Over a million developers have joined DZone.

The Client Is Not Always Right!

In this article, the author explains explain why he thinks this question is a warning sign for an application security program.

· Mobile Zone

Visually compose APIs with easy-to-use tooling. Learn how IBM API Connect provides near-universal access to data and services both on-premises and in the cloud, brought to you in partnership with IBM.


I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.

An unfortunate part of my job is that sometimes I have to explain that people are focusing on the wrong objectives. Here’s my unfortunate dose of reality for today: We all need a perspective adjustment when it comes to “the client.” With Drumpf-esque powers of oversimplification, let’s start by envisioning that half of your apps are server code, and half client code, looking something like this:


Client apps could be native mobile APIs, traditional browser code, or classic thick clients that run on your desktop. I am not talking about mail clients, browsers, or stuff like that. From this perspective, it sure looks like Client Apps are half of your portfolio. It seems like you should spend an equal amount of resources securing them!

Well, I disagree.

Exhibit A: Clients Don’t Breach Widely

Most of the time, if a client is compromised, that particular client’s been compromised — not all the clients. So let’s look at our portfolio again, but this, time let’s overlay where all the breaches take place:

client-not-right-2.jpgSource: Every data breach study ever

In fact, here’s what the Verizon Data Breach Incident Report said about mobile specifically:

As with the 2015 report, compromises of mobile and Internet of Things devices are not a significant factor in the 2016 DBIR.

So, if the threats that justify our jobs are all focused on the server, shouldn’t we be, too? Shouldn’t you choose a vendor that does an A+ job on the stuff that matters instead of the vendor that does a C- job on everything? Choosing a product vendor because they “support” mobile is the really saying you care more about “checking the security box” for clients rather than actually, you know, securing stuff.

Exhibit B: “Mobile Threats” Are Still Mostly Server Threats

Take a look at the OWASP Mobile Top 10. Almost half of them are actually server problems. Take a look:

  • M1: Weak Server Side Controls. Obviously a server thing.
  • M3: Insufficient Transport Layer Protection. Yes, Virginia, the server should enforce transport security.
  • M5: Poor Authentication and Authorization. The server’s model of these is all that matters. Even if the client gets it wrong — what can the client do that really harms anyone if the server still enforces it correctly?
  • M9: Improper Session Handling. Same — who cares if you get this wrong? The data on the server is still the data to protect.

The others are still worth thinking about, for sure. It’s good to encrypt data at rest on your phone, for example. But, as part of a program, these risks must take a backseat to the server.

Exhibit C: The Tooling Ain’t Great

This is a tricky subject because it depends on the language of the client app — with widely varying quality available on the market. The best bet for analyzing any client side code is using BlueClosure (formerly DOMinator from Minded Security) — an IAST (Interactive Application Security Testing) tool for analyzing client-side JavaScript. For JavaScript, the rest of the market is really super-grep.

For native mobile apps, there are some vendors who use cool instrumentation technology to find intentionally malicious apps — but they don’t find much in the way of custom code vulnerabilities that can really hurt your organization.

Closing Arguments

Certainly there are issues in client-side applications. Even though a client issue only compromises one single client, in extreme situations, that’s all it takes to make the impact of a vulnerability truly critical.

I would also never say you can outright ignore the client. It’s hard to build a culture of security if it’s only security sometimes or security some places. However, we should stay focused on the types of flaws that can be really harmful — which, thankfully, there aren’t many of in the client.

The Mobile Zone is brought to you in partnership with Strongloop and IBM.  Visually compose APIs with easy-to-use tooling. Learn how IBM API Connect provides near-universal access to data and services both on-premises and in the cloud.


Published at DZone with permission of Jeff Williams, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}