Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/17/2015
11:00 AM
Subbu Sthanu
Subbu Sthanu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Mobile App Security: 4 Critical Issues

Securing the mobile workforce in the age of BYOD is no easy task. You can begin with these four measures.

In the wake of the explosion of mobile devices, organizations are increasingly embracing mobile apps as a way to improve productivity and meet employee requests to seamlessly work anywhere. There’s one critical question that many users and organizations continue to overlook: are mobile apps secure and protected from malicious hackers?

New data indicates that there is definitely room for improvement. A recent study of 640 businesses by the Ponemon Institute for IBM found that the average company tests less than half of the mobile apps they build, and 33% never test their apps for security before they go on the market. This disparity could potentially expose users to sophisticated cyberattacks, which could enable hackers to gain access to the vaults of corporate and personal data living on mobile devices.
 
A large number of companies have adopted bring-your-own device (BYOD) policies; 55 percent now allow employees to use and download business apps on their personal devices, according to Ponemon. To compound issues even further, 67% of companies allow employees to download non-vetted apps to work devices.
 
So how do we secure the mobile work force in the age of BYOD? Begin with these steps to address four key issues:
 
Issue 1: Building Secure Apps
Mobile malware exploits vulnerabilities or bugs in the coding of the mobile apps. Applying security best practices to mobile app development, including the use of source code scanning tools, can help make mobile apps resilient to such an attack. It is also important to analyze code from third parties, or any app that is allowed to coexist on phones used by employees. In this case, executables rather than source code should be scanned.
  
This concern arises out of a growing trend of hackers to create fake app versions. Hackers can obtain a public copy of a mobile app, reverse engineer it, place malicious code into the app, and redeploy it to the market. Unsuspecting victims then download and use the app, leaving their credentials and personal information exposed to the hackers, including sensitive corporate data such as financials, credit card accounts, patient records, intellectual property, and customer information.

Issue 2: Making Devices Risk-Aware
An app’s security is deeply impacted by the underlying device’s security. An unsecured device is one that has been modified by its owner or an unauthorized app to bypass operating system security, in turn allowing the installation of any app and from any source. Such devices, known as jailbroken or rooted devices, are very susceptible to mobile malware. While many organizations prevent such devices from accessing company networks, jailbreak technology is evolving to evade detection.
 
Worse, attackers using mobile malware don’t rely solely on a jailbroken device to facilitate fraudulent activities. Users who grant excessive use of permissions to the mobile applications —often by default — can also provide a pathway for malware to basic services like SMS.

To address these issues, it’s incumbent on organizations to adopt technology that will allow device risk to be incorporated into mobile application structure and detect mobile malware. For example, if an app were to execute a sensitive transaction – and the device is rooted or jailbroken -- the app may elect against executing the task.

Essentially, by making apps “device risk-aware,” organizations can restrict certain functionalities, remove sensitive data, and prevent access to enterprise resources. Enterprises should look into ways to dynamically gauge the security of the underlying device because the risk introduced by compromised devices is an often overlooked aspect of mobile security.

Issue 3: Preventing Data Theft and Leakage
When mobile apps access company data, documents are often stored on the device itself. If the device is lost, or if data is shared with non-business applications, the potential for data loss is heightened.
 
Businesses should develop a “selective remote wipe” capability to erase sensitive data from stolen, lost, or otherwise compromised mobile devices. Restricting the sharing of company data with non-business apps can help prevent data leakage.
  
Issue 4: Restricting High-Risk Access & Transactions
Mobile apps are built to interact with backend services. For example, mobile banking apps allow customers to transfer money to third parties, while mobile CRM apps enable salespeople to update their forecasts and access critical account data. By using context (such as where the access or transaction is coming from, at what time and the action requested) and risk factors (i.e. whether the device is compromised or if the time/location is suspicious), it is possible to prevent or restrict the access to company systems and delay transaction execution.

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hnrindani
50%
50%
hnrindani,
User Rank: Apprentice
10/31/2017 | 6:58:06 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Appreciate the point raised by you. Device-level security ensures that anything you do through any of the applications is done securely. But an app developer cannot think about user having such software and so each app developed should consider important security measures while developing an app, especially if the app is a web application.
NauraL623
50%
50%
NauraL623,
User Rank: Apprentice
4/25/2017 | 10:24:23 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
This vpn app for android https://www.purevpn.com/vpn-app-for-android.php helps in protecting your financial records.
alinafoster
50%
50%
alinafoster,
User Rank: Apprentice
7/27/2015 | 1:31:44 AM
Mobile App Security: 4 Critical Issues
Nice to read crictical issues about mobile security.

Thanks for the info..
thescottking
100%
0%
thescottking,
User Rank: Apprentice
7/21/2015 | 10:42:24 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Delaying the transactions would create user issues. People already have expectations on how the devices work in the consumer world and they expect the same at work.

Instead of delaying, combine a couple of these points with device level security. It is possible to place software on the device that detects threats and remediates based on policies set up in advance. The software will know if an application is spying on you or it elevates privileges after installing. It will also know if you are under a network attack like a man in the middle attack from someone on the network. If you concentrate on the device level security you can cover all of the issues stated above.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/20/2015 | 12:34:51 PM
Issue 4: Restricting High-Risk Access & Transactions
The delaying of transactions is a tricky notion. Theoretically understandable, but similar to False Rejection Rate principles, you may run into much pushback if the delay becomes an issue to authorized users.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.