In a statement, Veracode said it was accepting submissions of mobile applications for testing on all mobile platforms and will expand its service to cover Google’s Android OS in the first quarter of 2011 and applications running on Apple’s iOS operating system in the second quarter of 2011.
Mobile applications have proven to be an Achilles’ heel for mobile device makers like Google and Apple, which have built robust security features into their mobile operating systems. In the last year, stories about malicious or greyware applications sneaking onto official and third-party application marketplaces have revealed blind spots in the processes for auditing application submissions.
While firms like Apple do cursory application reviews prior to releasing new applications to the App Store, others – including Google – decline to do per-app reviews prior to posting the applications, though they will remove applications that violate their policies from their marketplaces. Veracode is positioning its service as an intermediary between development and the market for firms concerned about the security of their applications and interested in independent evaluations of that security.
Veracode also released a “Mobile App Top 10 List,” akin to the OWASP Top 10, to focus industry attention on the most common mobile vulnerabilities and malicious functionalities. In a statement, Veracode CTO Chris Wysopal said that standards for mobile applications lag those of Web applications, where groups like OWASP have made headway by calling attention to common Web application holes.
“In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits,” Wysopal said. The Mobile App Top 10 is designed to make it easier for organizations, and for mobile application security providers, to vet mobile apps.
Among the suspect or malicious features Veracode points out on its Top 10 list are remote monitoring and surreptitious dialing or texting (usually to premium-rate numbers). Inadequate or insecure data storage and hard-coded passwords are among the most common vulnerabilities in mobile devices, the company said.
CLARIFICATION: The first paragraph of this story was altered to indicate that Veracode was expanding its service to include Apple iOS and Google Android. The firm already offered application testing for RIM BlackBerry and Windows Mobile devices. The second paragraph was altered to indicate that the Android service will be available in Q1, not Q2.