Some days ago, I was browsing exploit-db.com as I used to do when working in IT Security projects. One of the first exploits I saw was related with an iPad application to transfer contents using WIFI (Air transfer from Darinshoft).
When I saw the description I couldn't believe it could be so easy and dangerous, so I downloaded and installed the App on my iPad. I try the exploit from my MacBook and ..... Bingo!!
I could crash the application and get contents although the web interface access was password protected.
(Exploit was communicated on August the 19th and Application is not yet patched)
All that made me think about the Mobile Apps to connect to SCADA systems and the IoT solutions big Automation Companies are designing.
Then I remember a nice article from Eric Byrnes that described the Software Quality problem the ICS have to face in a daily basis.
"Academic research tells us that most commercial software contains 3 - 10 defects for every thousand lines of code (KLOC), and that 1% to 5% of these result in vulnerabilities. That works out to between 0.03 and 0.5 vulnerabilities per KLOC."
Translating those concepts to the Apple Store (September 2014) we could find the following:
If we do the same with Google Play, results roughly could doubled this.
We need to go back to basics and define security requirements from the very beginning in every App development (Server, Desktop or Mobile), and be very cautious when thinking in applying these fancy iPads Apps in ICS. Even if your CEO is asking for the same solution he saw in his last meeting with other colleagues.
