Thursday, 10 June 2010

Lessons for SmartPhone Developers

Coming after Apple/iPad/AT&T email leak is this interesting article from the Denim Group:

June 09, 2010

4 Lessons from the AT&T/Apple Data Breach for Smartphone App Developers

The recent AT&T / Apple data breach involving iPad 3G customers echoes some lessons we’ve been discussing with our customers deploying smartphone applications.  Based on a read of the info from Goatse Security as reported by Gawker we see similar themes.

In summary the author lists:

  • Authentication and Authorization Are Crucial for Services Deployed to Support Smartphone Applications
  • Do Not Authenticate Requests with Values that Look Random But Aren’t
  • Never Trust Anything in an Attacker-Controlled Request (Especially User-Agent Headers)
  • Don’t Trust Your Service Providers; Test Them

It is written with more of a focus on security, but the technical aspects are correct for this situation. However going deeper from here the whole issue of privacy is much greater than just the application of security. I sound like Schneier.

No comments: