How can your organization expand usage of mobile applications, while effectively managing mobile security threats?

Security awareness is definitely growing. Increasingly, organizations understand the need, even the requirement, to protect sensitive mobile application data. However, based on my first-hand experience at Mobile World Congress 2014, organizations are concerned and frustrated about how they can make their mobile applications more secure – some to the point of being completely overwhelmed. With that in mind, I want to provide you with some best practices for mobile data protection based on my experience, which should help to allay your fears.

Case in point: In my discussion with an IT director at a Spanish hospital, the director was clearly aware of his organization’s need to protect patients’ data. Data privacy and protection laws established clear application data protection requirements for the director to pursue. However, the IT director appeared to be “stuck,” because he received conflicting pressure from medical professionals and patients to make information more readily available via mobile applications, but he also understood the inherent dangers of expanded availability. To further complicate matters, many of his colleagues at the hospital were cutting-edge mobile users, who pressured him to support the mobile devices they utilized on a daily basis. He didn’t know how to approach solving these complex and overlapping issues.  


Explore Mobile Application Development Platforms as a Launching-Point

Have you ever felt like the IT director in the example above, who was not sure of the next step to take? If your organization needs to develop customized web, native or hybrid mobile applications to support multiple mobile platforms, utilizing a mobile development framework can be a good place to start. A leading mobile application development platform will help you simplify and streamline mobile application development, making it easy for you to quickly develop feature-rich mobile applications and provide operational infrastructure to help secure applications once they’re deployed.

However, it’s imperative that you develop mobile applications securely in advance of their being deployed. The risk of potential “data leakage” mandates that your mobile applications be tested for security risk early in the software development lifecycle, in order for your privileged customer and organizational data to be protected.

OWASP recently updated its Mobile Top 10 Risks list for 2014. The chart below, built from that data, represents the mobile application threat landscape. Insecure data storage (Risk M2) and unintended data leakage (Risk M4) highlight the need to protect and encrypt sensitive information. In fact, unprotected data should never be written to a mobile device.

Identify Your Organization’s Data at Risk

The first step to protecting sensitive mobile application data is to identify which data require protection. Industry-leading application security tools make it easier to quickly identify data at risk: they show where data enters your applications (the sources), where it travels inside them, and where it leaves them (the sinks). Knowing exactly where data leaves a mobile application gives you a “map” or “blueprint” of every place where encryption should be applied.
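As an added illustration (not code from the page, from IBM Worklight or from AppScan), the following Python script sketches the source-to-sink mapping described above together with the OWASP M2/M4 checks: it follows sensitive values through a constructed hybrid-app JavaScript snippet and reports every storage or logging sink that receives them unencrypted. `fetchRecord` and `encrypt` are assumed application helpers, and the source, sink and sanitizer lists are illustrative.

```python
import re

# Constructed hybrid-app snippet (not from the page or Worklight); fetchRecord() and
# encrypt() are assumed application helpers.
APP_JS = """
var patientId = document.getElementById('patientId').value;
var diagnosis = fetchRecord(patientId).diagnosis;
var summary = 'Visit: ' + diagnosis;
var sealed = encrypt(summary);
console.log('loaded ' + patientId);
localStorage.setItem('lastVisit', summary);
localStorage.setItem('lastVisitSealed', sealed);
localStorage.setItem('theme', 'dark');
"""

# Sources (where sensitive data enters), sinks (where it leaves), sanitizers (assumed).
SOURCE_PATTERNS = [r"getElementById\('(?:patientId|ssn)'\)", r"\bfetchRecord\("]
SINKS = {"localStorage.setItem", "console.log", "document.cookie"}
SANITIZERS = {"encrypt"}
ASSIGN = re.compile(r"^\s*(?:var|let|const)?\s*(\w+)\s*=\s*(.+?);\s*$")
CALL = re.compile(r"^\s*([\w.]+)\((.*)\);\s*$")
STRING = re.compile(r"'[^']*'|\"[^\"]*\"")
IDENT = re.compile(r"[A-Za-z_]\w*")

def idents_in(expr):
    """Identifiers referenced by an expression, ignoring string literals."""
    return set(IDENT.findall(STRING.sub("", expr)))

def analyze(js):
    """Return (line, sink, tainted names) for each sink fed unprotected sensitive data."""
    tainted, findings = set(), []
    for lineno, line in enumerate(js.strip().splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            idents = idents_in(rhs)
            if idents & SANITIZERS:
                tainted.discard(name)          # encrypted before use: treated as protected
            elif any(re.search(p, rhs) for p in SOURCE_PATTERNS) or idents & tainted:
                tainted.add(name)              # sensitive data enters or propagates
            else:
                tainted.discard(name)          # overwritten with a clean value
            continue
        m = CALL.match(line)
        if m and m.group(1) in SINKS:
            leaked = sorted(idents_in(m.group(2)) & tainted)
            if leaked:
                findings.append((lineno, m.group(1), leaked))
    return findings
```

Each finding is a place where data leaves the application unprotected, i.e. one entry on the encryption “map” the paragraph above describes; the sealed value written on line 7 of the snippet is not reported.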

In the race to provide mobile applications or update existing ones, many organizations don’t take the time or have the expertise to secure their applications. The pace of development and change is so rapid that, without the aid of automated application security testing solutions, your application security protection might be in a constant state of lagging behind the latest vulnerabilities, leaving you exposed to potential data breaches.

Integrate Application Security into your SDLC

On February 25th, IBM announced the latest version of our application security testing solution: IBM Security AppScan 9.0. The new release advances market-leading mobile application security capabilities, by providing seamless integration with IBM Worklight. Now in a single integrated development environment (IDE), mobile applications can be developed and security-tested at the same time.

The new AppScan release makes it convenient to secure native and hybrid mobile applications. Comprehensive security analysis, coupled with a detailed understanding of IBM Worklight APIs, helps to prevent data leakage from mobile applications. AppScan identifies all the places where data leaves applications and prioritizes security risks for developers, providing you with a collection of definitive security vulnerabilities.

By securing mobile applications as they’re developed, organizations realize the added benefit of protecting their enterprise data. Now, with the integration of IBM Worklight with IBM Security AppScan, it’s more convenient and practical to secure mobile applications early in the software development lifecycle.
