In 2015, Check Point Software released a report that stated that mobile devices were the weakest link in the security chain. According to its “2015 Security Report,” 72 percent of IT providers agreed that their top mobile security challenge was securing corporate information. Research also revealed that 96 percent of organizations utilized at least one high-risk application, so mobile application security represented one of their key organizational priorities.

The message is clear: Corporate data is at risk, and being made aware of these risks is critical to taking proper precautions to secure mobile devices. In a recent interview, Tyler Shields, formerly of Forrester Research, spoke extensively to IBM about how organizations can prevent and manage mobile application security threats.

A Holistic Approach to Mobile Application Security

According to Shields, safeguarding applications and data should ideally be performed at the development stage of the software development life cycle (SDLC). If all security problems could be identified at this initial stage, with coding proceeding forward securely, there would be no downstream concerns about application security. That would be the ideal situation, but in reality, it’s almost impossible to attain.

Realistically, enterprises should seek to mitigate application risk by securing their app models and embedding apps using third-party tools. This could go a long way in helping them to secure mobile applications from malicious attacks.

Organizations with advanced application security testing programs are now looking at holistic approaches to securing apps that go beyond simply putting SDLC frameworks into place.

Learn How to Make Application Security a Strategically Managed Discipline

Be Preemptive and Be Prepared

Shields reminded us that individual applications are basically blocks of code that need to be secured and 100 percent foolproof. To understand application security more effectively, you need to master the framework of Web and mobile applications.

An app comprises three basic layers:

  • Front-end presentation layer;
  • Application code layer; and
  • Database back-end.

The security models are very similar in each of these, and an attack can happen at any layer. Your challenge is to preempt attacks by making each of the layers more secure.

To learn more about protecting your organization’s application layer, watch the brief YouTube video below:

Three Ms: Monitor, Manage and Mitigate Risk

Repackaged applications are the most targeted apps on mobile these days. For example, a commercial bank can build its own app and make it available on Android and iOS. With the right tools at their disposal, attackers can potentially re-engineer these apps by injecting malware, placing the apps back into the application stores and ultimately storing and controlling devices that download the apps. To prevent these types of attacks, you need to improve the security of the apps being built and released into the wild.

The following video, developed by IBM and Forrester Research, shows how you can improve your security protection:

Achieving Safe and Effective Mobile Application Security

According to Shields, the best way to secure mobile apps in your environment is to create and run your own internal application store. This is definitely not the easiest project to dive into since it requires considerable time and organizational resources. However, the long-term benefits can be tremendous, and eventually you’ll gain perspective on all the apps that enter your environment. Incorporating leading application security testing tools that can analyze apps for unexpected behavior and potential malicious activities will also provide you with a more comprehensive view of security.

While it’s impossible to completely prevent attacks, hacking mobile applications can be made much more difficult if you fine-tune app handling, embed apps with monitoring and tracking systems and increase the overall level of security in your mobile environment. Only by identifying risks can you strengthen your defenses against current and future threats and fully leverage mobility’s core benefit of empowering a smarter, safer mobile workforce.

To hear Shields’ perspective on the strategic benefits of utilizing internal app stores, watch the following video:

To Learn More

To learn more about how you can approach application security risk management at your organization, check out the IBM-sponsored Ponemon Institute study “How to Make Application Security a Strategically Managed Discipline.” You can also read the accompanying blog “Present These 10 Key Application Security Risk Management Findings to Your Executive Team.”
