eGovernment Forschung seit 2001 | eGovernment Research since 2001
Transaction-based mobile applications are the next logical step for local councils as they move further into e-government. Local authorities considering transactions via mobile phones need to learn the lessons of the commercial sector if they are to avoid falling victim to attacks, and must adopt the practices banks and e-commerce websites use to thwart m-commerce attacks.

Local authorities are migrating their services online as part of a national strategy to provide an ‘e-government’ touchpoint for constituents, with many providing mobile internet services through WAP portals. Transactional mobile applications are seen as the next step, providing another avenue for constituents to monitor and settle council payments. Local authorities looking to deploy these payment services first need to put in place the kind of security procedures the commercial sector has adopted. M-commerce applications are vulnerable to tampering during distribution and can often be used to infiltrate and manipulate the application server, potentially exposing large amounts of confidential data about constituents. If the server is breached, data such as user log-ins or passwords, bank account details and other personal information can be harvested.

Transactional mobile applications are typically written in J2ME, making them difficult to hack when hosted online or installed on the handset, but they are relatively simple to intercept when first distributed to the mobile phone via a WAP connection from the website server to the mobile device. The hacker can then intercept the mobile application during the download process, using a PC to gain access to the application source code, remove security features and reload the software.

Typically, the location of the application is sent to the phone on request through a WAP push message. This pulls down a JAD (Java Application Descriptor) file, which in turn gives the location of the application install file, the JAR file. The phone then retrieves the JAR, and it is at this point that the hacker can intercept the code, potentially re-engineering the application as a conduit to the server. The hacker can then use the modified application as a route to attack an otherwise secure server and gain access to the data stored there.

“With the mobile an integral part of people’s lives, it makes sense for councils to bring in m-payments. But many websites that support mobile-based transactional web applications are vulnerable. The mobile is creating new routes through which to attack otherwise secure servers,” said Ken Munro, Co-Founder and Managing Director of SecureTest. “Security may be in place to detect malware and viruses, but there is often little security at the application level and hackers can use the mobile interface as a backdoor. Local authorities need to learn the lessons of the commercial sector before moving into this area.”

SecureTest makes the following recommendations to local authorities looking to implement transactional mobile applications for e-government services:

  • Don’t trust any applications you distribute to mobile users. Validate all input server side, and thoroughly test the application, mobile platform and server.
  • When new users sign up, make sure there are adequate security checks, as this will help to provide an audit trail in the event of an attack.
  • Obfuscate the application code, making it more difficult for hackers to interpret.
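The server-side validation the first recommendation calls for, as an added example that is not SecureTest's or the article's code: it assumes a hypothetical council payment request carrying a bill reference and an amount, plus a constructed in-memory ledger, and it enforces every rule on the server because a re-engineered client may have had its own checks stripped.

```python
# Added example (not from the article): server-side checks for a council
# payment request. The request shape, reference format and ledger are all
# hypothetical/constructed for illustration.
import re
from decimal import Decimal, InvalidOperation

# Constructed sample ledger: what the server itself knows about outstanding bills.
OUTSTANDING_BILLS = {
    "CT-2005-00123": {"owner": "user42", "amount": Decimal("125.50")},
    "CT-2005-00456": {"owner": "user77", "amount": Decimal("80.00")},
}
REFERENCE_RE = re.compile(r"^CT-\d{4}-\d{5}$")  # hypothetical bill reference format
ALLOWED_FIELDS = {"reference", "amount"}


def validate_payment(request, session_user):
    """Return (accepted, reason). Every rule lives here, on the server,
    because a tampered client can omit or bypass any check it once did."""
    if not isinstance(request, dict) or set(request) - ALLOWED_FIELDS:
        return False, "unexpected request shape"
    reference = request.get("reference")
    # Strict whitelist on the reference before it reaches any lookup or query.
    if not isinstance(reference, str) or not REFERENCE_RE.match(reference):
        return False, "malformed bill reference"
    bill = OUTSTANDING_BILLS.get(reference)
    if bill is None:
        return False, "unknown bill"
    # Bind the bill to the authenticated session, not to what the client claims.
    if bill["owner"] != session_user:
        return False, "bill does not belong to this session"
    try:
        amount = Decimal(str(request.get("amount")))
    except InvalidOperation:
        return False, "malformed amount"
    # The server's own record is the authority on what is owed; a client-supplied
    # amount that disagrees (including NaN, negative or zero) is treated as tampering.
    if amount != bill["amount"]:
        return False, "amount does not match server record"
    return True, "ok"


def settle(request, session_user):
    """Apply the payment only after validation; returns the new balance or None."""
    accepted, _ = validate_payment(request, session_user)
    if not accepted:
        return None
    bill = OUTSTANDING_BILLS[request["reference"]]
    bill["amount"] = Decimal("0.00")
    return bill["amount"]
```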

Source: Security Park, 13.06.2005
