Mobile devices and applications are everywhere, and we have seen endless information, guides and what not on how to build a successful business around the next big mobile application. There is even an article going around right now about somebody who learned to program in three days and released an amazing application. But, as I am sure you knew I was going to say, security is not commonly thought about in the mad rush to deploy.
But that is not what I wanted to discuss today. I want to dig into an idea that has been rattling around in my head since I first read about a case in California involving Uber and a tragic event with one of their drivers. On New Year's Eve, a driver hit three pedestrians and killed one of them, 6-year-old Sofia Liu. Whatever the outcome of the court cases, this is a horrible story. But there is one part of it that may be of interest to other application developers.
In the current civil case, it is alleged that the application Uber's drivers use violates California law. The argument is that the application requires the driver to interact with it while driving but does not provide hands-free features, and California prohibits handheld phone use while driving. (A recent court decision held that navigation applications are ok to use.)
So think about the applications your organization has released or is working on releasing. Have you considered the legal issues behind the application? Have you looked at the compliance requirements covering the application and the data that supports it? Have you really looked at the security problems the application contains?
Security and compliance testing are a required part of any software development lifecycle, and mobile applications push this even further. Why, you ask? Simply because of their portability, combined with business logic being pushed out to the client device, where the user (or an attacker) controls the hardware and can inspect and modify the application. This combination makes these great little applications critical to the security posture of your organization!
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.