Mobile
7/17/2015
11:00 AM
Subbu Sthanu

Mobile App Security: 4 Critical Issues

Securing the mobile workforce in the age of BYOD is no easy task. You can begin with these four measures.

In the wake of the explosion of mobile devices, organizations are increasingly embracing mobile apps as a way to improve productivity and meet employee requests to seamlessly work anywhere. There’s one critical question that many users and organizations continue to overlook: are mobile apps secure and protected from malicious hackers?

New data indicates that there is definitely room for improvement. A recent study of 640 businesses by the Ponemon Institute for IBM found that the average company tests less than half of the mobile apps it builds, and 33% never test their apps for security before releasing them to market. This testing gap can expose users to cyberattacks that give hackers access to the stores of corporate and personal data living on mobile devices.
 
A large number of companies have adopted bring-your-own-device (BYOD) policies; 55% now allow employees to use and download business apps on their personal devices, according to Ponemon. Compounding the problem, 67% of companies allow employees to download non-vetted apps to work devices.
 
So how do we secure the mobile workforce in the age of BYOD? Begin with these steps to address four key issues:
 
Issue 1: Building Secure Apps
Mobile malware exploits vulnerabilities or bugs in the code of the mobile apps themselves. Applying security best practices to mobile app development, including the use of source code scanning tools, helps make mobile apps resilient to such attacks. It is also important to analyze code from third parties, and any app that is allowed to coexist on employees' phones. Source code is rarely available in those cases, so the compiled packages (the APK or IPA binaries) should be scanned instead.
  
This concern arises from a growing trend of hackers creating fake versions of legitimate apps. A hacker obtains a public copy of a mobile app, reverse engineers it, inserts malicious code, re-signs the package with a key of their own (the original publisher's signing key is not available to them), and redeploys it to an app market. Unsuspecting victims then download and use the app, exposing their credentials and personal information to the hackers, along with sensitive corporate data such as financials, credit card accounts, patient records, intellectual property, and customer information.
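As an added illustration (not code from the original article or from IBM), the following Python script shows a vetting check a publisher can run against a marketplace copy of its own app: it compares the signing-certificate fingerprint against the release key and diffs the package entries against the release build, which catches both the re-signing and the injected code described above. The APKs, certificates and hashes are constructed inside the script. Real APKs carry the certificate inside a PKCS#7 signature block (META-INF/*.RSA) or the v2/v3 APK Signing Block, from which it must be extracted first (for example with apksigner verify --print-certs); the constructed packages here store the bare certificate bytes in META-INF/CERT.RSA as a simplification.

```python
import hashlib
import io
import zipfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the DER-encoded X.509 signing certificates. In a real APK the
# certificate sits inside the PKCS#7 block META-INF/*.RSA (or inside the v2/v3 APK Signing
# Block) and is extracted first, e.g. with `apksigner verify --print-certs`.
PUBLISHER_CERT = b"constructed DER: CN=Example Corp Release Key"
ATTACKER_CERT = b"constructed DER: CN=Totally Legit Apps"

# Fingerprints of the keys we actually release with (the allowlist).
TRUSTED_SIGNER_FINGERPRINTS = {sha256_hex(PUBLISHER_CERT)}


def build_apk(entries):
    """Assemble an in-memory zip from a name -> bytes mapping (an APK is a zip file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def entry_hashes(apk_bytes):
    """SHA-256 of every non-signature entry, keyed by path inside the package."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: sha256_hex(z.read(n)) for n in z.namelist() if not n.startswith("META-INF/")}


def signer_fingerprint(apk_bytes):
    """SHA-256 fingerprint of the signing certificate, or None if the package is unsigned.
    Simplification for the constructed packages: META-INF/CERT.RSA holds the bare certificate."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            return None
        return sha256_hex(z.read(blocks[0]))


def vet_apk(candidate, release_baseline):
    """Compare a marketplace copy against the entry hashes of our own release build.
    Returns a list of findings; an empty list means the copy is what we shipped."""
    findings = []
    fp = signer_fingerprint(candidate)
    if fp is None:
        findings.append("unsigned package: no signature block under META-INF/")
    elif fp not in TRUSTED_SIGNER_FINGERPRINTS:
        findings.append(f"signer mismatch: certificate {fp[:16]}... is not our release key")
    cand = entry_hashes(candidate)
    for name in sorted(set(cand) - set(release_baseline)):
        findings.append(f"added entry: {name}")
    for name in sorted(set(release_baseline) - set(cand)):
        findings.append(f"missing entry: {name}")
    for name in sorted(set(cand) & set(release_baseline)):
        if cand[name] != release_baseline[name]:
            findings.append(f"modified entry: {name}")
    return findings


# Constructed sample data: our release build, and a repackaged copy found on a third-party market.
RELEASE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.crm'/>",
    "classes.dex": b"dex\n035 original bytecode",
    "res/layout/main.xml": b"<LinearLayout/>",
}
release_apk = build_apk({**RELEASE_ENTRIES, "META-INF/CERT.RSA": PUBLISHER_CERT})
RELEASE_BASELINE = entry_hashes(release_apk)

repackaged_apk = build_apk({
    **RELEASE_ENTRIES,
    "classes.dex": b"dex\n035 original bytecode + credential-stealing hook",  # injected code
    "lib/arm64-v8a/libhook.so": b"constructed ELF payload",                    # added native library
    "META-INF/CERT.RSA": ATTACKER_CERT,                                         # re-signed by attacker
})

if __name__ == "__main__":
    for label, apk in (("release build", release_apk), ("marketplace copy", repackaged_apk)):
        print(f"{label}: {vet_apk(apk, RELEASE_BASELINE) or ['matches release']}")
```

The signer check alone is decisive for a repackaged app, because the attacker cannot reproduce the publisher's key; the entry diff is what tells you what was changed, which is useful when reporting the clone to the market operator.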

Issue 2: Making Devices Risk-Aware
An app's security is deeply affected by the underlying device's security. An unsecured device is one that has been modified, by its owner or by an unauthorized app, to bypass operating system security controls, allowing any app from any source to be installed. Such devices, known as jailbroken (iOS) or rooted (Android) devices, are highly susceptible to mobile malware. While many organizations block such devices from accessing company networks, jailbreak tooling is evolving to evade detection, so a single check for a known file or binary cannot be relied upon.
 
Worse, mobile malware does not need a jailbroken device to commit fraud. Users who grant apps excessive permissions, often by accepting the defaults, also give malware a pathway to basic services such as SMS, the channel many services use to deliver one-time passcodes.

To address these issues, organizations should adopt technology that feeds device risk into the application's own logic and detects mobile malware. For example, if an app is asked to execute a sensitive transaction on a device that is rooted or jailbroken, the app can decline to perform it.

Essentially, by making apps "device risk-aware," organizations can restrict certain functions, remove sensitive data, and prevent access to enterprise resources. Enterprises should look for ways to gauge the security of the underlying device dynamically, at the time of each request, because the risk introduced by compromised devices is an often overlooked aspect of mobile security.

Issue 3: Preventing Data Theft and Leakage
When mobile apps access company data, documents are often stored on the device itself. If the device is lost, or if data is shared with non-business applications, the potential for data loss is heightened.
 
Businesses should develop a "selective remote wipe" capability to erase sensitive data from stolen, lost, or otherwise compromised mobile devices. Unlike a full factory reset, a selective wipe removes only corporate data and leaves the employee's personal photos, messages and apps intact, which is what makes it acceptable on BYOD devices. Restricting the sharing of company data with non-business apps (for example, blocking copy-and-paste and "open in" from managed to unmanaged apps) can help prevent data leakage.
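As an added example (not code from the original article or from any IBM product), the following Python sketch shows the mechanism behind a selective wipe: corporate data is kept in its own store, encrypted under a key that exists only while the device is enrolled, and the wipe command destroys that key (crypto-shredding) rather than resetting the phone, so leftover ciphertext on flash is useless. The WorkProfile class, file names and contents are constructed for the example; the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC so the script runs on the standard library alone, and a production container should use AES-GCM from a vetted library instead.

```python
import hashlib
import hmac
import secrets


def _subkey(master, label):
    """Derive separate encryption and MAC keys from the one container key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream. Constructed so the example runs on
    the standard library alone; a real container should use AES-GCM from a vetted library."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class WorkProfile:
    """Corporate data on a BYOD phone, kept in its own store and encrypted under a key that
    only exists while the device is enrolled. Personal data lives elsewhere in plaintext
    and is never touched by the enterprise."""

    def __init__(self):
        self.personal = {}
        self.corporate = {}                  # name -> (nonce, ciphertext, tag)
        self.key = secrets.token_bytes(32)   # provisioned at enrollment

    def save_personal(self, name, data):
        self.personal[name] = data

    def save_corporate(self, name, data):
        if self.key is None:
            raise PermissionError("device not enrolled: corporate store unavailable")
        nonce = secrets.token_bytes(16)
        ct = _xor(data, _keystream(_subkey(self.key, b"enc"), nonce, len(data)))
        tag = hmac.new(_subkey(self.key, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.corporate[name] = (nonce, ct, tag)   # encrypt-then-MAC

    def read_corporate(self, name):
        if self.key is None:
            raise PermissionError("corporate key revoked: records are unrecoverable")
        nonce, ct, tag = self.corporate[name]
        expected = hmac.new(_subkey(self.key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{name}: integrity check failed")
        return _xor(ct, _keystream(_subkey(self.key, b"enc"), nonce, len(ct)))

    def selective_wipe(self):
        """The MDM's 'selective remote wipe': destroy the container key (crypto-shredding)
        and drop the records. Personal data is untouched, unlike a full factory reset."""
        self.key = None
        self.corporate.clear()


def demo():
    """Constructed walk-through: enroll, store both kinds of data, lose the phone, wipe."""
    phone = WorkProfile()
    phone.save_personal("IMG_0042.jpg", b"family photo bytes")
    phone.save_corporate("q3_forecast.xlsx", b"pipeline: $4.2M")
    before = phone.read_corporate("q3_forecast.xlsx")
    phone.selective_wipe()            # device reported lost
    try:
        phone.read_corporate("q3_forecast.xlsx")
        after = "readable"
    except (PermissionError, KeyError):
        after = "unrecoverable"
    return before, after, phone.personal


if __name__ == "__main__":
    print(demo())
```

The same key-revocation step also covers the case where the device is offline when the wipe is issued, provided the key is only ever held in the work profile and is re-fetched or re-validated against the MDM before use; a container that caches the key indefinitely defeats the purpose.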
  
Issue 4: Restricting High-Risk Access & Transactions
Mobile apps are built to interact with backend services. For example, mobile banking apps allow customers to transfer money to third parties, while mobile CRM apps enable salespeople to update their forecasts and access critical account data. By combining context (where the access or transaction is coming from, at what time, and what action is requested) with risk factors (whether the device is compromised, or whether the time or location is suspicious), the backend can deny or restrict access to company systems, or delay execution of a transaction until it has been verified.
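The following Python module is an added example, not code from the original article or from IBM, and it serves both Issue 2 and Issue 4: a backend risk engine that takes the device posture the app reports (root/jailbreak artefacts found on disk, permissions held by unvetted apps) together with the transaction's context (location, time, action, amount) and returns one of ALLOW, STEP_UP, HOLD, RESTRICT or DENY. The artefact paths are commonly cited indicators, not an exhaustive list; the thresholds, dataclass names, sample user, locations and postures are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Commonly cited root/jailbreak artefacts an app can look for on disk. A hit is a signal,
# not proof: jailbreak tooling hides these, so a real deployment adds platform attestation.
ROOT_ARTEFACTS = {"/system/xbin/su", "/system/bin/su", "/system/app/Superuser.apk", "/data/adb/magisk"}
JAILBREAK_ARTEFACTS = {"/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
                       "/usr/sbin/sshd", "/etc/apt"}
# Permissions that let a co-installed app read one-time codes delivered by SMS.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SENSITIVE_ACTIONS = {"transfer", "export_accounts", "update_forecast"}
IMPOSSIBLE_SPEED_KMH = 900.0   # assumed threshold: faster than an airliner since the last session
HIGH_AMOUNT = 5000.0           # assumed threshold for step-up on transfers


@dataclass
class DevicePosture:
    artefacts_found: set            # filesystem artefacts the app observed on the device
    unvetted_app_permissions: set   # permissions held by non-business apps on the device


@dataclass
class Transaction:
    user: str
    action: str
    amount: float
    at: datetime
    lat: float
    lon: float


@dataclass
class UserBaseline:
    last_lat: float
    last_lon: float
    last_seen: datetime
    usual_hours: range              # UTC hours in which this user normally transacts


def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def device_findings(posture):
    found = []
    if posture.artefacts_found & (ROOT_ARTEFACTS | JAILBREAK_ARTEFACTS):
        found.append("device compromised: root/jailbreak artefacts present")
    if posture.unvetted_app_permissions & SMS_PERMISSIONS:
        found.append("SMS readable by an unvetted app: one-time codes can be intercepted")
    return found


def context_findings(tx, baseline):
    found = []
    hours = max((tx.at - baseline.last_seen).total_seconds() / 3600.0, 1 / 60)
    speed = haversine_km(baseline.last_lat, baseline.last_lon, tx.lat, tx.lon) / hours
    if speed > IMPOSSIBLE_SPEED_KMH:
        found.append(f"impossible travel: {speed:.0f} km/h since last session")
    if tx.at.hour not in baseline.usual_hours:
        found.append(f"unusual hour: {tx.at.hour:02d}:00 UTC")
    if tx.amount > HIGH_AMOUNT:
        found.append(f"high amount: {tx.amount:.2f}")
    return found


def decide(tx, posture, baseline):
    """Return (decision, reasons). ALLOW executes; STEP_UP demands fresh authentication;
    HOLD queues the transaction for out-of-band confirmation (the article's 'delay');
    RESTRICT serves read-only data with no caching; DENY refuses outright."""
    dev, ctx = device_findings(posture), context_findings(tx, baseline)
    compromised = any(f.startswith("device compromised") for f in dev)
    sensitive = tx.action in SENSITIVE_ACTIONS
    if compromised:
        return ("DENY" if sensitive else "RESTRICT"), dev + ctx
    if sensitive and (dev or any(f.startswith("impossible travel") for f in ctx)):
        return "HOLD", dev + ctx   # an SMS step-up would itself be interceptable here
    if sensitive and ctx:
        return "STEP_UP", ctx
    return "ALLOW", ctx            # non-sensitive reads proceed; reasons are still logged


# Constructed sample inputs.
UTC = timezone.utc
BASELINE = UserBaseline(40.7128, -74.0060, datetime(2015, 7, 17, 2, 0, tzinfo=UTC), range(7, 23))
CLEAN = DevicePosture(set(), {"android.permission.CAMERA"})
ROOTED = DevicePosture({"/system/xbin/su"}, set())
SMS_EXPOSED = DevicePosture(set(), {"android.permission.READ_SMS"})


def request(action, amount, hour, lat=40.7128, lon=-74.0060):
    return Transaction("alice", action, amount, datetime(2015, 7, 17, hour, 0, tzinfo=UTC), lat, lon)


if __name__ == "__main__":
    print(decide(request("transfer", 200.0, 14), CLEAN, BASELINE))
    print(decide(request("transfer", 200.0, 14), ROOTED, BASELINE))
    print(decide(request("transfer", 200.0, 3, 51.5074, -0.1278), CLEAN, BASELINE))
```

HOLD is the "delay" the article proposes. It is reserved here for the cases where a step-up would be unsafe or pointless (SMS readable by another app, or a login that cannot physically be the same person), so that ordinary users with a clean device and a normal pattern never see it.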

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...
Comments
hnrindani, 10/31/2017 | 6:58:06 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Appreciate the point raised by you. Device-level security ensures that anything you do through any of the applications is done securely. But an app developer cannot think about the user having such software, and so each app developed should consider important security measures while developing an app, especially if the app is a web application.
NauraL623, 4/25/2017 | 10:24:23 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
This VPN app for Android, https://www.purevpn.com/vpn-app-for-android.php, helps in protecting your financial records.
alinafoster, 7/27/2015 | 1:31:44 AM
Mobile App Security: 4 Critical Issues
Nice to read about critical issues in mobile security.

Thanks for the info.
thescottking, 7/21/2015 | 10:42:24 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Delaying the transactions would create user issues. People already have expectations on how the devices work in the consumer world and they expect the same at work.

Instead of delaying, combine a couple of these points with device-level security. It is possible to place software on the device that detects threats and remediates based on policies set up in advance. The software will know if an application is spying on you or if it elevates privileges after installing. It will also know if you are under a network attack like a man-in-the-middle attack from someone on the network. If you concentrate on device-level security you can cover all of the issues stated above.
RyanSepe, 7/20/2015 | 12:34:51 PM
Issue 4: Restricting High-Risk Access & Transactions
The delaying of transactions is a tricky notion. Theoretically understandable, but similar to False Rejection Rate principles, you may run into much pushback if the delay becomes an issue to authorized users.