Apps are everywhere and run on a wide range of devices. Most often they are found on personal computers, tablets and mobile phones, but many of them store user data in the cloud. This has many advantages: data is synchronized instantly between multiple devices and restored from the cloud-based server when an old device is replaced with a new one. It saves users the trouble of thinking about their data, and as users adapt to this level of convenience they become more demanding: they want applications to store the data for them so they have one less thing to worry about.
While this seems great and has many perks, the security implications still need to be considered. Many applications store sensitive information in the cloud, but users typically don't know exactly which data is stored or what the app company knows about them. Facebook is a good example: we don't know exactly what information it holds about its users, but we can all agree it is a lot. A banking application, on the other hand, lets users send and receive money, which opens many possibilities for making online purchases and keeping track of income and expenses.
An attacker who gains access to one of these applications could do considerable damage. Some people might not care about cloud-based application security, or about an attacker gaining access to their Facebook profile, because they claim to have nothing to hide. But what if an attacker compromised their online bank account? That crosses a line, regardless of how the user feels about technology and security. This is why it's important to understand cloud-based application security and whether these applications have proper controls in place to detect and prevent the most common attacks.
Let's take a look at some common vulnerabilities in cloud-based applications and provide a baseline for penetration testers and other security professionals to properly protect their cloud-based applications.
Cloud-based application security and the Internet of Things
Every server-side application -- including a cloud-based application -- must have a client-side counterpart that interacts with it in order to do anything useful. The best understood, most researched and most analyzed cloud-based applications are Web applications, which are accessed from a Web browser, normally on a personal computer. Recently, the focus has shifted to smaller devices like smartphones, smart glasses, smart watches and other devices with Internet connectivity, laying the foundations for the Internet of Things (IoT).
An application running on a mobile phone can also communicate with a cloud application to do its work. Many cloud-based applications support a number of different clients; Facebook, for example, can be accessed from a Web browser on a PC, but it also has a custom mobile application that uses the same API. Since the cloud application is the same behind both mobile and Web clients, it contains the same vulnerabilities, regardless of which client is used to interact with it.
For a security professional, discovering and exploiting a security vulnerability in a cloud-based application should yield the same results regardless of which client -- mobile or browser -- is used for testing. Typically, a PC and a Web browser with an intercepting proxy are used to look for security vulnerabilities in cloud applications, but if the application doesn't provide an HTTP(S) endpoint, it might be necessary to go through the custom mobile application. If that happens, don't be alarmed by the unfamiliar territory; look at it from a fresh perspective instead. If the same cloud application were exposed through an HTTP(S) interface, there would be no trouble dissecting it and searching for security vulnerabilities. The mobile version of the app uses the same back end, so it should contain the same vulnerabilities; only the tools and techniques differ slightly.
When it comes to mobile devices or any other smart devices, the security vulnerabilities in cloud-based applications have not changed; only the interface used to interact with them has changed slightly. This is also why only a limited number of tools are available for finding security vulnerabilities in cloud-based applications through a mobile client application.
It's worth emphasizing that every new client device brings its own client-side vulnerabilities, so don't disregard those; but the cloud-based application itself contains the same vulnerabilities regardless of how users interact with it.
Cloud-based applications should be embraced -- when understood
Cloud-based applications have been around for a while, but users have most commonly interacted with them through Web browsers. In the last several years, with the arrival of smartphones, smart watches, smart glasses and other smart devices, the interface to those same cloud applications has changed somewhat. Nowadays, a Web browser is rarely used to connect to the cloud-based application; instead, a purpose-built mobile application or some other client application is used.
While the client-side applications used to interact with cloud-based applications have changed, the cloud-based applications themselves contain the same vulnerabilities as before. The only new problem is the limited number of libraries and programs available to search for those vulnerabilities. Nevertheless, an attacker can control any client application, regardless of the device it runs on, and use it for his own ends.
Penetration testers shouldn't be alarmed by new technologies, but should embrace them and study them thoroughly in order to fully understand them. Only then will they be able to improve the libraries and tools used for testing, which in turn will be used to analyze cloud-based application security and find new vulnerabilities.