Security in the Cloud - Offline Applications
There have been some very public disappearances of cloud-based applications (such as those run by Google and the recent Denial of Service attack on certain services hosted by Amazon's Elastic Compute Cloud (EC2)) that have demonstrated the very real dangers of allowing a third party to run your business-critical applications. Some of the newer technologies appearing to counter this allow browser-based on-line web applications to be cached and used off-line. This ability to access web applications without an Internet connection is essential for the development and reliability of cloud computing. There are three major players in this market: Google Gears, Adobe Air and Microsoft Silverlight. All of these allow users to reliably use cloud applications off-line, with limited loss in productivity.
What are the security considerations for off-line web apps?
Firstly, there is the issue of getting the off-line application installed on the client machine safely. If an attacker can position himself suitably in the network, for example by using a wireless hotspot, it is possible to modify or replace the off-line application code before it is installed on the user's machine. This would leave the end user running malicious code, causing a total compromise of any sensitive information passed to the browser. Adobe Air counters this problem by only allowing securely signed applications to install. However, SSL certificates are currently under close scrutiny from the hacking community, and already two major vulnerabilities have been identified that subvert browser security. Potentially, these types of attacks could be used to allow malicious or modified code to be installed.
Secondly, there is the problem of synchronising the client back to the backend after off-line changes have been made. Even the best client-side input validation can be subverted, and with Google Gears having few controls limiting cross-application access to the client database, it is relatively easy for a user to poison a local database. This makes the synchronisation of the client to the backend servers critical when the client re-connects to the service. The client database must be treated as compromised, and no trust can be placed in the integrity of the data being synchronised. The backend server (as normal) must validate and reject any entries that could harm or poison the backend systems through injection attacks (e.g. SQL injection or Cross-Site Scripting).
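As an added illustration (not code from the original article or from any of the products named), the following is a server-side sync handler for a hypothetical notes application with assumed field rules: each record from the client database is re-validated on the server, stored with bound parameters so SQL metacharacters remain data, and HTML-escaped when rendered back.

```python
import html
import re
import sqlite3

MAX_TITLE, MAX_BODY = 80, 2000  # assumed limits for a hypothetical notes app
ID_RE = re.compile(r"[a-f0-9]{8}")  # assumed format of client-generated ids

def validate_record(rec):
    """Return None if acceptable, else the rejection reason. The client database
    is treated as compromised, so every field is re-checked on the server."""
    if not isinstance(rec, dict) or set(rec) != {"id", "title", "body"}:
        return "unexpected or missing fields"
    if not isinstance(rec["id"], str) or not ID_RE.fullmatch(rec["id"]):
        return "malformed id"
    if not isinstance(rec["title"], str) or not 0 < len(rec["title"]) <= MAX_TITLE:
        return "title length out of range"
    if not isinstance(rec["body"], str) or len(rec["body"]) > MAX_BODY:
        return "body too long"

def sync_records(conn, owner, records):
    """Apply an offline batch; returns (accepted_count, [(id, reason), ...])."""
    accepted, rejected = 0, []
    for rec in records:
        reason = validate_record(rec)
        if reason:
            rejected.append((rec.get("id") if isinstance(rec, dict) else None, reason))
            continue
        # Bound parameters: values travel as data, so a quote cannot alter the SQL.
        conn.execute("INSERT OR REPLACE INTO notes VALUES (?, ?, ?, ?)",
                     (rec["id"], owner, rec["title"], rec["body"]))
        accepted += 1
    conn.commit()
    return accepted, rejected

def render_note(conn, owner, note_id):
    """Fetch a note for display, HTML-escaping it so stored markup stays inert."""
    row = conn.execute("SELECT title, body FROM notes WHERE id = ? AND owner = ?", (note_id, owner)).fetchone()
    return None if row is None else {"title": html.escape(row[0]), "body": html.escape(row[1])}

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id TEXT PRIMARY KEY, owner TEXT, title TEXT, body TEXT)")
    batch = [  # constructed sample batch from a poisoned client database
        {"id": "0a1b2c3d", "title": "Shopping", "body": "milk"},
        {"id": "deadbeef", "title": "x'); DROP TABLE notes; --", "body": "<script>alert(1)</script>"},
        {"id": "01234567", "title": "T", "body": "y" * (MAX_BODY + 1)},
        {"id": "../../etc", "title": "T", "body": "", "role": "admin"},
    ]
    accepted, rejected = sync_records(conn, "alice", batch)
    return accepted, rejected, render_note(conn, "alice", "deadbeef")
```

Running `demo()` accepts the two well-formed records (the injection strings are stored verbatim but harmlessly), rejects the over-long body and the record carrying an unexpected `role` field, and returns the stored markup escaped.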
Thirdly, a new concept for web application developers is that the application's code is now stored on the client machine. This makes it highly vulnerable to local reverse engineering attacks. Any passwords or encryption keys that are hardcoded into the application will be trivial for an attacker to discover. This has particularly large consequences, especially when it comes to session management, authorisation and authentication.
Another area for developers to consider is updating and patching their applications. When a bug or security vulnerability is discovered, code changes on the server have to be replicated throughout the off-line user base. How are the users going to update their off-line clients? This could be difficult considering that users are notoriously bad at patching their systems.
In summary, there are no major changes with the new generation of web applications; the most critical defence is still server-side validation. In the short term, the attack vectors on client-based applications are limited; however, as the technology matures, it is likely that we will see many more cross-application attacks leading to compromise of sensitive data stored within the user's off-line database. Off-line web application developers have to start coding with more thought to local attacks on their code, rather than relying on a server to protect them.
If you have any queries or concerns about the security of your current web site, web applications or about secure application development, please contact us at e-Sentinel.
e-Sentinel is one of Australia’s most trusted, independent providers of information assurance and computer system validation solutions working with clients in passenger air transport, medical, pharmaceutical, manufacturing, critical infrastructure, finance, banking and gaming.
Bill Robson is e-Sentinel’s lead Penetration Tester and over the past decade has assessed the security of some of the largest corporations in the UK and Australia. His passion for information security keeps him on the leading edge of security research and trends in the connected world.