Mobile App Security: 4 Critical Issues

Securing the mobile workforce in the age of BYOD is no easy task. You can begin with these four measures.

Subbu Sthanu, Director, Mobile Security & Application Security, IBM

July 17, 2015


In the wake of the explosion of mobile devices, organizations are increasingly embracing mobile apps as a way to improve productivity and meet employee requests to seamlessly work anywhere. There’s one critical question that many users and organizations continue to overlook: are mobile apps secure and protected from malicious hackers?

New data indicates that there is definitely room for improvement. A recent study of 640 businesses by the Ponemon Institute for IBM found that the average company tests fewer than half of the mobile apps it builds, and 33% never test their apps for security before they go on the market. This gap could expose users to sophisticated cyberattacks, which could enable hackers to gain access to the vaults of corporate and personal data living on mobile devices.
 
A large number of companies have adopted bring-your-own-device (BYOD) policies; 55% now allow employees to use and download business apps on their personal devices, according to Ponemon. To compound the problem, 67% of companies allow employees to download non-vetted apps to work devices.
 
So how do we secure the mobile work force in the age of BYOD? Begin with these steps to address four key issues:
 
Issue 1: Building Secure Apps
Mobile malware exploits vulnerabilities or bugs in mobile app code. Applying security best practices to mobile app development, including the use of source code scanning tools, can help make mobile apps resilient to such attacks. It is also important to analyze code from third parties, or any app that is allowed to coexist on phones used by employees. In this case, executables rather than source code should be scanned.
  
This concern arises from a growing trend among hackers of creating fake versions of apps. Hackers can obtain a public copy of a mobile app, reverse engineer it, place malicious code into the app, and redeploy it to the market. Unsuspecting victims then download and use the app, leaving their credentials and personal information exposed to the hackers, along with sensitive corporate data such as financials, credit card accounts, patient records, intellectual property, and customer information.

Issue 2: Making Devices Risk-Aware
An app’s security is deeply affected by the underlying device’s security. An unsecured device is one that has been modified by its owner or by an unauthorized app to bypass operating system security, in turn allowing the installation of any app from any source. Such devices, known as jailbroken or rooted devices, are very susceptible to mobile malware. While many organizations prevent such devices from accessing company networks, jailbreak technology is evolving to evade detection.
 
Worse, attackers using mobile malware don’t rely solely on a jailbroken device to facilitate fraudulent activities. Users who grant excessive permissions to mobile applications, often by default, can also provide a pathway for malware to basic services like SMS.

To address these issues, it’s incumbent on organizations to adopt technology that incorporates device risk into the mobile application’s logic and detects mobile malware. For example, if an app is about to execute a sensitive transaction and the device is rooted or jailbroken, the app may decline to execute the task.

Essentially, by making apps “device risk-aware,” organizations can restrict certain functionalities, remove sensitive data, and prevent access to enterprise resources. Enterprises should look into ways to dynamically gauge the security of the underlying device because the risk introduced by compromised devices is an often overlooked aspect of mobile security.

Issue 3: Preventing Data Theft and Leakage
When mobile apps access company data, documents are often stored on the device itself. If the device is lost, or if data is shared with non-business applications, the potential for data loss is heightened.
 
Businesses should develop a “selective remote wipe” capability to erase sensitive data from stolen, lost, or otherwise compromised mobile devices. Restricting the sharing of company data with non-business apps can help prevent data leakage.
  
Issue 4: Restricting High-Risk Access & Transactions
Mobile apps are built to interact with backend services. For example, mobile banking apps allow customers to transfer money to third parties, while mobile CRM apps enable salespeople to update their forecasts and access critical account data. By using context (such as where the access or transaction is coming from, at what time, and the action requested) and risk factors (e.g. whether the device is compromised or whether the time or location is suspicious), it is possible to prevent or restrict access to company systems and delay transaction execution.
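The device-risk rule from Issue 2 and the context-and-risk gating from Issue 4 can be expressed as one backend policy check. The following is an added example, not code from the article or from IBM; the signals, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    RESTRICT = "restrict"   # reduced functionality, e.g. read-only access
    DELAY = "delay"         # hold the transaction for review before execution
    DENY = "deny"

# Actions the business considers sensitive (assumed list).
SENSITIVE_ACTIONS = {"transfer_funds", "export_account_data"}

@dataclass(frozen=True)
class Request:
    action: str
    device_compromised: bool  # rooted/jailbroken, as reported by the app's device check
    hour_utc: int             # hour of the request, 0-23
    country: str              # country derived from the source IP (constructed value)
    home_country: str         # country this user normally accesses from

def risk_score(req: Request) -> int:
    """Sum the risk signals. Weights are illustrative, not from the article."""
    score = 0
    if req.device_compromised:
        score += 3
    if req.country != req.home_country:      # unusual location
        score += 2
    if req.hour_utc < 6 or req.hour_utc >= 23:  # outside normal hours
        score += 1
    return score

def decide(req: Request) -> Decision:
    sensitive = req.action in SENSITIVE_ACTIONS
    score = risk_score(req)
    # Issue 2: a sensitive transaction from a compromised device is refused outright.
    if sensitive and req.device_compromised:
        return Decision.DENY
    # A compromised device keeps only restricted, non-sensitive functionality.
    if req.device_compromised:
        return Decision.RESTRICT
    # Issue 4: suspicious time or location on a sensitive action delays execution.
    if sensitive and score >= 2:
        return Decision.DELAY
    # Non-sensitive access that is both off-hours and from an unusual place is restricted.
    if score >= 3:
        return Decision.RESTRICT
    return Decision.ALLOW
```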

About the Author

Subbu Sthanu

Director, Mobile Security & Application Security, IBM

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and business operations functions for Data, Network, Web, Email, People and Cloud & Managed Security solutions.
