March 5, 2015 By Kevin Olivieri 4 min read

As mobile app use matures and moves into the enterprise, with corporate data shared across every device, attacks on mobile have grown just as fast in volume and scale. Even the top apps on the Apple App Store and Google Play have been targeted: 87 percent of the top 100 paid iOS apps and 97 percent of the top 100 paid Android apps have been hacked.

Without proper app security precautions in place to protect corporate data on mobile devices from outside threats, organizations are putting themselves in harm's way. This territory is fraught with the potential for costly data breaches.

Although the task may seem insurmountable at first glance, there are straightforward ways for organizations to protect their data from rising app threats and make employee app use more productive.

In this Q&A, two top app security experts — IBM Senior Director of Product Management Anar Taori and Product Manager Kaushik Srinivas — give the lowdown on the state of apps today, how organizations can provide enterprise-level app security and what they can do to deploy apps that develop a more productive group of end users.

When working with clients, what are the most prominent apps you see making the mobile-first transition to support the business?

Srinivas: Once customers manage the device, the typical next steps are boosting employee productivity by giving access to apps for email, calendar, contacts (PIM) and then a browser. Beyond this stage, the apps required would be mobile access to content and docs through SharePoint, Box or other content repositories.

Taori: The next set of mobile apps are being built by enterprises for their employees, customers and business partners to help transform how they do business. We are seeing an increase in the number of apps being built and deployed, from a handful back in 2011 to double-digit numbers now. Examples are apps that help employees book tickets for business travel, file expense reports, take drink orders on the casino floor and more.

Can you provide one or two examples of specific app use cases?

Srinivas: Take the airline industry, for example. Pilots currently need to carry heavy flight manuals on every flight. These manuals change often and need to be reprinted before pilots can take them on their next flight. Now, with iPads, the bulky manuals can fit comfortably on a tablet and be updated automatically, giving pilots less to worry about and reducing weight on the plane to help fleets be more fuel-efficient.

Taori: Another example of an app use case in a health care setting, and one that is becoming very popular now, is secure texting. With it, physicians can securely send text messages to other physicians and nurses and discuss patient records while staying HIPAA-compliant. These communications are encrypted and self-destruct after a period of time. They can also be recalled and notify you when your message is read.

In terms of development, at which stage would you recommend companies think about adding security?

Srinivas: They need to think about security from the design stage itself to see what data needs to be exposed, what can cause data breaches, and then look at how this can be protected. Typically, this is done through an app security SDK or wrapping if the native OS doesn't provide the security controls they are looking for.

Taori: Yes, app developers need to think about how they can instrument their applications to be able to be securely managed at the time of developing the application itself. This can be done using an app security SDK. For applications that have already been built, enterprise IT can secure them by using app wrapping, which requires zero code change. With the average total cost of a data breach to an organization exceeding $5 million now, enterprises need to think about where data is stored in an application and how can it be secured before the app is distributed.

What are the differences between SDK and app wrapping?

Srinivas: The SDK is a software development kit that needs to be used at the time of coding the app. This provides granular control to the developer to secure the app. App wrapping is after the fact, so it involves zero code changes. The customer can wrap the app with security policies after building it. Since this is post-compilation, it may not offer the same level of control as the SDK in terms of features offered.

Are there any unique SDK uses to wrap apps that you can share?

Srinivas: Data leakage prevention controls such as cut, copy and paste restrictions and open-in restrictions, data encryption and per-app VPN for access to behind-the-firewall resources and servers using the Mobile Enterprise Gateway™ are three ways organizations can use SDKs to wrap apps.

With the threat of malware growing each day, what is MaaS360 doing in terms of threat management for app security?

Srinivas: With malicious apps on the rise, it is critical that enterprises secure all the corporate data on mobile devices. MaaS360™ allows this to be done via a tiered approach at the device level (mobile device management), app level (mobile application management) or at a highly granular data level, where the customer can be in complete control of even the data within the apps through app security and content management.

At the device level, we have jailbreak detection, policies and compliance rules and geofencing, as well as integration with other best-of-breed solutions for mobile threat management, such as Trusteer. At the app level, application management allows for any app to be deployed, updated and deleted based on user group, device and user security posture. At the data level, the SDK and wrapping — plus content management — allow data to be containerized to a set of MaaS360-provisioned apps.

Taori: In addition, the MaaS360 platform can inform IT about which apps are risky with a risk rating as well as detect malware and take remediation action such as alerting or uninstalling malware.
