Historically, when companies think about mobile security, the first thing that comes to mind is how to deal with lost or compromised mobile devices. The good news is that many organizations are well on their way to blocking device-based risks by deploying enterprise mobility management (EMM) solutions such as IBM MaaS360.
After addressing device-related risks, businesses generally turn their attention to the applications on employees’ devices, to determine whether those apps pose a threat to user information or organizational data. To assure application security on corporate-owned or corporate-controlled devices, mobile application management (MAM) features have been added to EMM solutions. IBM MaaS360 is also a leader in the EMM marketplace.
More advanced protection measures, such as controlling logins to corporate networks based on device or location, can be added when a higher level of security protection is required.
Protecting the Apps You Build
Unfortunately, there is a gaping hole in many, if not most, mobile security protection measures. The mobile applications that companies are building for their customers, partners and employees — in fact, for the entire world to use — are in most cases not even under the direct control of the security organization.
Mobile applications are taking up a greater percentage of new development budgets within corporations. For example, in its IT survey, “State of Application Development Report,” OutSystems found that:
- Mobility was rated by 43 percent of responders as the most critical business functionality or process for applications.
- More than half of responders plan to add a mobile component to between 51 and 100 percent of their applications.
Moreover, mobile apps are rapidly becoming the most important interaction point with all users. We would think that existing application security programs would effectively address mobile applications as part of existing protection efforts, but there are several factors that have prevented mobile applications from being included in such initiatives:
- Organizations have been slow to recognize the threats posed by mobile applications, since such apps have traditionally been viewed as “browsers in small packages.” However, as growing amounts of data and more advanced capabilities reside on devices, a multitude of new risks of compromise are added.
- Many mobile applications are not built by corporate development organizations, which typically require multiple levels of testing and organizational compliance before applications are released. Instead, numerous marketing, e-commerce, customer care and related organizations autonomously build their own mobile apps, and even more of them outsource mobile development to external consultants, integrators or digital agencies. A recent study by 451 Research found 42 percent of mobile app development is being done outside of IT, and in two years two-thirds of mobile apps will be developed externally.
- In contrast to customary controls and processes that an IT organization can have over deployment of Web or desktop applications, mobile applications can be simply uploaded to an app store with little corporate oversight.
Four Pillars of Application Security Risk Management
So how should you go about securing the mobile applications that you build or have built for you? Ideally, your program should make use of four pillars of risk management:
- Test application code for security vulnerabilities.
- Test completed applications for security vulnerabilities and malware.
- Test the back-end for new vulnerabilities surfaced by mobile applications.
- Harden applications to keep them from potential tampering.
Testing Your Application Code
Testing application code should involve static analysis of actual data flow within the code to determine where it is vulnerable to attack. OWASP has issued a list of the top 10 mobile risks, which includes potential threats such as insecure data storage, client-side injection and broken cryptography.
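To make the idea of data-flow (taint) analysis concrete, here is a small analyzer added for this article; it is not AppScan Source and is not code from the original post. It walks each function in evaluation order, marks variables that receive data from an untrusted source, propagates that taint through assignments, and reports when tainted data reaches a dangerous sink. The source names (`request`, `input()`), the sink names (`execute`, `write`, `hashlib.md5`) and the sample app code it scans are all constructed assumptions chosen to mirror three of the OWASP Mobile Top 10 categories named above: client-side injection, insecure data storage and broken cryptography.

```python
"""Tiny taint-tracking static analyzer (illustrative; not IBM AppScan Source)."""
import ast

# Assumed untrusted inputs and dangerous sinks; a real tool has far larger lists.
SOURCE_ROOTS = {"request"}                                  # data read off a request object
SOURCE_CALLS = {"input"}                                    # calls whose return value is untrusted
INJECTION_SINKS = {"execute", "executescript", "loadUrl"}   # first argument must not be tainted
STORAGE_SINKS = {"write", "putString"}                       # tainted data written to plain storage
WEAK_HASHES = {"md5", "sha1"}                                # hashlib functions flagged as broken crypto


def _names(node):
    """All bare identifiers referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _is_tainted(node, tainted):
    """True if the expression reads a tainted variable or an untrusted source."""
    if _names(node) & (tainted | SOURCE_ROOTS):
        return True
    return any(
        isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id in SOURCE_CALLS
        for n in ast.walk(node)
    )


def analyze(source):
    """Return (line, category) findings for every sink reached by tainted data."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            # 1. Check every call in this statement against the sink lists.
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if not isinstance(call.func, ast.Attribute):
                    continue
                attr = call.func.attr
                if attr in INJECTION_SINKS and call.args and _is_tainted(call.args[0], tainted):
                    findings.append((call.lineno, "client-side injection"))
                elif attr in STORAGE_SINKS and any(_is_tainted(a, tainted) for a in call.args):
                    findings.append((call.lineno, "insecure data storage"))
                elif (attr in WEAK_HASHES and isinstance(call.func.value, ast.Name)
                      and call.func.value.id == "hashlib"):
                    findings.append((call.lineno, "broken cryptography"))
            # 2. Propagate taint through simple assignments, after the sink checks.
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
    return findings


# Constructed sample of app code with three flaws and one safe, parameterized query.
SAMPLE = '''\
import hashlib

def login(request, db):
    user = request.GET["user"]
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    db.execute(query)
    token = request.GET["token"]
    open("/sdcard/token.txt", "w").write(token)
    digest = hashlib.md5(user.encode()).hexdigest()
    db.execute("SELECT 1 FROM users WHERE name = ?", (user,))
'''

if __name__ == "__main__":
    for line, kind in analyze(SAMPLE):
        print(f"line {line}: {kind}")
```

Note that the parameterized query on the last line of the sample produces no finding even though it receives the same tainted `user` value: the analyzer distinguishes data that becomes part of the query string from data passed as a bound parameter, which is exactly the distinction a pattern-matching scan cannot make.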
Testing Your Completed Applications
When your development process has been completed, but prior to applications being uploaded to app stores or otherwise distributed, apps should be tested utilizing IBM Application Security on Cloud. Application Security on Cloud takes an application’s Android APK or iOS IPA, runs it and conducts automated penetration testing against it, analyzing how the application and device respond.
Because this type of dynamic analysis actually runs the application, it can identify additional vulnerabilities that cannot be found with static analysis. However, there are risks that can only be found by analyzing the source code itself. So for the highest level of security protection, both techniques should be utilized.
For most organizations, the best approach is to kick off your application security program with a straightforward solution such as Application Security on Cloud and then progress to IBM Security AppScan Source as your mobile application security program matures and expands.
Testing Your Back-End Services
Securing applications from potential vulnerabilities is a good start, but by itself is insufficient. Mobile apps may surface new vulnerabilities to back-end services and the data that they access.
A good practice is to test the back-end using the mobile app. This can be performed with IBM Security AppScan Standard, which can be configured to conduct penetration testing of the back-end with applications on a device emulator or even on the device itself.
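The kind of flaw this surfaces is one the mobile client never triggers on its own: the app only ever asks for the signed-in user’s own account, so a back-end that forgets to check ownership looks fine in normal use. The following harness, added here as an illustration and not AppScan Standard’s implementation, takes a request as it would be captured from the app through an intercepting proxy, replays variations the app itself would never send, and flags any that the back-end still serves. The captured request, the token table, the `/api/v1/accounts/<id>/statement` endpoint and both back-end handlers are constructed stand-ins for a real service.

```python
"""Replaying a captured mobile API request with adversarial variations (illustrative)."""
import copy

# Request as recorded from the app through an intercepting proxy (constructed).
CAPTURED = {
    "method": "GET",
    "path": "/api/v1/accounts/1001/statement",
    "headers": {"Authorization": "Bearer token-for-user-1001",
                "X-App-Version": "3.2.0"},
}

# Toy back-end state standing in for the real service.
TOKENS = {"token-for-user-1001": 1001, "token-for-user-1002": 1002}
STATEMENTS = {1001: "balance 120.00", 1002: "balance 9.50"}


def _authenticated_user(req):
    auth = req["headers"].get("Authorization", "")
    return TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None


def _requested_account(req):
    parts = req["path"].split("/")
    if (len(parts) == 6 and parts[1:4] == ["api", "v1", "accounts"]
            and parts[5] == "statement" and parts[4].isdigit()):
        return int(parts[4])
    return None


def vulnerable_backend(req):
    """Authenticates the caller but never checks that the caller owns the account."""
    user = _authenticated_user(req)
    if user is None:
        return 401, ""
    acct = _requested_account(req)
    if acct in STATEMENTS:
        return 200, STATEMENTS[acct]          # insecure direct object reference
    return 404, ""


def fixed_backend(req):
    """Same service with the ownership check the mobile client cannot enforce."""
    user = _authenticated_user(req)
    if user is None:
        return 401, ""
    acct = _requested_account(req)
    if acct is None or acct not in STATEMENTS:
        return 404, ""
    if acct != user:
        return 403, ""
    return 200, STATEMENTS[acct]


def probes(captured, other_account="1002"):
    """Variations of the captured request that the app itself would never send."""
    own = captured["path"].split("/")[4]
    idor = copy.deepcopy(captured)
    idor["path"] = captured["path"].replace(own, other_account)
    no_auth = copy.deepcopy(captured)
    del no_auth["headers"]["Authorization"]
    traversal = copy.deepcopy(captured)
    traversal["path"] = captured["path"].replace(own, "../" + other_account)
    return [("another user's account id", idor),
            ("no Authorization header", no_auth),
            ("path manipulation", traversal)]


def run(backend, captured):
    """Replay the capture to confirm it still works, then report every probe that succeeds."""
    status, _ = backend(captured)
    if status != 200:
        raise RuntimeError("baseline replay failed; the capture or its token is stale")
    return [name for name, req in probes(captured) if backend(req)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_backend, CAPTURED))
    print("fixed:     ", run(fixed_backend, CAPTURED))
```

Against a real service the `backend` argument would be a function that sends the request dictionary over HTTPS and returns the status and body; the probe logic stays the same. The baseline replay is there on purpose: a probe that gets a 401 tells you nothing if the captured token had already expired.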
Hardening Your Apps
So, finally you have a secure app and your work is done — or so you think! Remember, mobile apps are very different from traditional applications that remain under the control of your IT department.
Mobile apps by their nature live in the wild in app stores and on devices. Even though they may be secure when they are deployed, once in the wild they are subject to a wide variety of nefarious attacks. For example, hackers can download apps, utilize readily available tools to decompile them, insert malware and publish them back in app stores where they look very similar to authentic applications.
Such malware can do anything from tracking users’ locations, to intercepting transactions to and from financial institutions, to stealing users’ IDs, credentials and cryptographic keys, enabling hackers to impersonate authentic users to access personal or even corporate data.
How can you protect yourself from such threats? The answer is to harden your mobile applications, to protect them from being altered. IBM partners with one of the leading solution providers in this space, Arxan Technologies.
Arxan Application Protection for IBM Solutions leverages a variety of approaches to defend against and detect attacks, including the following:
- Advanced obfuscation;
- Metadata removal;
- Debug detection;
- Resource verification;
- Jailbreak/root detection; and
- Swizzling detection.
As such, the solution can address a wide range of potential application attacks. If an intrusion is detected, applications can self-protect by shutting down, self-repairing or alerting you by phoning home.
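Of the measures listed, resource verification is the one most easily shown in code, so here is a worked example added for this article; it is not Arxan’s implementation and not code from the original post. At build time the app’s resources are hashed into a manifest that ships with the app; at start-up the app re-hashes what is actually on the device and compares, so a repackaged copy with edited, removed or injected files is detected. The directory layout, file contents and the `hook.so` name used to simulate a repackaged app are all constructed.

```python
"""Resource verification via a build-time hash manifest (illustrative)."""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root; run at build time and ship the result with the app."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def verify(root, manifest):
    """Compare the on-device tree with the shipped manifest.

    Returns a sorted list of (relative path, problem) so the caller can decide
    how to react: shut down, restore the resource, or report home."""
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "modified"))
    problems.extend((rel, "unexpected") for rel in current if rel not in manifest)
    return sorted(problems)


def demo():
    """Build a manifest for a constructed app tree, tamper with it, and return both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        originals = {                                   # constructed resources
            "assets/config.json": b'{"api": "https://api.example.com"}',
            "assets/logo.png": b"\x89PNG\r\n\x1a\n",
            "classes.dex": b"dex\n035\x00",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify(root, manifest)                  # expected: nothing to report

        # Simulate what a repackaged copy looks like on a device.
        with open(os.path.join(root, "assets/config.json"), "wb") as f:
            f.write(b'{"api": "https://api.attacker.example"}')   # edited endpoint
        os.remove(os.path.join(root, "assets/logo.png"))          # removed resource
        with open(os.path.join(root, "assets/hook.so"), "wb") as f:
            f.write(b"injected")                                   # injected library
        tampered = verify(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    for rel, problem in demo()[1]:
        print(f"{problem:10} {rel}")
```

The check is only as strong as the protection around it: an attacker who can repackage the app can also edit the manifest or remove the call to `verify`, which is why this measure is paired with the others in the list above (obfuscation and debug detection make the check hard to find and remove, and the expected hashes are best anchored in something repackaging breaks, such as the app’s code signature).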
Putting It All Together
The four approaches we discussed (testing your application code, testing your completed apps, testing your back-end services and hardening your apps) are all vital protection measures for applications that are being built and deployed. Of course, you can always consider starting your risk management program with one of those options, gaining additional expertise, then improving security over time by implementing the other options as your experience grows.
But it’s only when you’ve built all four of the options into your secure development life cycle that you can experience the comfort of knowing you’ve done all you can do to effectively manage your mobile application security.