In this interview, Alan Crouch, a senior software security specialist with Coveros, discusses the importance of security testing applications on mobile devices, as well as the challenges that come along with working on the many different mobile devices available.
Josiah Renaudin: Today I'm joined by Alan Crouch, a senior software security specialist with Coveros and a speaker at the upcoming Mobile Dev + Test conference. Alan, thank you very much for joining us.
Alan Crouch: Thanks for having me.
Josiah Renaudin: No problem at all. First, could you tell us a bit about your experience in the industry?
Alan Crouch: I graduated from James Madison University with a master's in secure software engineering in 2008. Since then, I've worked consulting for both the federal government and commercial business in information security services. Within the past four years specifically, I worked with several companies working in testing mobile applications. That includes anywhere from just standard application testing to security testing as well.
Josiah Renaudin: You just mentioned mobile, so I kind of want to know a bit … This question relates to your discussion at Mobile Dev + Test. What makes mobile data storage different than, say, what we've seen on PCs in the past?
Alan Crouch: Mobile operating systems handle data storage and privilege escalation slightly differently than your PC. They use something called the sandbox model to separate data from one application and another application so that ideally, one application's data or changes don't affect another application. While there are some shared spaces between the apps, the intention is to provide as much data privacy and protection to apps as possible.
Josiah Renaudin: A unique challenge that comes along with mobile security is everyone's carrying their phones around all the time. Some people have codes attached to them, some people don't. Can you name a few of the factors that make mobile security so interesting, so unique, and so challenging?
Alan Crouch: Probably the biggest one is that with the mobile devices we have and carry around, there are so many different types, different hardware, and most of those come with varying degrees of operating systems and vulnerabilities associated with each of those. For example, Android phones have the longest or the largest amount of varying operating systems installed across all the Android phones from all the different carriers. So AT&T may be using four different versions of the Android L app or Verizon might be using four entirely different versions. Being able to test for all those different platforms and all those different operating systems is quite a challenge for any mobile security tester.
Josiah Renaudin: When and where should security testing be done for these mobile apps?
Alan Crouch: Security testing starts as early as building out the requirements—that's where the activities that most people forget to do happen, such as threat modeling. Security testing continues throughout the mobile SDLC when we do our coding and our testing. Ideally a lot of it takes place up front, but there's going to be security testing you do throughout the entire lifecycle.
Josiah Renaudin: Since mobile is still relatively new, do you think enough developers understand how to create a secure mobile application? People have been working with PCs and different devices like that for quite some time, but mobile's still relatively new. Is it going to be a learning process or is this something we need to know right now?