Is it safe to go mobile? New security threats keep your IT team up at night.

The classic 1978 film, Jaws 2, leveraged one of the most famous movie taglines ever: “Just when you thought it was safe to go back in the water…” In the movie trailer, fictional Police Chief Brody famously states, “I think we may have another shark problem.”

How does a decades-old film relate to the concerns of today’s IT managers? Because, just when IT managers began to confidently address many of their Web-based and network-related vulnerabilities, along came a new and complex threat variant designed to feast on their valuable organizational data and keep them up at night: mobile malware. Now, let’s explore the significant risks posed by mobile threats and offer practical solutions to address them.

Mobile Threat Landscape

Not so long ago, predictions stated that smartphones and tablets weren’t particularly susceptible to malware and hacking. That hasn’t proven to be the case. Instead, organizations’ growing use of mobile technology has been accompanied by an explosion of malware growth. Case in point: Published reports have indicated that malware aimed at mobile platforms grew 614 percent in the one-year period ending March 2013, nearly 450 percent faster than in the year before.

With the pronounced growth in mobile malware, mobile vulnerabilities currently represent 4 percent of total vulnerability disclosures, up from less than 1 percent in 2009, according to the IBM X-Force 2013 Mid-Year Trend and Risk Report.

In late 2013, IBM partner Arxan Technologies identified and reviewed hacked versions of top iOS and Android apps from third-party sites outside of official Apple and Google app stores. They also reviewed 15 highly-popular free apps for iOS and the same 15 free apps for Android. In addition, 40 popular financial apps were reviewed, with a breakdown of 20 per platform. Arxan’s sample size totaled 230 apps.

To give you a sense of the pervasive nature of mobile risk, Arxan’s research determined that amongst top 100 paid applications:

  • 56% of apps on Apple iOS had been hacked

Amongst popular free applications:

  • 73% on Android had been hacked
  • 53% on Apple iOS had been hacked

Safeguarding Your Organization Against Mobile Threats

How do you balance the increased productivity and flexibility offered by mobile technology against growing security risks associated with mobile’s widespread usage? And, how do you manage the myriad of new security threats that are emerging in the marketplace? In 2012, IBM predicted that mobile computing devices were driving security controls and technology that hadn’t previously existed for traditional endpoint devices. But, how does your organization stay at the forefront of the mobile technology curve?

In order to address the growing market need for improved mobile protection, IBM is announcing two exciting new security solutions:

  • IBM Security Access Manager 8.0 all-in-one appliance – powered by X-Force, Trusteer, and QRadar – to protect web and mobile applications from threats and vulnerabilities.
  • IBM Security AppScan 9.0 to help you identify and fix vulnerabilities in mobile source code and make your organization’s applications less susceptible to malware attacks.

The new release permits you to integrate your AppScan and IBM Worklight activities, so you can conveniently expand your overall IBM relationship and enhance security protection. You can read more details about what we are announcing below.

Transaction Security: Release of IBM Security Access Manager 8.0

As organizations expand their business models to delivery via mobile, cloud and social platforms, a powerful access management solution is required to create and enforce session management and context-aware access policies across wide-ranging web and mobile applications. Solutions also need to protect your web and mobile applications from threats and vulnerabilities, through reliable threat protection mechanisms. And, gaining insight into user activity has become a critical requirement for you to effectively protect business assets and achieve your compliance goals.

On February 18th, IBM announced availability of the 8.0 version of Security Access Manager, the “all-in-one” appliance, which includes two modules – IBM Security Access Manager for Web 8.0 and IBM Security Access Manager for Mobile 8.0.

Provided to your organization as a virtual or hardware-based appliance, IBM Security Access Manager protects Web and mobile applications from threats and vulnerabilities through an advanced threat protection mechanism. As such, it enables you to conveniently create and enforce session management, application protection, and context-aware access policies across a wide range of Web and mobile applications. Expanded integration with IBM X-Force Threat Intelligence, IBM QRadar Security Intelligence Platform and Trusteer Mobile SDK helps you to expand your end-to-end security capabilities.

Our new solution is delivered to you in a modular package, so you can deploy it for an initial use-case (for example, traditional Web access management), and then expand your implementation to other use-cases, such as mobile security.

For a summary of Security Access Manager 8.0’s capabilities, refer to the chart below:

For further details about IBM Security Access Manager 8.0, visit the following: About IBM Security Access Manager for Web.

Application Security Protection: IBM Security AppScan 9.0

IBM® Security AppScan® software enables organizations to assess the security of their applications and achieve regulatory compliance by identifying vulnerabilities and generating reports with intelligent fix recommendations to ease remediation.

At the RSA Conference, IBM announced availability of AppScan 9.0. AppScan 9.0’s enhanced security policy management capabilities permit organizations to identify their highest-risk application vulnerabilities, and prioritize those vulnerabilities for remediation. Vulnerabilities remediated early in the software development cycle are much less expensive to fix.

Enhanced mobile scanning capabilities in AppScan 9.0 help you to identify and fix vulnerabilities in mobile source code, making your organization’s applications less susceptible to malware attacks. In addition, IBM’s business partnership with Arxan Technologies offers you the ability to further “lock down” applications against potential attacks.

Lastly, the new release permits you to integrate your AppScan and IBM Worklight activities, so you can conveniently expand your overall IBM relationship and enhance security protection.

For a summary of AppScan 9.0’s capabilities, refer to the chart below:

For further details about AppScan, visit the following: About IBM Security AppScan

To learn how IBM client West Virginia University protected its student data using IBM Security AppScan, consult: How West Virginia University Protects Sensitive Student Data
