Is it safe to go mobile? New security threats keep your IT team up at night.

The classic 1978 film Jaws 2 used one of the most famous movie taglines ever: “Just when you thought it was safe to go back in the water…” In the movie trailer, fictional Police Chief Brody famously states, “I think we may have another shark problem.”

How does a decades-old film relate to the concerns of today’s IT managers? Because, just when IT managers began to confidently address many of their Web-based and network-related vulnerabilities, along came a new and complex threat variant designed to feast on their valuable organizational data and keep them up at night: mobile malware. Now, let’s explore significant risks posed by mobile threats, and offer practical solutions to address the risks they pose.

Mobile Threat Landscape

Not so long ago, predictions stated that smartphones and tablets weren’t particularly susceptible to malware and hacking. That hasn’t proven to be the case. Instead, organizations’ growing use of mobile technology has been accompanied by an explosion of malware growth. Case in point: Published reports have indicated that malware aimed at mobile platforms grew 614 percent in the one-year period ending March 2013, nearly 450 percent faster than in the year before.

With the pronounced growth in mobile malware, mobile vulnerabilities currently represent 4 percent of total vulnerability disclosures, up from less than 1 percent in 2009, according to the IBM X-Force 2013 Mid-Year Trend and Risk Report.

In late 2013, IBM partner Arxan Technologies identified and reviewed hacked versions of top iOS and Android apps from third-party sites outside of official Apple and Google app stores. They also reviewed 15 highly-popular free apps for iOS and the same 15 free apps for Android. In addition, 40 popular financial apps were reviewed, with a breakdown of 20 per platform. Arxan’s sample size totaled 230 apps.

To give you a sense of the pervasive nature of mobile risk, Arxan’s research determined that amongst top 100 paid applications:

  • 56% of apps on Apple iOS had been hacked

Amongst popular free applications:

  • 73% on Android had been hacked
  • 53% on Apple iOS had been hacked

Safeguarding Your Organization Against Mobile Threats

How do you balance the increased productivity and flexibility offered by mobile technology against growing security risks associated with mobile’s widespread usage? And, how do you manage the myriad of new security threats that are emerging in the marketplace? In 2012, IBM predicted that mobile computing devices were driving security controls and technology that hadn’t previously existed for traditional endpoint devices. But, how does your organization stay at the forefront of the mobile technology curve?

In order to address the growing market need for improved mobile protection, IBM is announcing two exciting new security solutions:

  • IBM Security Access Manager 8.0 all-in-one appliance – powered by X-Force, Trusteer, and QRadar – to protect web and mobile applications from threats and vulnerabilities.
  • IBM Security AppScan 9.0 to help you identify and fix vulnerabilities in mobile source code and make your organization’s applications less susceptible to malware attacks.

The new release permits you to integrate your AppScan and IBM Worklight activities, so you can conveniently expand your overall IBM relationship and enhance security protection. You can read more details about what we are announcing below.

Transaction Security: Release of IBM Security Access Manager 8.0

As organizations expand their business models to deliver via mobile, cloud and social platforms, a powerful access management solution is required to create and enforce session management and context-aware access policies across wide-ranging web and mobile applications. Solutions also need to protect your web and mobile applications from threats and vulnerabilities, through reliable threat protection mechanisms. And, gaining insight into user activity has become a critical requirement for you to effectively protect business assets and achieve your compliance goals.

On February 18th, IBM announced availability of the 8.0 version of Security Access Manager, the “all-in-one” appliance, which includes two modules – IBM Security Access Manager for Web 8.0 and IBM Security Access Manager for Mobile 8.0.

Provided to your organization as a virtual or hardware-based appliance, IBM Security Access Manager protects Web and mobile applications from threats and vulnerabilities through an advanced threat protection mechanism. As such, it enables you to conveniently create and enforce session management, application protection, and context-aware access policies across a wide range of Web and mobile applications. Expanded integration with IBM X-Force Threat Intelligence, IBM QRadar Security Intelligence Platform and Trusteer Mobile SDK helps you to expand your end-to-end security capabilities.

Our new solution is delivered to you in a modular package, so you can deploy it for an initial use-case (for example, traditional Web access management), and then expand your implementation to other use-cases, such as mobile security.

For a summary of Security Access Manager 8.0’s capabilities, refer to the chart below:

For further details about IBM Security Access Manager 8.0, visit the following: About IBM Security Access Manager for Web.

Application Security Protection: IBM Security AppScan 9.0

IBM® Security AppScan® software enables organizations to assess the security of their applications and achieve regulatory compliance by identifying vulnerabilities and generating reports with intelligent fix recommendations to ease remediation.

At the RSA Conference, IBM announced availability of AppScan 9.0. AppScan 9.0’s enhanced security policy management capabilities permit organizations to identify their highest-risk application vulnerabilities, and prioritize those vulnerabilities for remediation. Vulnerabilities remediated early in the software development cycle are much less expensive to fix.

Enhanced mobile scanning capabilities in AppScan 9.0 help you to identify and fix vulnerabilities in mobile source code, making your organization’s applications less susceptible to malware attacks. In addition, IBM’s business partnership with Arxan Technologies offers you the ability to further “lock down” applications against potential attacks.

Lastly, the new release permits you to integrate your AppScan and IBM Worklight activities, so you can conveniently expand your overall IBM relationship and enhance security protection.

For a summary of AppScan 9.0’s capabilities, refer to the chart below:

For further details about AppScan, visit the following: About IBM Security AppScan

To learn how IBM client West Virginia University protected its student data using IBM Security AppScan, consult: How West Virginia University Protects Sensitive Student Data
