Commentary
7/17/2015 11:00 AM
Subbu Sthanu
Mobile App Security: 4 Critical Issues

Securing the mobile workforce in the age of BYOD is no easy task. You can begin with these four measures.

In the wake of the explosion of mobile devices, organizations are increasingly embracing mobile apps as a way to improve productivity and meet employee requests to seamlessly work anywhere. There’s one critical question that many users and organizations continue to overlook: are mobile apps secure and protected from malicious hackers?

New data indicates that there is definitely room for improvement. A recent study of 640 businesses by the Ponemon Institute for IBM found that the average company tests fewer than half of the mobile apps it builds, and 33% never test their apps for security before release. Untested apps expose users to attacks that can give hackers access to the corporate and personal data stored on mobile devices.
 
A large number of companies have adopted bring-your-own-device (BYOD) policies: 55% now allow employees to use and download business apps on their personal devices, according to Ponemon. Compounding the problem, 67% of companies allow employees to download non-vetted apps onto work devices.
 
So how do we secure the mobile work force in the age of BYOD? Begin with these steps to address four key issues:
 
Issue 1: Building Secure Apps
Mobile malware exploits vulnerabilities and bugs in the app's own code. Applying security best practices to mobile app development, including static analysis of the source code, helps make apps resilient to such attacks. Third-party code, and any app allowed to coexist on phones used by employees, should be analyzed as well; since source is usually unavailable in that case, the compiled executable (the APK or IPA) is what gets scanned.
  
Scanning executables matters because attackers increasingly create fake versions of legitimate apps. They obtain a public copy of a mobile app, reverse engineer it, insert malicious code, re-sign the package with their own key (they do not hold the publisher's), and redeploy it to an app market. Unsuspecting victims download and use it, exposing their credentials and personal information along with any corporate data the app handles: financials, credit card accounts, patient records, intellectual property, and customer information.
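As an added example (my illustration, not code from the article or from IBM), the Python script below performs the kind of executable-level check described above: it opens an APK, reads the v1 (JAR) signature block under META-INF/, walks the PKCS#7 SignedData structure to the signer certificate, and compares that certificate's SHA-256 fingerprint with the fingerprint pinned for the legitimate publisher. A repackaged build cannot carry the publisher's signature, so the fingerprint changes. The sample APK, the stand-in certificates and the pinned value are all constructed inside the script so it runs offline; the certificate bodies are placeholders, not real X.509, and the DER walker handles only the single-byte tags this structure uses.

```python
import hashlib
import io
import zipfile

# Entries that hold the v1 (JAR) signature block of an APK.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def _read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]; return (tag, value_start, value_end).
    Single-byte tags and short/long-form lengths are all this structure needs."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element inside buf[start:end]."""
    off = start
    while off < end:
        tag, vstart, vend = _read_tlv(buf, off)
        yield tag, off, vstart, vend
        off = vend


def first_certificate(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob.
    Layout: ContentInfo SEQ { OID, [0] { SignedData SEQ { version, digestAlgs, contentInfo, [0] certs, ... } } }"""
    tag, v0, v1 = _read_tlv(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    content = list(_children(pkcs7, v0, v1))
    if len(content) < 2 or content[1][0] != 0xA0:
        raise ValueError("ContentInfo has no explicit content")
    _, _, sd0, sd1 = content[1]
    stag, _, s0, s1 = next(_children(pkcs7, sd0, sd1))   # SignedData SEQUENCE
    if stag != 0x30:
        raise ValueError("expected SignedData SEQUENCE")
    for tag, _, c0, c1 in _children(pkcs7, s0, s1):
        if tag == 0xA0:                                   # [0] IMPLICIT certificates
            _, cert_start, _, cert_end = next(_children(pkcs7, c0, c1))
            return pkcs7[cert_start:cert_end]
    raise ValueError("SignedData carries no certificate")


def apk_signer_fingerprint(apk_bytes):
    """Hex SHA-256 of the certificate that signed the APK's v1 signature block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                return hashlib.sha256(first_certificate(apk.read(name))).hexdigest()
    raise ValueError("no v1 signature block found")


def is_genuine(apk_bytes, pinned_fingerprints):
    """True when the APK was signed by one of the publisher's pinned certificates."""
    return apk_signer_fingerprint(apk_bytes) in pinned_fingerprints


def _der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


OID_SIGNED_DATA = _der(0x06, bytes.fromhex("2A864886F70D010702"))   # 1.2.840.113549.1.7.2
OID_DATA = _der(0x06, bytes.fromhex("2A864886F70D010701"))          # 1.2.840.113549.1.7.1


def build_sample_apk(cert_der):
    """CONSTRUCTED sample: a zip with the entry layout of a v1-signed APK. The PKCS#7 blob
    has the real field order but placeholder contents; cert_der is a stand-in, not real X.509."""
    signed_data = _der(0x30,
                       _der(0x02, b"\x01")            # version
                       + _der(0x31, b"")              # digestAlgorithms (placeholder)
                       + _der(0x30, OID_DATA)         # encapContentInfo
                       + _der(0xA0, cert_der)         # [0] certificates
                       + _der(0x31, b""))             # signerInfos (placeholder)
    pkcs7 = _der(0x30, OID_SIGNED_DATA + _der(0xA0, signed_data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder/>")
        apk.writestr("classes.dex", b"dex\n035\x00placeholder")
        apk.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        apk.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        apk.writestr("META-INF/CERT.RSA", pkcs7)
    return out.getvalue()


# Constructed stand-in certificates: the vendor's release key and an attacker's re-signing key.
VENDOR_CERT = _der(0x30, b"vendor-release-signing-cert".ljust(160, b"\x00"))
ATTACKER_CERT = _der(0x30, b"attacker-resign-cert".ljust(160, b"\x01"))
VENDOR_FINGERPRINT = hashlib.sha256(VENDOR_CERT).hexdigest()
PINNED_FINGERPRINTS = {VENDOR_FINGERPRINT}

if __name__ == "__main__":
    for label, cert in (("vendor build", VENDOR_CERT), ("repackaged build", ATTACKER_CERT)):
        apk = build_sample_apk(cert)
        print(f"{label}: {apk_signer_fingerprint(apk)[:16]}... genuine={is_genuine(apk, PINNED_FINGERPRINTS)}")
```

Run against real APKs, the same function gives the fingerprint you would compare with the value the publisher lists (or with the fingerprint of the copy you downloaded from the official store). Note that this reads only the v1 signature block; newer APKs also carry v2/v3 signing blocks outside the zip entries, which this check does not inspect.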

Issue 2: Making Devices Risk-Aware
An app's security depends heavily on the security of the underlying device. An unsecured device is one that has been modified by its owner, or by an unauthorized app, to bypass operating-system protections so that any app can be installed from any source. Such jailbroken or rooted devices are highly susceptible to mobile malware. Many organizations block them from company networks, but jailbreak tooling keeps evolving to evade detection.
 
Worse, mobile malware does not need a jailbroken device to commit fraud. Users who grant excessive permissions to mobile applications, often by accepting the defaults, also open a pathway for malware to basic services such as SMS; a malicious app holding SMS permissions can, for example, read one-time passcodes delivered by text.

To address this, organizations should adopt technology that feeds device risk into the app's own logic and detects mobile malware. For example, if an app is about to execute a sensitive transaction and the device is rooted or jailbroken, the app can refuse to execute it.

By making apps "device risk-aware," organizations can restrict certain functions, remove sensitive data from the device, and prevent access to enterprise resources. Enterprises should look for ways to gauge the security of the underlying device dynamically, at the time of each request, because the risk introduced by compromised devices is an often overlooked aspect of mobile security.

Issue 3: Preventing Data Theft and Leakage
When mobile apps access company data, documents are often stored on the device itself. If the device is lost, or if data is shared with non-business applications, the potential for data loss rises.
 
Businesses should deploy a "selective remote wipe" capability that erases sensitive corporate data from lost, stolen, or otherwise compromised devices while leaving the owner's personal data on a BYOD device untouched. Restricting the sharing of company data with non-business apps, for instance by blocking copy, paste and "open in" to unmanaged apps, helps prevent leakage.
  
Issue 4: Restricting High-Risk Access & Transactions
Mobile apps are built to interact with backend services. For example, mobile banking apps let customers transfer money to third parties, while mobile CRM apps let salespeople update forecasts and access critical account data. By combining context (where the access or transaction originates, at what time, and what action is requested) with risk factors (e.g. whether the device is compromised, or whether the time or location is suspicious), the backend can deny or restrict access to company systems, or hold a transaction for confirmation before it executes.
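The device-risk-aware behaviour of Issue 2 and the context-based restriction of Issue 4 come together in one backend decision function. The following is an added example in Python (my illustration, not IBM's product logic): the app reports its root/jailbreak check result and the permissions it holds, the server adds request context (whether the device is enrolled, country, local hour, the action and its amount) and returns ALLOW, RESTRICT, STEP_UP, DELAY or DENY. The score weights, thresholds, action names and permission names are assumptions chosen for the example; the rooted-device rule reproduces the article's own case of refusing a sensitive transaction on a compromised device.

```python
from dataclasses import dataclass

# Actions the app must refuse on a compromised device (assumed names).
SENSITIVE_ACTIONS = {"transfer_funds", "export_accounts", "change_payee"}
# Permissions that give a co-resident malicious app a pathway to SMS codes or screen content.
RISKY_PERMISSIONS = {"READ_SMS", "RECEIVE_SMS", "BIND_ACCESSIBILITY_SERVICE"}
HIGH_VALUE_AMOUNT = 10_000          # assumed threshold for holding a transfer
BUSINESS_HOURS = range(7, 20)       # 07:00 to 19:59 local time (assumed)


@dataclass(frozen=True)
class DeviceContext:
    rooted: bool                    # root/jailbreak detection result reported by the app
    known_device: bool              # device previously enrolled for this user
    country: str                    # resolved from IP or GPS at request time
    local_hour: int
    granted_permissions: frozenset = frozenset()


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    amount: float = 0.0


@dataclass(frozen=True)
class Decision:
    outcome: str                    # ALLOW, RESTRICT, STEP_UP, DELAY or DENY
    score: int
    reasons: tuple


def risk_score(device, usual_countries):
    """Additive risk score from device posture and request context, with the reasons."""
    score, reasons = 0, []
    if device.rooted:
        score += 60
        reasons.append("rooted or jailbroken device")
    for perm in sorted(device.granted_permissions & RISKY_PERMISSIONS):
        score += 15
        reasons.append(f"risky permission granted: {perm}")
    if not device.known_device:
        score += 20
        reasons.append("unenrolled device")
    if device.country not in usual_countries:
        score += 25
        reasons.append(f"unusual country {device.country}")
    if device.local_hour not in BUSINESS_HOURS:
        score += 10
        reasons.append("outside business hours")
    return score, reasons


def decide(device, request, usual_countries):
    """Map device risk plus transaction context to an enforcement outcome."""
    score, reasons = risk_score(device, usual_countries)
    sensitive = request.action in SENSITIVE_ACTIONS

    def outcome(name):
        return Decision(name, score, tuple(reasons))

    if device.rooted:
        # Refuse sensitive transactions outright; serve everything else with sensitive data removed.
        return outcome("DENY" if sensitive else "RESTRICT")
    if score >= 50:
        return outcome("DENY" if sensitive else "RESTRICT")
    if sensitive and request.amount >= HIGH_VALUE_AMOUNT and device.local_hour not in BUSINESS_HOURS:
        return outcome("DELAY")     # hold for out-of-band confirmation instead of executing now
    if sensitive and score >= 25:
        return outcome("STEP_UP")   # re-authenticate before executing
    return outcome("ALLOW")


if __name__ == "__main__":
    usual = {"US"}
    cases = [
        ("clean device, view", DeviceContext(False, True, "US", 10), Request("alice", "view_balance")),
        ("rooted, transfer", DeviceContext(True, True, "US", 10), Request("alice", "transfer_funds", 50)),
        ("new device abroad, transfer", DeviceContext(False, False, "RO", 10), Request("alice", "transfer_funds", 50)),
        ("late large transfer", DeviceContext(False, True, "US", 23), Request("alice", "transfer_funds", 25_000)),
    ]
    for label, device, request in cases:
        d = decide(device, request, usual)
        print(f"{label}: {d.outcome} (score {d.score}; {', '.join(d.reasons) or 'no findings'})")
```

DELAY is reserved for high-value transfers at unusual hours rather than applied across the board, which keeps the user-friction concern raised in the comments below contained; routine requests from a clean, enrolled device pass with no added step.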

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...
Comments
hnrindani (User Rank: Apprentice), 10/31/2017 6:58:06 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Appreciate the point raised by you. Device-level security ensures that anything you do through any of the applications is done securely. But an app developer cannot assume that the user has such software, so each app developed should consider important security measures, especially if the app is a web application.
NauraL623 (User Rank: Apprentice), 4/25/2017 10:24:23 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
This VPN app for Android https://www.purevpn.com/vpn-app-for-android.php helps in protecting your financial records.
alinafoster (User Rank: Apprentice), 7/27/2015 1:31:44 AM
Mobile App Security: 4 Critical Issues
Nice to read about critical issues in mobile security.

Thanks for the info.
thescottking (User Rank: Apprentice), 7/21/2015 10:42:24 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Delaying the transactions would create user issues. People already have expectations on how the devices work in the consumer world and they expect the same at work.

Instead of delaying, combine a couple of these points with device-level security. It is possible to place software on the device that detects threats and remediates based on policies set up in advance. The software will know if an application is spying on you or if it elevates privileges after installing. It will also know if you are under a network attack, like a man-in-the-middle attack from someone on the network. If you concentrate on device-level security you can cover all of the issues stated above.
RyanSepe (User Rank: Ninja), 7/20/2015 12:34:51 PM
Issue 4: Restricting High-Risk Access & Transactions
The delaying of transactions is a tricky notion. Theoretically understandable, but, similar to false-rejection-rate principles, you may run into much pushback if the delay becomes an issue for authorized users.