Lessons learned from web mobile application vulnerabilities

Veracode : 23 February, 2015  (Special Report)
Adrian Beck of Veracode looks back at some of the main data breach incidents of 2014 and explains what could be done to prevent them
2014 was awash with data breach stories. Take the nightmare of the Sony Pictures Entertainment breach, which resulted in a haemorrhage of highly sensitive private information and a mass of confidential emails being leaked. Even if you didn't care for the onslaught of tabloid headlines that followed, the reported $100 million in costs that Sony faces as a result demonstrates the severity of the incident.

However, it shouldn’t take incidents of such a large scale to show the serious implications of security vulnerabilities. No data is inconsequential in our ‘information age’. Because of this, digital security is more crucial than ever before.

As we are all well aware, hackers are growing more sophisticated than ever in their methods of attack. Allowing access to even the least “critical” data that we store on our smartphones or enter into web applications can have serious implications.

Whether you’re an avid Snapchat user, or are just interested in application security, you won’t have missed the news of the 4.6 million users whose usernames and phone numbers were leaked earlier this year. Furthermore, you probably saw the publicity hit which Snapchat took from many security enthusiasts and users alike for the security measures that allowed this to occur in the first place.

The point is not just to criticise Snapchat here but to reinforce the point that all data is of the utmost importance, especially when the end-user is involved. Phone numbers and usernames may not seem like a big deal to users, who routinely allow access to such information to the numerous apps installed on their devices. But in the wrong hands this data can be used against the user with damaging effect, for example by motivated hackers, identity thieves and even stalkers. Applications such as Snapchat are usually not built with security in mind but can turn into gold mines of personal data when security vulnerabilities are found and exploited. Judging from the backlash Snapchat faced over this incident, it is safe to say that this is one flaw the developers wish they had unearthed before it was discovered.

The Starbucks App

A recently discovered flaw in Starbucks' iOS app is another alarming case of a widely used application running with serious security issues. Although it is not known to have been exploited by cybercriminals, this vulnerability is notable because of two major factors: ease of access and lack of encryption. Prior to patching, anyone with direct access to a given iPhone or iPad had potential access to Starbucks customers' usernames, passwords and credit card details that were stored on the device. All they would have to do was plug the hardware into a computer to read the data in an unencrypted text file.

Storing such sensitive information, especially credit card information, under anything but lock-and-key measures is not acceptable. Applications which handle sensitive data must have robust encryption measures and proper data access management practices.
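The cleartext-storage failure described above is one that an app security review can catch before release. The following is an added example, not code from Veracode or Starbucks: a small audit script that scans a key=value storage file pulled from a device backup, flags cleartext values under sensitive key names, and flags any digit run that passes the Luhn check (a well-formed card number). The sample file contents are constructed for illustration; the key names and regexes are assumptions about a typical app's local preferences file.

```python
import re

# Constructed sample of an app's local preferences file that keeps sensitive
# fields in the clear (illustrative data only, not taken from any real app).
SAMPLE_STORAGE = """\
username=alice@example.com
password=hunter2
session_token=eyJhbGciOiJIUzI1NiJ9.e30.abc
card_number=4111111111111111
card_expiry=12/27
theme=dark
"""

# Key names that should never be persisted in cleartext (assumed list; extend as needed).
SENSITIVE_KEYS = re.compile(r"(password|passwd|pin|secret|card_number|cvv)", re.I)
# Candidate payment card numbers are 13 to 19 digits long.
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Luhn checksum: True for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so a finding never re-exposes the secret."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_storage(text):
    """Return one finding per line that holds sensitive data in cleartext."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a key=value line
        key, value = key.strip(), value.strip()
        reasons = []
        if SENSITIVE_KEYS.search(key):
            reasons.append("sensitive key stored in cleartext")
        for m in DIGIT_RUN.finditer(value):
            if luhn_valid(m.group()):
                reasons.append("Luhn-valid card number in cleartext")
        if reasons:
            findings.append({"line": lineno, "key": key,
                             "value": mask(value), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_storage(SAMPLE_STORAGE):
        print(f"line {f['line']}: {f['key']}={f['value']}  ({'; '.join(f['reasons'])})")
```

On the constructed sample the script reports the `password` and `card_number` lines and nothing else; the session token and expiry date are left alone because a token is not a credential the user typed and an expiry date is not a card number. A finding here means the fix is a design change, not a different file format: keep credentials and card data off the device altogether, or encrypt them with a key held in the platform keystore rather than beside the data.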

Fortunately Starbucks was able to act swiftly and issue a fix for the flaw before any major damage was done, but this vulnerability is another important lesson on the perils of mobile application security.

Home Depot

Moving away from mobile application vulnerabilities, there is the Home Depot breach, which exposed a whopping 50 million Home Depot customers' email addresses and payment information. Like the infamous Target breach in 2014, this hack started with the abuse of third-party credentials. The attackers used these credentials to get an initial foothold in the organisation, and then exploited an unpatched Windows server to gain entry into self-checkout machines and the huge swathes of information stored therein.

This breach highlights how critical third-party management is when it comes to information security. There is no such thing as a minor point of access, because attackers can exploit any route into your organisation to cause widespread damage. Security measures should be front of mind when working with a third-party provider.

In closing

Three very different examples, involving three very different organisations, but the common message is that complacency when it comes to application security is no longer an option. Modern applications store vast amounts of sensitive data, which in the wrong hands can have serious implications for individuals, such as identity theft and spear phishing attacks. As a result there are major repercussions for organisations who fail to take the appropriate measures to protect this data. Whether it be through an internally developed mobile application, an application developed on an enterprise's behalf or through a third-party supplier, cyber criminals are looking for even the most minor points of access to exploit, sometimes resulting in the floodgates opening.
