June 09, 2010
4 Lessons from the AT&T/Apple Data Breach for Smartphone App Developers
By Dan CornellThe recent AT&T / Apple data breach involving iPad 3G customers echoes some lessons we’ve been discussing with our customers deploying smartphone applications. Based on a read of the info from Goatse Security as reported by Gawker we see similar themes.
In summary the author lists:
- Authentication and Authorization Are Crucial for Services Deployed to Support Smartphone Applications
- Do Not Authenticate Requests with Values that Look Random But Aren’t
- Never Trust Anything in an Attacker-Controlled Request (Especially User-Agent Headers)
- Don’t Trust Your Service Providers; Test Them
It is written with more of a focus on security, but the technical aspects are correct for this situation. However going deeper from here the whole issue of privacy is much greater than just the application of security. I sound like Schneier.