Mobile sites - Resurrecting security risks
In today's world any self-respecting web site must provide access to its services through a desktop browser as well as a mobile device. In practice this means there are two versions of every site, one for desktop users and one for mobile users. Are both secure? How do we know for sure?
First, let's take a quick look at some of the reasons why companies would prefer to have mobile users visit a mobile-based site instead of directing them to the original desktop site.
- Technologies - Certain technologies are not supported on mobile devices (e.g. Flash on iOS), so the parts of the site that depend on them have to be re-designed to meet smartphone requirements.
- User experience - The user experience is completely different. Take the hover action, for example: a desktop user can hover over a certain area and have menus slide this way and that, but on a touch device hovering does not exist.
Scanning mobile sites for vulnerabilities
So now that the web site has been re-written, QA-ed and launched, aren't we forgetting something?
Could it be that our secure desktop site has been replicated as an insecure mobile site? It sure can!
There are a few ways to go about testing the mobile site for vulnerabilities.
A SAST solution, like IBM Security AppScan Source, would test the security of the code itself.
A DAST solution, like IBM Security AppScan Standard, would dynamically probe, scan and test the site for vulnerabilities.
It's super easy to scan the new mobile site using a DAST solution. All you have to do is emulate a mobile browser. How do we do that? We set the User-Agent header in IBM Security AppScan Standard to the value a mobile browser would send, so the server hands the scanner the mobile version of every page.
You can choose from a list of possible User-Agent values or you can create your own. See screenshot below.
One caveat: the User-Agent header is not always what selects the mobile version. Some sites redirect mobile browsers to a separate host (m.example.com or similar), some serve the mobile pages from a different path, and some choose the layout client-side from the screen size. Before trusting the results, confirm that the scanner is actually receiving the mobile pages, and add any separate mobile host to the scan scope so it is crawled and tested in its own right.
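The check below is an added example for this post; it is not IBM Security AppScan code. It does by hand what the User-Agent trick does in the scanner: it fetches the same URL once with a desktop User-Agent and once with a mobile one (both strings are constructed stand-ins, any current phone browser string will do) and then reports the security-relevant ways the mobile response is weaker than the desktop one: a separate mobile host that needs its own scan scope, security headers the desktop variant sends but the mobile variant drops, and cookie flags such as Secure and HttpOnly that go missing on mobile. The sample desktop/mobile response pair at the bottom is constructed so the comparison runs offline.

```python
"""Check whether a site's mobile variant has drifted from its desktop variant.

Added example for this post; not IBM Security AppScan code. The User-Agent
strings and the sample responses below are constructed stand-ins.
"""
from __future__ import annotations

import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed User-Agent strings; a scanner lets you pick or type one.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
             "Mobile/15E148 Safari/604.1")

# Response headers whose absence on the mobile variant is worth a finding.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)


def fetch(url: str, user_agent: str) -> dict:
    """Fetch url with the given User-Agent and keep the parts we compare.

    The final URL after redirects is kept because many sites bounce mobile
    browsers to a separate host such as m.example.com.
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        msg = resp.headers
        return {
            "status": resp.status,
            "url": resp.geturl(),
            "headers": {k.lower(): v for k, v in msg.items()
                        if k.lower() != "set-cookie"},
            "set_cookie": msg.get_all("Set-Cookie") or [],
        }


def cookie_flags(set_cookie: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def compare_variants(desktop: dict, mobile: dict) -> list[str]:
    """List security-relevant ways the mobile response is weaker than desktop."""
    findings = []
    d_host = urlsplit(desktop["url"]).netloc
    m_host = urlsplit(mobile["url"]).netloc
    if d_host != m_host:
        findings.append(f"mobile variant is served from {m_host}, not {d_host}: "
                        "add that host to the scan scope")
    for header in SECURITY_HEADERS:
        if header in desktop["headers"] and header not in mobile["headers"]:
            findings.append(f"{header} is sent by desktop but missing on mobile")
    desktop_cookies = dict(cookie_flags(c) for c in desktop["set_cookie"])
    for raw in mobile["set_cookie"]:
        name, attrs = cookie_flags(raw)
        for flag in ("secure", "httponly"):
            if flag not in attrs and flag in desktop_cookies.get(name, set()):
                findings.append(f"cookie {name} has {flag} on desktop but not on mobile")
    return findings


# Constructed sample responses standing in for a real desktop/mobile pair.
SAMPLE_DESKTOP = {
    "status": 200,
    "url": "https://www.example.com/login",
    "headers": {"content-type": "text/html",
                "strict-transport-security": "max-age=31536000",
                "x-frame-options": "DENY"},
    "set_cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
}
SAMPLE_MOBILE = {
    "status": 200,
    "url": "https://m.example.com/login",
    "headers": {"content-type": "text/html"},
    "set_cookie": ["session=abc123; Path=/"],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python mobile_drift.py https://example.com/
        desktop = fetch(sys.argv[1], DESKTOP_UA)
        mobile = fetch(sys.argv[1], MOBILE_UA)
    else:                  # offline demo on the constructed sample
        desktop, mobile = SAMPLE_DESKTOP, SAMPLE_MOBILE
    for line in compare_variants(desktop, mobile) or ["no drift detected"]:
        print(line)
```

Run it with no arguments for the constructed sample, which produces five findings (a separate mobile host, two dropped security headers, and a session cookie that lost both Secure and HttpOnly), or pass a URL to compare a live site. It is a quick smoke test rather than a replacement for the scanner: its job is to tell you whether the mobile variant exists as a distinct target and whether it has already lost protections the desktop site has, which is exactly when a full DAST pass with a mobile User-Agent is worth scheduling.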
But I don't wanna scan my site...
It is critical to secure your mobile sites. If your company offers a service through both a desktop site and a mobile site, the back-end of those two sites is probably the same.
That means that if the desktop site is secure but the mobile site is not, the back-end is at risk: databases can be broken into, user credentials and account information exposed, and so on and so forth. You know the risks...
Not securing your mobile site wastes the money and time you have already put into securing your desktop site. As long as your mobile site is insecure, you are at risk.
Think of your freshly launched mobile site as going back to square one. It is practically like starting the process of securing your site from the beginning.
Just scan it and get it over with. Don't say we didn't warn you..!