Mobile Web Security
One inherent security benefit of Web applications is that all or most of the data the application uses is stored on the server, thus mitigating the loss of sensitive data that might otherwise have been stored on the device if it is lost or stolen.
As mobile browsers become more sophisticated, however, they will become vulnerable to security exploits, and so may need to be updated as vendors issue new versions. Two fundamental security considerations are protecting the data stored on the Web server and protecting the customer's Web experience.
Transport security refers to the protection of communicated data. Although AT&T encrypts the radio link, data may travel over paths that are not encrypted such as through the Internet. Since most browsers support Secure Sockets Layer (SSL) or Transport Layer Security (TLS), securing communications is relatively straightforward. These security protocols are also compatible with SSL Virtual Private Network (VPN) concentrators, which organizations may already be using to secure remote access of their employees.
Another advantage of Web applications compared to using other application architectures is that many organizations have already configured their firewalls to allow HTTP traffic, simplifying firewall traversal.
One consideration in using SSL, however, is that SSL handshakes are somewhat verbose and not necessarily ideal for exchanges of small amounts of data.
In the case of BlackBerry applications, Web communication is via the connection to the BlackBerry Enterprise Server or the BlackBerry Internet Service, which is already a secure path making SSL unnecessary.
Web application developers should ensure their applications/sites are not vulnerable to various forms of attack. Some of these include:
Cross Site Request Forgery. This vulnerability exploits the trust that a site has for a user's browser. This is the opposite of XSS where the user's browser trusts the site. The vulnerability consists of a Web application that performs an action from an authenticated user without requiring user authorization, under the control of a third party, such as clicking on a malicious image.
Click Jacking. In this exploit, users are tricked into interacting with a "transparent" Web page, clicking on visible buttons, but performing actions on a hidden page.
Developers can enforce security via Secure Development Lifecycle processes, and by using application-aware intrusion-prevention systems or firewalls. In addition, Web application should validate all user input, should take advantage of Turing tests where appropriate, and make requests that are sensitive session dependent.