Risk
12/11/2013
08:13 AM

5 Steps To Managing Mobile Vulnerabilities

With employees bringing their smartphones and tablets into the workplace, companies need to work to limit the threat posed by mobile applications

On the second Tuesday of every month, information technology and security groups rush to fix vulnerabilities in their desktop systems, reacting to the regularly scheduled Patch Tuesday implemented by Microsoft and Adobe.

Yet, in most cases, the plethora of smartphones and tablets carried by employees and the hundreds of applications on those devices are not managed, and fixing vulnerabilities on those systems is left up to the user. While the software ecosystem surrounding mobile devices typically means that mobile applications are regularly updated, the risk of those software programs is typically an unknown for most companies.

Businesses need to start paying attention to the mobile software coming in the front door to make sure their data is not headed out that same portal, says Chris Wysopal, chief technology officer for application-security firm Veracode.

"Mobile application management is becoming as important as mobile device management," he says. "The app layer is where all the risky behavior is happening."

While mobile applications are relatively new attack vectors, security researchers and application developers have shown that vulnerabilities do exist. The Master Key and SIM card vulnerabilities demonstrated at the Black Hat security conference show that platform issues can lead to exploitable vulnerabilities. Yet more common are rogue applications that are legitimate but use aggressive advertising frameworks or tactics to collect a disproportionate amount of information on the user.

[At Black Hat USA, a team of mobile-security researchers show off ways to circumvent the security of encrypted containers meant to protect data on mobile devices. See Researchers To Highlight Weaknesses In Secure Mobile Data Stores.]

Currently, Veracode and other companies are seeing interest in managing mobile vulnerabilities and risk from the largest enterprises -- those with the most at risk. Yet with the proliferation of mobile devices, more companies will have to worry about vulnerable and risky apps, Bala Venkat, chief marketing officer at application-security firm Cenzic, said in an e-mail interview.

"The explosion of mobile devices, growing number of new applications on devices, and the access of data anywhere from any device or platform poses a very challenging security environment for organizations."

For companies that want to tame the risk from their mobile applications, Venkat and other security experts recommend the following five steps.

1. Focus on the apps, not the device.
While many companies have mobile-device management (MDM) systems to help them deal with their fleet of devices, the bring-your-own-device (BYOD) movement has left a gap in their coverage. The devices are no longer owned by the businesses, so managing them can be a policy problem. In addition, the threat is less about the device and more about the applications, says Domingo Guerra, founder and president of Appthority.

With businesses having thousands of employees and hundreds of applications on the devices, managing the applications should be the focus for most companies, he says.

"There are a lot of different points of possible data breaches," Guerra says.

2. Catch vulnerabilities at development.
While the vulnerabilities in mobile applications are not handled in the same way as with desktop systems, one area of commonality exists. Companies that develop their own in-house applications need to adopt a secure development life cycle to catch and root out vulnerabilities.

"It is important for companies to ensure their application developers and administrators have a thorough knowledge of the common application attacks, the tools available for detecting vulnerabilities, and the procedures for fixing them," says Cenzic's Venkat.

Vetting third-party code used in the development process is also important. The advertising frameworks used by many mobile developers typically take actions of which the developer may not be aware. Other frameworks should be checked out, as well, says Appthority's Guerra.

"Because it is not all internal code, companies have to be wary," he says.

3. Measure app reputation.
Another way to assess the risk of third-party applications is to use one of the application reputation services. These services, such as Appthority and Veracode's Mobile Application Reputation Service (MARS), check out mobile applications based on runtime and static analysis and create a risk profile for each.

"It is the applications that are purported to be legitimate, but are being monetized through information harvesting that are the bigger risks," says Veracode's Wysopal.

In many cases, companies can apply their own policies to the assessment results and generate white and black lists of mobile applications allowed to access business data or that can be on devices managed by MDM solutions.
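As an added example (not Veracode's or Appthority's own code), the following applies a company policy to constructed reputation results of the kind step 3 describes, turning each vendor risk profile into an allowlist entry, a review-queue entry, or a blocklist entry an MDM could enforce; the app names, behavior labels, ad-framework names and scores are all constructed for illustration.

```python
"""Added example (not Veracode's or Appthority's code): apply a company
policy to constructed app-reputation results and emit allow/block lists."""
from dataclasses import dataclass

# Constructed sample of what a reputation service might report per app
# after static and runtime analysis; risk_score is the vendor's 0-100 score.
SAMPLE_ASSESSMENTS = [
    {"app": "com.example.expenses", "risk_score": 12, "behaviors": [], "ad_frameworks": []},
    {"app": "com.example.flashlight", "risk_score": 71,
     "behaviors": ["reads_contacts", "sends_device_id", "cleartext_http"],
     "ad_frameworks": ["AggressiveAdsSDK"]},
    {"app": "com.example.notes", "risk_score": 35, "behaviors": ["cleartext_http"], "ad_frameworks": []},
    {"app": "com.example.chat", "risk_score": 48, "behaviors": ["reads_contacts"], "ad_frameworks": ["KnownOkAds"]},
]

@dataclass(frozen=True)
class Policy:
    """Company policy layered on top of the vendor's risk profile."""
    max_risk_score: int = 50                      # vendor score above this blocks the app
    forbidden_behaviors: frozenset = frozenset({"sends_device_id", "cleartext_http"})
    review_behaviors: frozenset = frozenset({"reads_contacts"})   # allowed only after human review
    blocked_ad_frameworks: frozenset = frozenset({"AggressiveAdsSDK"})

def classify(assessment, policy):
    """Return (verdict, reasons) where verdict is 'allow', 'review' or 'block'."""
    reasons = []
    behaviors = set(assessment.get("behaviors", []))
    if assessment["risk_score"] > policy.max_risk_score:
        reasons.append(f"risk score {assessment['risk_score']} exceeds {policy.max_risk_score}")
    reasons += [f"forbidden behavior: {b}" for b in sorted(behaviors & policy.forbidden_behaviors)]
    reasons += [f"blocked ad framework: {s}" for s in assessment.get("ad_frameworks", [])
                if s in policy.blocked_ad_frameworks]
    if reasons:                      # any hard violation wins, even if the vendor score is low
        return "block", reasons
    flagged = sorted(behaviors & policy.review_behaviors)
    if flagged:
        return "review", [f"needs review: {b}" for b in flagged]
    return "allow", []

def build_lists(assessments, policy=Policy()):
    """Split apps into the allowlist, a review queue and the blocklist an MDM can enforce."""
    lists = {"allow": [], "review": [], "block": []}
    for a in assessments:
        verdict, reasons = classify(a, policy)
        lists[verdict].append((a["app"], reasons))
    return lists
```

Note that the notes app is blocked on a policy rule alone despite a low vendor score, which is the point of layering the company's own rules on the vendor's profile.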

4. Encrypt data on the device and in transit.
A key consideration for many companies is whether the mobile devices employees use for work encrypt the information stored on them. Mobile containerization technology can wrap applications in code that enforces encryption and lets the company manage the keys.

Companies should also worry about unencrypted communications to cloud services, says Cenzic's Venkat.

"Storing unencrypted sensitive data on often-lost mobile devices is a significant cause for concern, but the often unsecured Web services commonly associated with mobile applications can pose an even bigger risk," he says.

5. Make security easy to use.
Finally, employees will get around security measures unless they are easy to use. To retain productivity gains, businesses should support the way that employees work, says Veracode's Wysopal.

"People want to be able to grab a file off of Dropbox," he says. "If people cannot interact between a corporate environment and the personal environment, then users will complain and reject the monolithic corporate apps and security."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
