Meru Cabs: Mobile Security Lessons
Why Organizations Need to Ensure Secure App Development
In the wake of revelations that fleet taxi company Meru Cabs had been inadvertently exposing customer data to the Internet, security experts now advise mobile e-commerce companies to quickly ramp up their security scrutiny.
Earlier in May, Information Security Media Group reported that the cab company's mobile apps were generating and storing sensitive customer logs with personally identifiable information on a public Web server, which also held a host of other sensitive files and code, stored without any encryption or authentication controls (see: Meru Cabs: Customer Data Exposed).
Following ISMG's disclosure, Meru fixed the reported issues. But Meru did not respond to requests for further information about the incident and response. Meru CTO Nilesh Sangoi told ISMG in a prior email that Meru would be patching its apps ASAP, that the issues identified were due to a "minor" server misconfiguration, and that he believes no critical customer data was compromised.
Earlier this year, the Business Standard reported vulnerabilities in the Ola cabs app, which have since been addressed. [Ola is an online taxi aggregator.]
One prominent security thought leader and ex-CISO, who asked to remain anonymous, says a key lesson from these incidents is that companies now need an independent security function, as well as to adopt, review and maintain minimum baseline security standards across their infrastructure.
The Mobile App-Scape
The data exposure at Meru illustrates that even as mobile app adoption is accelerating in India, security is not keeping pace. An instance of the app boom is Myntra.com, India's largest online fashion retailer. Acquired by Flipkart last year, Myntra.com went app-only this month, shutting down its website. Myntra.com already generates more than 90 percent of its traffic and 70 percent of its orders from its mobile app, the Mint reports.
This move demonstrates the challenge: Too many Indian companies are rushing their mobile app rollouts, says Dhananjay Rokde, a former CISO and thought leader with experience in global e-commerce implementations. "Numerous small companies, where IT is not a core competency, are deploying third-party, ready-made application frameworks to build apps quickly; and blindly adopting and implementing them," he says.
Many of these companies are not brick and mortar entities, and do not have their own data centers, IT teams or InfoSec specialists, he adds.
Such haste could lead to security headaches, Rokde warns, as these ready-made e-commerce app frameworks do not offer robust security. Companies rolling out apps "are interested in getting the app to market ASAP, making it jazzy, and building in all kinds of integration," Rokde says. "Security is successively relegated to lower levels of priority until it is end of line."
Aditya Gupta, founder of Bengaluru-based AppSec firm Attify, agrees that lack of in-house security expertise and breakneck release deadlines are the primary causes for concern.
If developers followed basic security guidelines, such as those from OWASP Mobile, or even scanned their apps using free scanners such as AppWatch, a lot of security issues could be avoided, he stresses.
Even when vulnerabilities are reported, smaller companies that have substantial revenue flowing from mobile are reluctant to withdraw apps, Rokde says. Even 10 days of downtime can mean a huge business loss.
Version control is a big problem as well, with many people continuing to use vulnerable apps after flaws have been reported, he says.
Secure Development Guidelines
Essentially, the servers that apps access should have security measures in place to prevent unauthorized users from accessing data, whether those are an organization's own servers or a third party's, according to OWASP.
"When building mobile applications, do a thorough security analysis before releasing it to users," Gupta advises. Companies that lack in-house security expertise should hire third parties to conduct quarterly audits on their infrastructure for the management, Rokde adds.
"An external application security testing company can even audit your app developer - this is very basic due diligence if you develop off-premise," Rokde says.
Another important aspect: Because the vendor has hawked the app framework to multiple companies, when there is an incident, response and support can be sluggish, Rokde says. Given the proliferation of these generic app frameworks, the vulnerabilities have also been just as uniformly distributed.
"This means, if an entity, say Meru, provides cab services using its app, a flaw discovered in the app framework could be exploited by attackers to target other companies known to be using the same framework," Rokde says.
To protect sensitive customer information, companies need to verify that they have data classification and segregation guidelines in place and that sensitive customer data is protected against inappropriate access, whether by administrators, employees or third parties.
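As an added illustration (not code from the article or from any company it names), the following applies a data classification policy to app log events before they are written, so that a log file which ends up somewhere it should not carries no raw customer PII. The field names, the policy map and the sample booking event are all constructed for this example.

```python
import hashlib
import json
import re

# Constructed classification map: field name -> handling rule.
# "drop" removes the field, "hash" keeps a non-reversible token so support
# staff can still correlate events, "mask" keeps only the last four digits,
# "keep" passes the value through. Unlisted fields are dropped by default.
LOG_FIELD_POLICY = {
    "customer_name": "drop",
    "email": "hash",
    "phone": "mask",
    "booking_id": "keep",
    "pickup": "keep",
    "status": "keep",
}


def _mask_phone(value):
    digits = re.sub(r"\D", "", str(value))
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def _hash_value(value, salt):
    # Salted, truncated SHA-256: stable for correlation, not reversible to the raw value.
    return hashlib.sha256((salt + str(value)).encode()).hexdigest()[:16]


def redact_event(event, policy=LOG_FIELD_POLICY, salt="constructed-salt"):
    """Return a copy of the event that is safe to write to an app log."""
    out = {}
    for key, value in event.items():
        rule = policy.get(key, "drop")  # unknown fields are never logged
        if rule == "keep":
            out[key] = value
        elif rule == "mask":
            out[key] = _mask_phone(value)
        elif rule == "hash":
            out[key] = _hash_value(value, salt)
    return out


def to_log_line(event, **kw):
    return json.dumps(redact_event(event, **kw), sort_keys=True)


# Constructed sample event resembling a ride-booking log entry (not real data).
SAMPLE_EVENT = {
    "booking_id": "BK-0001",
    "customer_name": "Test Customer",
    "email": "test@example.com",
    "phone": "+91 98765 43210",
    "pickup": "Terminal 2",
    "status": "confirmed",
    "card_number": "4111111111111111",  # not in the policy, so it is dropped
}

if __name__ == "__main__":
    print(to_log_line(SAMPLE_EVENT))
```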
Reworking the security in ready-made app frameworks can be challenging and usually destroys their modularity. Given the number of integrations and functions these generic frameworks provide, securing each layer might be more trouble than it's worth, Rokde says. He suggests that more companies should consider building their own apps from scratch wherever possible and follow due diligence processes.
Privacy, Legal Liability
While the privacy implications in principle are immense, India does not have a privacy law for directly dealing with breaches. Data protection is covered indirectly by standards defined under Section 43A of the Information Technology Act, 2000 and associated rules.
As a 'body corporate' collecting and processing sensitive personal information of customers in India, Meru is subject to these standards, says Elonnai Hickok, Programme Manager - Internet Governance, for Bengaluru-based research think tank, Centre for Internet and Society.
According to section 43A of the Act, negligence leading to loss or exposure of sensitive information can attract a liability of up to rupees five crores.
"The legal liability could thus consist of exposure to unlimited damages by way of compensation," says Pavan Duggal, a Delhi-based cyber-law expert and Supreme Court advocate. The top management may attract criminal liability, which could be imprisonment and/or fines.
However, no such precedent for a privacy-related case exists in India.
"Real world consequences of Meru's exposure could be acute for an impacted customer," Hickok says. The consequences range from contact information being misused, to being re-sold and used for identity fraud or social engineering.
Until such time as a privacy law is passed, focus on enforcing existing legal frameworks effectively and creating consumer awareness is paramount, Duggal says.