Enterprise Mobile Application Security


Newer and more powerful mobile devices are introduced into the market each day. This, combined with the ever-expanding reach the Internet has on us, has not only changed the way enterprises do business but has also altered our lifestyle. For enterprise solutions, all this translates to better user satisfaction, increased revenue and improved productivity. But of course, where there’s a pro, there’s bound to be a con. We don’t have to be Peter Parker to understand Uncle Ben’s words: “With great power comes great responsibility”. Building a mobile application for an enterprise brings great benefits to the organization but requires even greater attention to implementing stronger security measures to protect the users.


I’ve started paying more attention than ever before after the recent security attacks on tech giants like PayPal, eBay, Sony and consumer biggies like Target. Some of the things that are constantly running on my mind these days are: how am I going to protect my enterprise users from
  • Accidental data leakage through apps
  • Malicious theft of data from devices via targeted attacks
  • Compromised devices reaching corporate networks

I’ve come to realize that, as we get smarter each day, so do the hackers. They have shifted their focus to mobile applications as a medium owing to their increased vulnerability to attacks. Off the top of my head, here are some reasons why I think mobile applications are vulnerable:
  • Unlike web applications where the security is implemented at the server level, mobile apps are installed in the device that could be reverse-engineered and exploited
  • A lot of sensitive data resides on the device and can be extracted using the right tools
  • Reverse engineered apps on open-source platforms could be repackaged with malicious code and redistributed
  • There is minimal or no control over using enterprise apps on jail-broken/rooted devices
  • Lack of proper security testing before releasing the application to stores
  • Lack of a standard development methodology in addressing the application security
  • Using the application from public networks and unsecured Wi-Fi zones

An enterprise’s ultimate goal would be to eliminate security threats altogether; implementing the right management strategies and creating sound security policies takes it a step closer:
  • Installation Protection – Restrict installation authorization to non-jailbroken and non-rooted devices, and subsequently disable running the app if the device is jailbroken or rooted after installation
  • Enable Application Expiration – Allow the application to run only for a specific period before it times out due to inactivity
  • Authentication – Build a proper authentication process like SSO, device authorization, biometric verification etc. to reduce the possibility of a vulnerability exploit
  • Device Data Encryption – Implement strong encryption meeting standards like FIPS 140-2 and Suite B for sensitive and user-critical data
  • Data Connection Encryption – Use strong encryption algorithms for data transferred OTA (over the air) with absolutely NO compromise on keys. An ideal solution would be to develop an algorithm that keeps the encryption/decryption keys private
  • Application Connectivity Protocols – A protocol should give access only to its specific functionality and not the entire device; favor HTTPS over HTTP for a service request to the server. An even better idea would be to use a VPN to connect to the server
  • Copy/Paste & Screen-shot Protection – Disable copy/paste option and/or screen-shot data capture within the application
  • Remote Wipe – The application should have a feature that remotely wipes its data even without MDM
  • Data Integrity Check – Build an algorithm that verifies data integrity so that any tampered or malicious (“worm”) data is detected before it becomes part of the data model
  • Application Integrity Check – At the time of app login, compare the checksum of the app with the checksum recorded when it was first downloaded to check for integrity
  • Auto update – Verify the new versions of an app and facilitate for the automatic updating of application to keep in line with bug fixes and security enhancements
  • Log Enabling – Enable app logs to track user activity and capture crash logs, and share them with the mobile apps admin without user intervention
  • Track Application Usage and Analyze – Track application usage data and share it with the mobile apps admin without user intervention
  • Implement MDM & MAM tools that best address enterprise needs. AirWatch is one of the best MDM tools; WSO2 is an MDM tool that is licensed free
  • Install sound antivirus protection tools on the mobile device

The system integrator plays a major role when strategizing and building mobile solutions for enterprise applications:
  • Establish mobile application development guidelines, standards and templates in addressing enterprise mobile application security requirement
  • Build frameworks that would address data security in device and OTA transfer. In addition to this, the framework must support the ability to verify data integrity between mobile applications and the enterprise server
  • Perform one round of security testing. Refer to the table for a list of security testing tools
  • Create a deployment process with a workflow to screen, certify, and approve apps
  • Build tools that assure application security in an agile development environment
  • Build Threat Detection Algorithms into the server capabilities 
  • Most importantly, understand and strategize the right security platform and recommend the MDM & MAM platforms that best address enterprise security needs
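As an added illustration (my own sketch, not code from the original post), the Python below shows the Application Integrity Check and Data Integrity Check from the enterprise strategy list, and the app-to-server data integrity verification the system integrator’s framework is asked to support. The package bytes, the HMAC key and the sample record are constructed placeholders; on a real device the package bytes would be the installed binary and the key would be provisioned by the enterprise server.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the installed app package. On a real device this
# would be the APK/IPA bytes or the code signature the platform exposes.
ORIGINAL_PACKAGE = b"enterprise-app v1.0 (constructed sample package bytes)"

# Constructed placeholder key. In production the integrity key is provisioned
# per device/session by the enterprise server, never hard-coded in the app.
DEMO_KEY = b"constructed-demo-key-do-not-ship"


def package_checksum(package_bytes: bytes) -> str:
    """SHA-256 hex digest of the app package.

    The digest computed at first download is the baseline. Keep that baseline
    on the server (or signed), so a rooted device cannot simply rewrite it."""
    return hashlib.sha256(package_bytes).hexdigest()


def app_is_intact(current_package: bytes, baseline_checksum: str) -> bool:
    """Application Integrity Check at login: the current checksum must equal
    the baseline. compare_digest runs in constant time, so the comparison
    does not reveal where the digests diverge."""
    return hmac.compare_digest(package_checksum(current_package), baseline_checksum)


def _canonical(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the app and the server
    # hash identical bytes regardless of dict ordering or formatting.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag before a record leaves the app (or the server)."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(envelope: dict, key: bytes) -> bool:
    """Data Integrity Check on the receiving side: recompute the tag and compare.
    Any change to the record, or a tag produced with a different key, fails."""
    if not isinstance(envelope, dict) or "record" not in envelope:
        return False
    expected = hmac.new(key, _canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("tag", "")))


def login_check(current_package: bytes, baseline_checksum: str,
                envelope: dict, key: bytes) -> str:
    """Combined gate run at app login: proceed only if both the app binary and
    the inbound data record verify."""
    if not app_is_intact(current_package, baseline_checksum):
        return "deny: application checksum mismatch"
    if not verify_record(envelope, key):
        return "deny: data integrity tag mismatch"
    return "allow"


if __name__ == "__main__":
    baseline = package_checksum(ORIGINAL_PACKAGE)
    env = sign_record({"user": "alice", "role": "sales", "quota": 100}, DEMO_KEY)
    print(login_check(ORIGINAL_PACKAGE, baseline, env, DEMO_KEY))                    # allow
    print(login_check(ORIGINAL_PACKAGE + b"\x00patched", baseline, env, DEMO_KEY))   # deny: application checksum mismatch
    env["record"]["quota"] = 100000   # payload edited in transit, old tag kept
    print(login_check(ORIGINAL_PACKAGE, baseline, env, DEMO_KEY))                    # deny: data integrity tag mismatch
```

Two points follow from the threat list earlier in the post: because sensitive data on a device can be extracted with the right tools, the HMAC key and the baseline checksum should live on, or be validated by, the enterprise server rather than only in app storage; and because the app binary itself can be repackaged, the checksum comparison is a detection control that complements, not replaces, platform code signing and the MDM/MAM posture checks.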

Users are an important piece of the puzzle as well. Ensuring data security doesn’t end with just the solution providers doing their duty. As users, there are certain things they need to do to ensure that all the hard work done by the solution provider doesn’t go to waste:
  • If not biometric authentication, users need to have password protection on their mobile devices at the least
  • Keep the device OS up to date to patch any security flaws and bugs in the OS
  • Do not keep Bluetooth “On” always. This is one of the most common entry points for hackers to get into the user’s device and manipulate data
  • Do not use unknown wireless networks, especially when the network is unprotected
  • Do not jailbreak or root your device. If you jailbreak or root the device, the device is compromised. Technically, by doing this you are just serving up your data on a silver plate to the hackers
  • Do not download applications from unauthorized third-party stores. Sometimes even apps you download from the recommended store may carry malware. In such cases, it is left to you to make a call on the genuineness of the app
  • Immediately update downloaded applications when a new release is available
  • Install genuine antivirus software

Each day holds newer surprises and shocks when it comes to implementing IT security, whether it pertains to mobile devices or server applications. What do we do? I think the first step would be to recognize that, in addition to MDM and MAM, the success of building a secure mobile application depends on the enterprise mobile application strategy and policy. A system integrator plays a major role by introducing a rigid app development environment with robust frameworks and tools that ensure application security. Like I said earlier, everyone involved with the app is a piece of the puzzle. Even if one piece doesn’t fit in, the puzzle is left hanging and incomplete.

Additional read: refer to my SlideShare deck - Enterprise Mobile Application Security

Cheers,
Venkat Alagarsamy
