Commentary
7/17/2015, 11:00 AM
Subbu Sthanu
Mobile App Security: 4 Critical Issues

Securing the mobile workforce in the age of BYOD is no easy task. You can begin with these four measures.

In the wake of the explosion of mobile devices, organizations are increasingly embracing mobile apps as a way to improve productivity and meet employee requests to seamlessly work anywhere. There’s one critical question that many users and organizations continue to overlook: are mobile apps secure and protected from malicious hackers?

New data indicates that there is definitely room for improvement. A recent study of 640 businesses by the Ponemon Institute for IBM found that the average company tests fewer than half of the mobile apps it builds, and 33% never test their apps for security before releasing them. That gap exposes users to attacks that could give hackers access to the corporate and personal data held on mobile devices.
 
A large number of companies have adopted bring-your-own-device (BYOD) policies: 55% now allow employees to use and download business apps on their personal devices, according to Ponemon. Compounding the problem, 67% of companies allow employees to download non-vetted apps to work devices.
 
So how do we secure the mobile work force in the age of BYOD? Begin with these steps to address four key issues:
 
Issue 1: Building Secure Apps
Mobile malware exploits vulnerabilities and bugs in the code of the mobile apps themselves. Applying security best practices during development, including static scanning of the source code, helps make apps resilient to such attacks. Code you did not write also needs analysis: third-party libraries bundled into your app, and any app allowed to coexist with yours on employees' phones. For these you usually have no source, so the compiled executables themselves must be scanned.
  
This matters because attackers increasingly create fake versions of legitimate apps. An attacker obtains a public copy of a mobile app, reverse-engineers it, inserts malicious code, and redeploys the repackaged app to a market. Victims who download and use it hand their credentials and personal information to the attacker, and with them whatever corporate data the app can reach: financials, credit card accounts, patient records, intellectual property, and customer information.
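
One concrete form of "scanning the executable" for the repackaging scenario above is to check a package against its own signed manifest. The following is an added example, not code from the article or from IBM: it reads an APK as a zip, parses META-INF/MANIFEST.MF (the v1, JAR-style signature manifest), and reports each file as intact, modified after signing, or never covered by the signature. The constructed sample packages, file names and contents are this example's own. An attacker who re-signs the repackaged app with their own key produces a consistent manifest, so a complete check must also compare the signer certificate against a pinned fingerprint; that step is outside this example.

```python
"""Check an APK's contents against its JAR-signing manifest (META-INF/MANIFEST.MF).

Every file listed in MANIFEST.MF carries a digest taken when the developer signed
the package, so a repackaged APK whose classes.dex was patched without re-signing
fails the digest check, and a file injected after signing has no manifest entry.
An attacker who re-signs with their own key produces a consistent manifest; a
complete check therefore also pins the signer certificate, which is outside this
example. Applies to the v1 (JAR) signature scheme only.
"""
import base64
import hashlib
import io
import zipfile

DIGEST_ALGS = {"SHA-256-Digest": hashlib.sha256, "SHA1-Digest": hashlib.sha1}


def parse_manifest(text: str) -> dict:
    """Return {entry name: {header: value}} for the named sections of a manifest.

    Long manifest values wrap onto continuation lines beginning with one space;
    those are re-joined before the headers are split.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:             # trailing "" flushes the last section
        if not line:
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def verify_apk(apk_bytes: bytes) -> dict:
    """Classify each content entry as 'ok', 'modified' (digest mismatch) or
    'unsigned' (present in the zip but absent from the manifest)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                  # signature files and directories
            entry = manifest.get(name)
            if entry is None:
                results[name] = "unsigned"
                continue
            data = zf.read(name)
            ok = False
            for header, alg in DIGEST_ALGS.items():
                if header in entry:
                    ok = alg(data).digest() == base64.b64decode(entry[header])
                    break
            results[name] = "ok" if ok else "modified"
    return results


def build_apk(shipped: dict, signed: dict) -> bytes:
    """Build a minimal APK-like zip for the demo. `signed` holds the file
    contents the manifest digests are computed over, `shipped` what is packaged."""
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in signed.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        mf += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", mf)
        for name, data in shipped.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the signed original, and a repackaged copy with a patched
# classes.dex and an injected native library that the signer never saw.
ORIGINAL = {"classes.dex": b"dex\n035\x00original", "res/layout/main.xml": b"<layout/>"}
TAMPERED = {**ORIGINAL, "classes.dex": b"dex\n035\x00patched",
            "lib/arm64-v8a/libhook.so": b"\x7fELF"}

if __name__ == "__main__":
    print(verify_apk(build_apk(ORIGINAL, ORIGINAL)))   # all "ok"
    print(verify_apk(build_apk(TAMPERED, ORIGINAL)))   # dex "modified", .so "unsigned"
```

Running the two cases shows the difference between a careless repackager (digest mismatch on classes.dex, an "unsigned" library) and a clean package. Modern APKs are additionally signed with the v2/v3 APK Signing Block, which this check does not read.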

Issue 2: Making Devices Risk-Aware
An app's security depends heavily on the security of the underlying device. An unsecured device is one that has been modified, by its owner or by an unauthorized app, to bypass operating system protections so that any app can be installed from any source. Such jailbroken or rooted devices are highly susceptible to mobile malware. Many organizations block them from company networks, but jailbreak tooling keeps evolving to evade detection.
 
Worse, mobile malware does not need a jailbroken device to commit fraud. Users who grant apps excessive permissions, often by accepting the defaults, can also open a path for malware to basic services such as SMS.

To address these issues, organizations should adopt technology that incorporates device risk into the application's own logic and detects mobile malware. For example, if an app is about to execute a sensitive transaction and the device is rooted or jailbroken, the app can refuse to carry out the task.

By making apps "device risk-aware," organizations can restrict certain functionality, remove sensitive data, and block access to enterprise resources from compromised devices. Enterprises should look for ways to gauge the security of the underlying device dynamically, at the time of each request, because the risk introduced by compromised devices is an often overlooked aspect of mobile security.

Issue 3: Preventing Data Theft and Leakage
When mobile apps access company data, documents are often stored on the device itself. If the device is lost, or if data is shared with non-business applications, the potential for data loss rises.
 
Businesses should build a "selective remote wipe" capability that erases corporate data from a stolen, lost, or otherwise compromised device while leaving the employee's personal data untouched. Restricting the sharing of company data with non-business apps (for example, blocking copy-and-paste or "open in" from managed to unmanaged apps) helps prevent leakage.
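
The usual way to make a selective wipe both fast and reliable is crypto-shredding: corporate data is only ever written to the device encrypted under a container key, and the wipe command destroys that key rather than hunting down every file. The following is an added example, not code from the article or from IBM. The `Device` class, its in-memory "keystore" and "disk", and the sample documents are constructed for illustration. Because it has to run on the Python standard library alone, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; a production app would use AES-GCM from the platform's crypto API with the key held in the hardware-backed keystore.

```python
"""Selective remote wipe by crypto-shredding.

Corporate documents are stored encrypted under a per-container key held in the
device keystore; personal files are not. A selective wipe destroys only the
corporate container key, after which the ciphertext on disk is unrecoverable
while personal data is untouched. The cipher is an HMAC-SHA256 counter-mode
keystream with an encrypt-then-MAC tag so the example runs on the standard
library alone; a real app would use AES-GCM from the platform crypto API.
"""
import hashlib
import hmac
import secrets


class WipedError(Exception):
    """Raised when a container's key has been destroyed."""


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the container key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """Storage split into a personal area (plaintext here) and encrypted containers."""

    def __init__(self):
        self.keystore = {}   # container name -> key; stands in for the OS keystore
        self.disk = {}       # path -> bytes; what someone holding the device can read
        self.personal = {}

    def create_container(self, name: str) -> None:
        self.keystore[name] = secrets.token_bytes(32)

    def put_corporate(self, container: str, path: str, data: bytes) -> None:
        self.disk[f"{container}/{path}"] = encrypt(self.keystore[container], data)

    def get_corporate(self, container: str, path: str) -> bytes:
        key = self.keystore.get(container)
        if key is None:
            raise WipedError(container)
        return decrypt(key, self.disk[f"{container}/{path}"])

    def selective_wipe(self, container: str) -> int:
        """Remote wipe command: destroy the key, leave everything else alone.
        Returns how many stored files this rendered unreadable."""
        self.keystore.pop(container, None)
        return sum(1 for p in self.disk if p.startswith(f"{container}/"))


def demo() -> dict:
    d = Device()
    d.create_container("acme")
    d.put_corporate("acme", "q3-forecast.xlsx", b"constructed sample document")
    d.personal["photo.jpg"] = b"constructed personal file"
    before = d.get_corporate("acme", "q3-forecast.xlsx")
    wiped = d.selective_wipe("acme")
    try:
        d.get_corporate("acme", "q3-forecast.xlsx")
        readable_after = True
    except WipedError:
        readable_after = False
    return {"before": before, "wiped": wiped, "readable_after": readable_after,
            "personal_intact": d.personal["photo.jpg"] == b"constructed personal file",
            "ciphertext_still_on_disk": "acme/q3-forecast.xlsx" in d.disk}
```

Note what the wipe does and does not do: the corporate ciphertext is still on disk afterwards, but without the key it is noise, and the personal file was never touched. That is why the key must live in a store the wipe command can reach even when the device is offline for a while (a local policy timer that shreds the key if the device fails to check in is a common complement), and why the key must never be written to the same unprotected storage as the data.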
  
Issue 4: Restricting High-Risk Access & Transactions
Mobile apps are built to interact with back-end services. For example, mobile banking apps let customers transfer money to third parties, while mobile CRM apps let salespeople update forecasts and access critical account data. By using context (where the access or transaction is coming from, at what time, and what action is requested) together with risk factors (for example, whether the device is compromised or the time and location are suspicious), it is possible to block or restrict access to company systems and to delay execution of high-risk transactions.
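
The decision logic that Issue 2 (device risk-awareness) and Issue 4 (context-based restriction) describe can be expressed as a small policy engine on the back end. The following is an added example, not code from the article or from IBM. It takes a device posture report of the kind an app would send (root/jailbreak indicators, sideloading enabled, the permissions the app holds) plus the request's context (country against the user's usual ones, hour of day, action and amount) and returns allow, step-up, hold or deny. The indicator names, weights, thresholds, user profile and sample requests are all this example's own assumptions; a determined attacker can hide root indicators, so they are treated as one signal among several rather than as proof either way.

```python
"""Risk-aware authorization for sensitive mobile transactions.

Device posture signals reported by the app and the request's context each add
to a risk score, and the score maps to allow, step_up, hold or deny. A sensitive
action from a device showing root signals is denied regardless of score.
Weights, thresholds, indicator names and samples are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

ROOT_INDICATORS = frozenset({"su_binary_present", "test_keys_build",
                             "root_manager_installed", "cydia_present",
                             "hooking_framework_detected"})
EXPECTED_PERMISSIONS = frozenset({"INTERNET", "CAMERA", "USE_BIOMETRIC"})
SMS_LIKE = frozenset({"READ_SMS", "RECEIVE_SMS", "SEND_SMS"})
SENSITIVE_ACTIONS = frozenset({"transfer_funds", "add_payee", "export_accounts"})


@dataclass
class DevicePosture:
    indicators: frozenset = frozenset()      # root/jailbreak signals the app observed
    unknown_sources_enabled: bool = False    # sideloading allowed on the device
    permissions: frozenset = frozenset()     # permissions the app currently holds


@dataclass
class Request:
    action: str
    amount: float
    country: str
    timestamp: datetime
    device: DevicePosture


@dataclass
class UserProfile:
    usual_countries: frozenset
    usual_hours: range        # hours at which this user normally transacts


def score_request(req: Request, profile: UserProfile) -> tuple:
    """Return (score, reasons); higher is riskier. Reasons feed the audit log."""
    score, reasons = 0, []
    rooted = req.device.indicators & ROOT_INDICATORS
    if rooted:
        score += 30
        reasons.append("root/jailbreak signals: " + ", ".join(sorted(rooted)))
    if req.device.unknown_sources_enabled:
        score += 5
        reasons.append("sideloading enabled")
    extra = req.device.permissions - EXPECTED_PERMISSIONS
    if extra & SMS_LIKE:
        score += 20                       # SMS access undermines OTP delivery
        reasons.append("app holds SMS permissions")
    elif extra:
        score += 10
        reasons.append("excess permissions: " + ", ".join(sorted(extra)))
    if req.country not in profile.usual_countries:
        score += 20
        reasons.append(f"unusual country {req.country}")
    if req.timestamp.hour not in profile.usual_hours:
        score += 10
        reasons.append(f"unusual hour {req.timestamp.hour:02d}:00")
    if req.action in SENSITIVE_ACTIONS:
        score += 15 if req.amount < 1000 else 30
        reasons.append(f"sensitive action {req.action} ({req.amount:.2f})")
    return score, reasons


def decide(req: Request, profile: UserProfile) -> str:
    """Map a request to allow, step_up, hold or deny."""
    if req.action in SENSITIVE_ACTIONS and req.device.indicators & ROOT_INDICATORS:
        return "deny"                     # Issue 2 rule: no sensitive task on a rooted device
    score, _ = score_request(req, profile)
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"                  # biometric or out-of-band confirmation
    if score < 90:
        return "hold"                     # delay execution pending review or callback
    return "deny"


# Constructed sample profile, device postures and requests.
PROFILE = UserProfile(usual_countries=frozenset({"US"}), usual_hours=range(7, 23))
CLEAN = DevicePosture(permissions=frozenset({"INTERNET", "CAMERA"}))
SUSPECT = DevicePosture(indicators=frozenset({"su_binary_present", "test_keys_build"}),
                        unknown_sources_enabled=True,
                        permissions=frozenset({"INTERNET", "READ_SMS", "RECEIVE_SMS"}))


def sample_decisions() -> dict:
    day = datetime(2015, 7, 17, 11, 0, tzinfo=timezone.utc)
    night = datetime(2015, 7, 17, 3, 0, tzinfo=timezone.utc)
    cases = {
        "balance_home": Request("view_balance", 0, "US", day, CLEAN),
        "transfer_home": Request("transfer_funds", 250, "US", day, CLEAN),
        "transfer_abroad_night": Request("transfer_funds", 5000, "RO", night, CLEAN),
        "balance_rooted": Request("view_balance", 0, "US", day, SUSPECT),
        "transfer_rooted": Request("transfer_funds", 50, "US", day, SUSPECT),
    }
    return {name: decide(req, PROFILE) for name, req in cases.items()}
```

The graded outcomes matter as much as the deny: a small transfer from a known device at home goes through untouched, a large transfer from an unusual country at night is held rather than silently dropped, and a rooted device can still view a balance after step-up authentication but cannot move money. That is what keeps the delay from becoming the blanket user-experience problem the comments below worry about.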

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...

Comments
hnrindani, 10/31/2017 6:58:06 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Appreciate the point raised by you. Device-level security ensures that anything you do through any of the applications is done securely. But an app developer cannot assume the user has such software, and so each app developed should consider important security measures during development, especially if the app is a web application.

NauraL623, 4/25/2017 10:24:23 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
This VPN app for Android https://www.purevpn.com/vpn-app-for-android.php helps in protecting your financial records.

alinafoster, 7/27/2015 1:31:44 AM
Mobile App Security: 4 Critical Issues
Nice to read about critical issues in mobile security.

Thanks for the info.

thescottking, 7/21/2015 10:42:24 AM
Re: Issue 4: Restricting High-Risk Access & Transactions
Delaying the transactions would create user issues. People already have expectations on how the devices work in the consumer world, and they expect the same at work.

Instead of delaying, combine a couple of these points with device-level security. It is possible to place software on the device that detects threats and remediates based on policies set up in advance. The software will know if an application is spying on you or if it elevates privileges after installing. It will also know if you are under a network attack like a man-in-the-middle attack from someone on the network. If you concentrate on device-level security, you can cover all of the issues stated above.

RyanSepe, 7/20/2015 12:34:51 PM
Issue 4: Restricting High-Risk Access & Transactions
The delaying of transactions is a tricky notion. Theoretically understandable, but, similar to False Rejection Rate principles, you may run into much pushback if the delay becomes an issue for authorized users.