Technical Library
Mobile Web Security
One inherent security benefit of Web applications is that all or most of the data the application uses is stored on the server, thus mitigating the loss of sensitive data that might otherwise have been stored on the device if it is lost or stolen.
As mobile browsers become more sophisticated, however, they will become vulnerable to security exploits, and so may need to be updated as vendors issue new versions. Two fundamental security considerations are protecting the data stored on the Web server and protecting the customer's Web experience.
Transport Security
Transport security refers to the protection of communicated data. Although AT&T encrypts the radio link, data may travel over paths that are not encrypted such as through the Internet. Since most browsers support Secure Sockets Layer (SSL) or Transport Layer Security (TLS), securing communications is relatively straightforward. These security protocols are also compatible with SSL Virtual Private Network (VPN) concentrators, which organizations may already be using to secure remote access of their employees.
Another advantage of Web applications compared to using other application architectures is that many organizations have already configured their firewalls to allow HTTP traffic, simplifying firewall traversal.
One consideration in using SSL, however, is that SSL handshakes are somewhat verbose and not necessarily ideal for exchanges of small amounts of data.
In the case of BlackBerry applications, Web communication goes through the connection to the BlackBerry Enterprise Server or the BlackBerry Internet Service, which is already a secure path, making SSL unnecessary.
Application-Level Security
Web application developers should ensure their applications/sites are not vulnerable to various forms of attack. Some of these include:
Cross Site Scripting (XSS). Vulnerabilities emerge when unescaped user data, such as malicious JavaScript, is included in HTML output. These vulnerabilities can be non-persistent (payload echoed in an immediate response), persistent (payload stored in the vulnerable system for later embedding in an HTML page sent to a user) or DOM-based (content stored in local Document Object Model and later reinterpreted as HTML that includes malicious script).
Cross Site Request Forgery (CSRF). This vulnerability exploits the trust that a site has in a user's browser; it is the opposite of XSS, where the user's browser trusts the site. A vulnerable Web application performs an action on behalf of an authenticated user without requiring explicit authorization, so a third party can trigger that action, for example by getting the user to click on a malicious image.
Click Jacking. In this exploit, users are tricked into interacting with a "transparent" Web page: they click on what appear to be visible buttons, but the clicks perform actions on a hidden page underneath.
Developers can enforce security via Secure Development Lifecycle processes, and by using application-aware intrusion-prevention systems or firewalls. In addition, Web applications should validate all user input, take advantage of Turing tests (such as CAPTCHAs) where appropriate, and make sensitive requests session-dependent so that they cannot be forged from outside the user's authenticated session.
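As an added illustration of the last two points, not code from this page or from AT&T, the Python sketch below binds a sensitive request to the caller's session with an HMAC-based token (so a forged cross-site request is rejected) and escapes user data before echoing it into HTML (so reflected script is neutralised). The server secret, session ids and form fields are constructed for the example.

```python
import hashlib
import hmac
import html
import secrets

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"


def escape_for_html(user_data: str) -> str:
    """Neutralise user-supplied text before it is placed in an HTML body or attribute."""
    return html.escape(user_data, quote=True)


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to one session: a random nonce plus an HMAC over session id and nonce."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Valid only for the session it was issued to; a token lifted from another session fails."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id: str, form: dict) -> tuple:
    """Sensitive action: check the session-bound token first (CSRF), then render user data escaped (XSS)."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "rejected: request is not bound to this session"
    memo = escape_for_html(form.get("memo", ""))
    return 200, f"<p>Transfer note: {memo}</p>"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    print(handle_transfer("sess-A", {"csrf_token": token, "memo": "<script>alert(1)</script>"}))
    print(handle_transfer("sess-B", {"csrf_token": token, "memo": "hello"}))
```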