FTC Invites Further Public Comment on Mobile Security #00012

Submission Number: #00012
Submitted by: Andrew Hoog
Initiative Name: FTC Invites Further Public Comment on Mobile Security

I'm CEO and co-founder of viaForensics, a company headquartered in Oak Park, IL, focused on mobile security. Since 2009, our company has published original research, created developer tools, and marketed consumer apps, all geared toward making the mobile ecosystem a safer, more secure environment. As such, I believe we are in a unique position to help the FTC explore issues raised by the 2013 forum examining the state of mobile security.

Secure Development Practices

In a hugely competitive marketplace with great profit potential, speed-to-market often trumps security. Our own studies have shown that over 60% of apps on the market contain vulnerabilities that put consumers at risk. Additionally, mobile devices contain a staggering amount of data: from how we communicate (call logs, contacts, SMS messages and email) to who we communicate with (contact lists, social media accounts), to where we are and how we live (GPS tracking, browser history), and much more. Developers can tap into much of this data with ease, but unless their applications are secure they could be unknowingly leaking highly confidential user data to attackers.

To help developers build more secure apps, we created viaLab (https://viaforensics.com/products/vialab/), a comprehensive mobile application assessment suite that automates the process of identifying risks and vulnerabilities in both custom and third-party mobile apps. viaLab performs data extraction and analysis to show how sensitive info is stored and whether it is encrypted. It also analyzes network traffic and executes man-in-the-middle, SSL proxy, and other common attacks to test app vulnerability. In addition, viaLab reverse engineers the binary code to detect flaws, analyzes app permissions and tests the strength of an app's authentication methods. Beyond identifying a host of vulnerabilities, the tool also recommends fixes.

We've also published the report "42+ Secure Mobile Development Best Practices" (https://viaforensics.com/resources/reports/best-practices-ios-android-se...). This free document defines best practices to avoid many of the most common mistakes we see app developers make. It covers everything from understanding how NAND flash memory works, to how to fully validate SSL certificates, to implementing secure data storage. Most common vulnerabilities we encounter are highly preventable if proper, secure development is implemented early in the Systems Development Life Cycle (SDLC). We maintain this document to help companies make more secure apps and contribute to a safer mobile experience for everyone.

The reality, however, is that until there is greater pressure on developers to take security more seriously, many apps will continue to put users at risk. With no watchdog body to assess app security, consumers must educate themselves and be vigilant about what apps they put on their devices. Until recently, this was difficult for the average mobile user with limited tech knowledge. Mobile security software to date has largely consisted of malware detection (much of it ineffective due to sandboxing). While malware remains a concern, the much greater threat to consumers comes through data leakage due to unsecured apps.

We created viaProtect (https://viaforensics.com/products/viaprotect/) to help consumers understand what their apps are really doing. The product shows what organizations an app is communicating with, what countries data is being sent to, what percentage of their traffic is encrypted, and more. By providing greater transparency about which apps may be putting them at risk, viaProtect allows consumers to make educated decisions about which apps to keep on their devices.

We applaud the FTC for taking the issue of mobile security seriously. With the explosive growth of the mobile marketplace and the evolution of the BYOD workplace, we believe it's an issue that will impact an increasing number of American citizens well into the future.