Securing Your Mobile Applications Doesn’t Have to Be So Overwhelming

How can your organization expand usage of mobile applications, while effectively managing mobile security threats?

Security awareness is definitely growing. Increasingly, organizations understand the need, even the requirement, to protect sensitive mobile application data. However, based on my first-hand experience at Mobile World Congress 2014, organizations are concerned and frustrated about how they can make their mobile applications more secure – some to the point of being completely overwhelmed. With that in mind, I want to provide you with some best practices for mobile data protection based on my experience, which should help to allay your fears.

Case in point: In my discussion with an IT director at a Spanish hospital, the director was clearly aware of his organization’s need to protect patients’ data. Data privacy and protection laws established clear application data protection requirements for the director to pursue. However, the IT director appeared to be “stuck,” because he received conflicting pressure from medical professionals and patients to make information more readily available via mobile applications, but he also understood the inherent dangers of expanded availability. To further complicate matters, many of his colleagues at the hospital were cutting-edge mobile users, who pressured him to support the mobile devices they utilized on a daily basis. He didn’t know how to approach solving these complex and overlapping issues.

Explore Mobile Application Development Platforms as a Launching-Point

Have you ever felt like the IT director in the example above, who was not sure of the next step to take? If your organization needs to develop customized web, native or hybrid mobile applications to support multiple mobile platforms, utilizing a mobile development framework can be a good place to start. A leading mobile application development platform will help you simplify and streamline mobile application development, making it easy for you to quickly develop feature-rich mobile applications and provide operational infrastructure to help secure applications once they’re deployed.

However, it’s imperative that you develop mobile applications securely in advance of their being deployed. The risk of potential “data leakage” mandates that your mobile applications be tested for security risk early in the software development lifecycle, in order for your privileged customer and organizational data to be protected.

OWASP recently updated their Mobile Top 10 Risks for 2014 list. The chart below is a result of that data and a representation of the mobile application threat landscape. Insecure data storage (Risk M2) and unintended data leakage (Risk M4) highlight the need to protect and encrypt sensitive information. In fact, unprotected data should never be written to a mobile device.

Figure: 2014 OWASP Top 10 Mobile Risks

Identify Your Organization’s Data at Risk

The first step to protecting sensitive mobile application data is to identify what data requires protection. Market and industry-leading application security tools make it easier to quickly identify data at risk: they show where data enters your applications, where it travels inside your applications, and where it leaves your applications. Knowing where data leaves your mobile applications gives you a “map” or a “blueprint” of all the places where data encryption should be applied.

In the race to provide mobile applications or update existing ones, many organizations don’t take the time or have the expertise to secure their applications. The pace of development and change is so rapid that, without the aid of automated application security testing solutions, your application security protection might be in a constant state of lagging behind the latest vulnerabilities, leaving you exposed to potential data breaches.

Integrate Application Security into your SDLC

On February 25th, IBM announced the latest version of our application security testing solution: IBM Security AppScan 9.0. The new release advances market-leading mobile application security capabilities, by providing seamless integration with IBM Worklight. Now in a single integrated development environment (IDE), mobile applications can be developed and security-tested at the same time.

The new AppScan release makes it convenient to secure native and hybrid mobile applications. Comprehensive security analysis, coupled with a detailed understanding of IBM Worklight APIs, helps to prevent data leakage from mobile applications. AppScan identifies all the places where data leaves applications and prioritizes security risks for developers, providing you with a collection of definitive security vulnerabilities.

By securing mobile applications as they’re developed, organizations realize the added benefit of protecting their enterprise data. Now, with the integration of IBM Worklight with IBM Security AppScan, it’s more convenient and practical to secure mobile applications early in the software development lifecycle.

Tom Mulvehill

Program Director, IBM BigFix Offering Management