion by Kenneth van Wyk

Kenneth van Wyk: Where mobile apps go wrong

More so than Web-based applications, mobile apps tend to have security design flaws that attackers can exploit

Mobile apps aren't just fun. They speak volumes about your system's overall security architecture, and they may well reveal defects that can hurt your company -- and that's no fun at all. How can that be?

For starters, we're seeing more and more serious business apps showing up on mobile platforms like Android and iOS. For the most part, those mobile apps are complementing companies' existing Web-based applications, especially for consumer-facing sorts of functions.

A primary difference between most Web apps and most mobile apps lies in what companies put into consumers' hands. With Web apps, there is of course the HTML, JavaScript and whatever other technical components the company deploys. In the majority of situations, the client code makes up the presentation layer and many of the user interface elements. That is, not much actual business logic is implemented in the client-side "footprint."

Mobile apps quite often change that around, at least to some degree. On Android, mobile apps are generally coded in Java, and on iOS in Objective-C. Both of these languages are capable of significant processing functionality. (That's not to denigrate the capabilities of JavaScript and other client-side active content.)

As a result, mobile apps often perform more functions than just presentation-layer aesthetics. That's where the risks can hide.

On Android, it's quite feasible to decompile Java class files, even those built for the Dalvik JVM (which is a bit different from a more traditional JVM). Similarly, reverse-engineering iOS apps is actually quite easy, even those that are protected via encryption on Apple's App Store.
