Best Practices to Maximize Your Organization’s Mobile Application Security

In previous articles, I’ve discussed the importance of managing mobile application security threats in your organization and selecting optimal application security and risk management solutions to meet your specialized needs; but what factors should you consider when embarking on a mobile application security program for the very first time?

1. Understand Your Threat Environment

In its white paper titled “Securing Applications in the Wild with Application Hardening and Run-Time Protection,” IBM partner Arxan Technologies reported that 78 percent of the top 100 iOS and Android applications had been turned into hacked variants and at least 86 percent of mobile malware consisted of legitimate applications unpacked, infected with malicious payloads and then repackaged.

Think about those statistics in the context of your organization’s, customers’ and partners’ mobile users. How many of them access mobile app stores on a daily basis? What protections are in place to prevent users from downloading “look-alike” applications that could bear malicious payloads? How do you protect the privileged corporate data that’s stored on their devices from potential hackers?

2. Calculate the Cost of a “Do-Nothing” Approach

Many organizations defer mobile application security initiatives, believing that they don’t have a sufficient budget to support such programs. Look at the decision from a different perspective, however: What are the potential costs to your organization for not maximizing mobile application security?

In May, IBM and the Ponemon Institute released the ninth annual “2014 Cost of Data Breach Study: Global Analysis.” According to the research, the average total cost of a data breach for companies participating in the study increased in the last year by 15 percent to $3.5 million. The average cost companies paid for each lost or stolen record that contained sensitive and confidential information increased by more than 9 percent from $136 in 2013 to $145 in this year’s study.

Make sure that you’re able to clearly quantify the potential costs of a data breach should your organization decide not to take immediate action to improve its mobile security. Calculate the estimated number of sensitive data records that your organization manages and multiply the number of records by the $145 average cost; the result is a rough, worst-case estimate of what a breach could cost your business, since it assumes every record is exposed and applies an industry-wide average rather than your own per-record figures. Even as a rough figure, it will likely be much higher than you might have imagined. Can you truly afford that kind of expense?

3. Gain Executive Buy-In from the Outset

With significant data breaches being reported on an almost daily basis, organizational security has become a C-level concern, which is why it’s important to involve executive management in your plans from the very start.

When “pitching” your initial business case to management, make sure that you provide stakeholders with the financial metrics to which I referred above. You should also inform your management team of the potential impact that data breaches can have on your organization’s brand image, customer satisfaction levels and competitive positioning.

To prepare for your discussion, consult a website that summarizes recent data breaches. Review a sample of recent breaches from the site on your own and analyze the impact of each on the affected organization’s media coverage, customer perception and even stock price.

Can you think of a company that was once considered a leader in its industry space but is now dogged by negative press attention? That could be your organization one day!

4. Realize that “Technology Alone Is Not Enough”

When implementing a security program, remember that technology is only as strong as the people using it. Even if you introduce the most effective mobile application scanning, application hardening or run-time protection technologies into your IT environment, user education will be a critical factor in determining whether your security program will succeed or fail.

Users must be encouraged to report lost or stolen devices quickly, without fear of reprisal; they must be taught to select applications carefully from popular app stores and only install applications that are approved for use by your organization; they should participate in routine security awareness training sessions, which reinforce the importance of security best practices.

In my experience, the most effective way to educate users is through a high-level security project sponsor who understands the importance of organizational security and is able to communicate potential security risks effectively across the organization. Select someone who’s comfortable with reporting results to executive management but who also has strong rapport with employees at all levels within the organization. The sponsor should also be an effective listener who is able to incorporate recommendations for security improvements from training sessions and integrate them into ongoing security initiatives. Always remember that the best ideas for security protection often come from those who work closest to the security threats.

5. Develop Skills and Increase Knowledge Through a Pilot Program

So you’re all set: You’ve received funding for a mobile application security program, and stakeholders are on board with the new initiative, but you’re anxious to show immediate results in order to maintain focus on — and funding for — your program. What’s the next step?

I recommend that you begin with a pilot program in a single geographic region or in one of your company’s divisions. This approach will enable you to get a clear assessment of security preparedness in the pilot region or division, both before and after project implementation. In addition, you’ll have quick successes that you can report back to executive management, lessons learned that can be applied to future regions or divisions, and internal advocates who can promote your initiative on your behalf by word of mouth.

Selecting the Right Application Security Technology

Now that you’ve learned how to successfully implement a mobile application security program, what technology choices are available in the market to execute that program? In order to address the growing market need for comprehensive mobile application security protection, IBM has partnered with Arxan Technologies to provide a new and critical component in our application security portfolio.

Arxan Application Protection for IBM Solutions provides run-time protection, self-defense and tamper resistance inside mobile applications running on all major mobile platforms, including Apple iOS, Android, Windows Phone, BlackBerry and Tizen.

Compared to centralized Web environments, mobile applications live “out in the wild” on a distributed, fragmented and unregulated mobile device ecosystem. Unprotected binary code in mobile applications can be accessed, examined, modified and exploited by attackers much more easily than you might think. The basic protections inherent in popular app stores (code signing and review at distribution time) and most mobile device management (MDM) and mobile application management (MAM) solutions operate around the application rather than inside it: once the binary is on a device, an attacker can pull it off, disassemble it, patch it and re-sign it under a different key, and those controls will not notice.

The constantly evolving mobile environment makes applications vulnerable to reverse engineering and a number of other new threats that are addressed by Arxan’s proprietary, binary-level “guard” technology. Our new partnership and product release permits enterprises to leverage IBM’s extensive security solutions portfolio to not only build applications securely, but also to keep them secure by integrating application hardening and run-time protection into mobile application security.
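The repackaging threat from section 1 (a legitimate app unpacked, infected with a payload and repackaged) and the tamper-resistance point above both come down to the same question: does the package on the device still match what the developer shipped? The script below is an added example, not code from the article or from Arxan or IBM. It builds a constructed, minimal APK-like zip in memory, writes a JAR-signing (v1) MANIFEST.MF with a SHA-256-Digest for each entry, and then re-verifies those digests the way the platform installer does, so a patched classes.dex or an added payload file is reported. The file contents, package name and payload are all made up for the demonstration.

```python
"""Detect a repackaged APK by re-checking the JAR-signing (v1) manifest digests.

Constructed example: a minimal APK-like zip is built in memory with a
META-INF/MANIFEST.MF whose SHA-256-Digest entries cover each file, then a
"repackaged" copy (classes.dex patched, an extra payload added) is checked
against the same manifest. Nothing here is a real app or real malware.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.MF"


def build_manifest(entries: dict) -> bytes:
    """Write a MANIFEST.MF with one Name/SHA-256-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed-example", ""]
    for name, data in sorted(entries.items()):
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def build_apk(entries: dict, manifest: bytes = None) -> bytes:
    """Pack the entries plus a manifest into a zip; the manifest defaults to a correct one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST_NAME, manifest if manifest is not None else build_manifest(entries))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> declared SHA-256 digest (base64), unfolding continuation lines."""
    # JAR manifests wrap long lines and mark the continuation with a leading space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    digests, name = {}, None
    for line in unfolded.split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":
            name = None  # blank line ends the current section
    return digests


def verify_apk(apk: bytes) -> list:
    """Return (entry, problem) findings; an empty list means every file matches the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        declared = parse_manifest(z.read(MANIFEST_NAME).decode())
        present = {n for n in z.namelist() if not n.startswith("META-INF/")}
        for name in sorted(present):
            if name not in declared:
                findings.append((name, "not covered by manifest"))
                continue
            actual = base64.b64encode(hashlib.sha256(z.read(name)).digest()).decode()
            if actual != declared[name]:
                findings.append((name, "digest mismatch"))
        for name in sorted(set(declared) - present):
            findings.append((name, "listed in manifest but missing"))
    return findings


# Constructed sample contents (not real app code or real bytecode).
ORIGINAL_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.bank'/>",
    "classes.dex": b"dex\n035\x00original bytecode",
}
ORIGINAL_APK = build_apk(ORIGINAL_ENTRIES)

# A repackaged variant: the bytecode is patched and a payload is dropped in,
# but the legitimate manifest is reused, as a careless repackager might do.
REPACKAGED_ENTRIES = dict(ORIGINAL_ENTRIES)
REPACKAGED_ENTRIES["classes.dex"] = b"dex\n035\x00bytecode with injected payload"
REPACKAGED_ENTRIES["assets/payload.bin"] = b"constructed payload"
REPACKAGED_APK = build_apk(REPACKAGED_ENTRIES, manifest=build_manifest(ORIGINAL_ENTRIES))

if __name__ == "__main__":
    print("original:  ", verify_apk(ORIGINAL_APK) or "OK")
    print("repackaged:", verify_apk(REPACKAGED_APK))
```

The digest check is exactly what a careful repackager defeats: after patching, the attacker regenerates the manifest and re-signs the package with their own key, so every digest matches again. The check that survives that step is comparing the signing certificate of the installed package against the fingerprint the developer expects (on Android, via the package's signature from PackageManager), and that comparison has to run inside the app itself, which is the kind of run-time guard the hardening products described above provide, and which the attacker will in turn try to locate and patch out.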
