Bad coding to blame for security 'glitches' in Apps

There is no reason why applications can't be built securely, but often they are not, BSI Cyber Security principal consultant Martin Pill told SC Media UK.

Martin Pill, principal consultant at BSI Cyber Security, was explaining a particular vulnerability that he kept finding. Online shopping site apps often came with a glitch where the person monitoring the website could not control the prices of the goods going into the basket.

The cause, he said, was bad coding.

Financial services apps also had another recurring issue, said the veteran security professional. 

Suppose you log on to your bank and want to look at your bank statements, which arrive as PDFs. You get a URL that ends in a number referring to the PDF. Altering that number would actually give you somebody else's bank statement. The app should verify each request for a document and block it if the account does not match the user's credentials.
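The bank statement case above, as an added illustration that is not from the article or from BSI: a handler that serves a PDF purely by the number in the URL, beside one that checks the document belongs to the logged-in user, plus the kind of pre-launch check a tester would run against both. The statement store, user names and function names are assumptions for the example.

```python
# Constructed sample data: two customers, each owning one statement PDF.
# Hypothetical in-memory store standing in for the bank's document service.
STATEMENTS = {
    1001: {"owner": "alice", "pdf": b"%PDF-1.4 alice-jan"},
    1002: {"owner": "bob", "pdf": b"%PDF-1.4 bob-jan"},
}


class Forbidden(Exception):
    """Raised when a request is not authorised for the session user."""


def get_statement_vulnerable(session_user: str, statement_id: int) -> bytes:
    """The flaw described in the article: the PDF is looked up by the
    number from the URL and returned without asking who owns it.
    The session user is ignored entirely."""
    return STATEMENTS[statement_id]["pdf"]


def get_statement(session_user: str, statement_id: int) -> bytes:
    """Hardened version: every request is checked against the
    authenticated user before any document is returned."""
    doc = STATEMENTS.get(statement_id)
    # Treat 'missing' and 'not yours' identically so the response
    # does not reveal which statement numbers exist.
    if doc is None or doc["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read statement {statement_id}")
    return doc["pdf"]


def leaked_ids(handler, session_user: str) -> list:
    """Pre-launch authorisation check: as a single logged-in user, request
    every known statement id and report those belonging to someone else
    that the handler hands back. An empty list means the check passed."""
    leaked = []
    for statement_id, doc in STATEMENTS.items():
        if doc["owner"] == session_user:
            continue
        try:
            handler(session_user, statement_id)
        except (Forbidden, KeyError):
            continue  # correctly refused
        leaked.append(statement_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaked_ids(get_statement_vulnerable, "alice"))
    print("hardened handler leaks:  ", leaked_ids(get_statement, "alice"))
```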

"Developers don’t always code the application to check whether each request coming in is authorised," he said. 

He found that vulnerability in many apps during pre-launch tests. "Had that (fix) waited till the application was launched, that could’ve been a disaster for them."

Chinks in the app

According to surveys of information security professionals at two major conferences held recently, customer-facing web applications are considered the biggest security concern.

"There is no reason why applications can’t be built securely," said Pill. 

But often they are not. In many cases there is no encryption between the application and the service it connects to, so interception is easy. Most of the vulnerabilities found during penetration testing are well known and could have been avoided at the initial stage, he said.

"A lot of developers are very good at making apps that are functional but they don’t have the culture of building security in the standard," said Pill.

Threat from outside

Third-party app management that has administrative access can be a weak point. SC Media UK reported this month that cyber-attacks in the UK financial service sector went up 1,000 percent since 2017, with third-party failures involved in 21 percent of incidents.

"Some organisations don’t realise that if they commission an application from a third party, it might not necessarily be secure. They should see to it that security comes as part of the package," he said. 

However, this does not mean that in-house apps are inherently secure. IT staff and developers are very good at creating something that functions well, but they might not be aware of good security practice, he noted.

"Also, suppliers can be seen as a way of getting to the client. So if you've got a client who's got some high-value information, whose security systems are pretty good, but who has a supplier who connects to their system and has weaker security, then we can compromise the supplier to access the client."

Value, not cost

Several industry reports have blamed a lack of budget for the absence of rudimentary security measures in apps. "It is a question of balancing the cost versus the value," he said. Often the cost of fixing the damage is much higher than the cost of testing for possible loopholes.

"It is much cheaper and easier to build security in than to build an app and then add security measures afterwards," he said. "Also, it is often less secure if you try to build security in afterwards."

Contrary to the common notion, usability of the app is not the factor that prompts developers to compromise on security. "For example, if you are storing a password on the system, the user doesn't know whether it's encrypted or not. It is a security decision. If the passwords are stored in text, anyone hacking the system will have them. The user never sees most of the security measures."

However, avoiding apps would be detrimental for a business these days. If there is an app on the phone, the user is more likely to tap it than to type a URL into a browser, he said.
