With concepts such as bring-your-own-device (BYOD) becoming almost indispensable in today’s business environments, employees have both official and personal data on their smartphones and other devices. Because many of these devices are not very secure, hackers are having a field day. Apart from this, the risks of inadvertent data loss have also greatly increased.
In a recent analysis of downloaded applications within organizations, IBM found that these apps had access to confidential business data.
Anyone using a smartphone is aware that downloaded applications require frequent OS updates. Frequent updates cause greater exposure and vulnerability for the phones, which means that they may get corrupted or lose precious, business-critical data. Additionally, because mobile apps can access security-critical servers, storage, and networking systems, these apps are prone to and vulnerable to external attacks in which hackers can intercept data and cause huge losses. In a recent case involving an Android application, a weakness was found that could put personal user information at risk, including not only phone numbers and location details but also account balances.
Because compromised applications may at times lead to irrevocable losses for organizations in terms of finances, brand loyalty, confidential customer information, and intellectual property, application-security testing teams need to be on their toes at all times. They need to think about how to implement a robust, automated, and scalable mobile-specific security management program that can eliminate the looming risks to enterprise data with ease and efficiency.
On a positive note, most organizations have data-loss prevention (DLP) policies in place for blocking devices as soon as they are reported lost. However, most organizations do not have a clue about the type of applications installed on their employees’ mobile phones, and this is a huge cause of concern. To ensure that only safe applications are installed on corporate-owned and corporate-controlled devices, organizations have moved toward implementing mobile application management solutions. Many organizations involved in the generation and management of critical data, such as data relating to finance and security, use advanced DLP measures to control logins and access to data on mobile devices.
What is needed to ensure that your organization has a robust risk management system in place for your applications?
To ensure that mobile applications are secure in all aspects, organizations must follow basic rules:
- Perform stringent tests (perhaps utilizing a cloud-testing lab) for all application types (web, native, and hybrid), for all browsers, for iOS and Android (especially if it is open source), and for all software that might access the application once it is installed.
- Perform continuous static and dynamic analyses; monitor applications to detect problems.
- Perform checks for threats to the application due to weak encryption, client-side injection, and data storage.
- Minimize and verify functionality and permissions, thus simplifying the code. In addition, conduct thorough data validation and perform end-to-end testing of the code to check for any shortfalls related to security.
- Test the back end for any weaknesses in the emulators running the mobile applications.
- Perform thorough testing (automated penetration, functional, performance, etc.) on the application for loopholes related to security and for any weaknesses related to viruses.
- Try to avoid the data storage and transmission. If this is necessary, encrypt data during the process.
- Detect integrity violations using a taint analysis.
- Hard-code the applications so that no one can modify them externally.
- Invest in an automated mobile-app security-testing tool that can perform security assessments, penetration testing, for apps being built using agile methodology.
App developers must also make their apps third-party-friendly and easy to download. This will dissuade mobile users from wanting to jailbreak or root their mobile devices, which makes the devices vulnerable and renders the features related to OS security ineffective. App developers must be motivated and trained to build apps that have strong, built-in security controls to thwart any unwarranted breaches.
If organizations perform the above tests, follow strict app development guidelines, and implement robust frameworks for security testing, they will have done all that is required to keep the mobile applications—and, more importantly, the user data—secure. These measures, coupled with use of DLP, will effectively lead to implementation of stronger security practices.