Chief Information Security Officers must adopt new practices when deploying enterprise apps on mobile devices.
Contributor: Laurence Goasduff
The digitalization of business processes and practices is relentless and inevitable. One trend, of interest to both businesses and hackers, is the increasing number of organizations that are developing mobile versions of their enterprise applications for employees and customers.
“The mobile environment is evolving and presents new vulnerabilities and threats,” said Dionisio Zumerle, research director at Gartner. “App developers lack mobile expertise and tend to apply traditional application development practices to mobile with a focus on functionality, not security.”
Why are things different on mobile devices? First, these devices, and any sensitive data they contain, are more likely to be lost or stolen. Second, new attacks are emerging that exploit mobile devices. Malware can be installed on adjacent devices to extract sensitive information. Electronic eavesdropping can intercept data being sent wirelessly between apps and organizations. Hackers can also repackage apps, add malicious code to them, and then reload them to app stores — a tactic that has been prevalent with banking apps.
Listed below are five ways in which chief information security officers (CISOs) can protect their organizations:
- Lock down app permissions — Mobile apps interact with a device’s firmware and hardware by gaining user permissions, either at the time of installation or during use. Links to a mobile device’s camera or microphone can have benefits for the user, but they also increase the risk to security. For business purposes, CISOs should minimize the permissions of each app to the ones strictly required to carry out their tasks.
- Don’t rely solely on client-side checks — User identity and app integrity validation checks should not be performed in isolation by the client. A hacker can easily bypass these checks to access sensitive enterprise data stored in the app. Server-side controls should be used for app authentication. If the information is really sensitive, incorporate behavioral and context checks, such as on the geographical location of login attempts.
- Look for third-party expertise and always test — CISOs should assess how they can best handle mobile app security. Some businesses will have the internal resources to dedicate to coding security controls, but these businesses are likely to be aggressive, early adopters of technology.
For most organizations, internally created security functionality will prove difficult to maintain and evolve. CISOs should consider architecting security code in an externalized way. Some may need to hire a consultancy or cloud service provider. Whether you go it alone, or use external support, always test apps before deployment using a third-party tool for app security testing.
- Harden applications — Reverse engineering is now a common technique for exposing system details and repackaging apps with malicious code. To help prevent it, start by obfuscating your software code using a third-party tool, which makes it harder for an attacker to understand what an app is doing.
- Perform regular health checks — Security is an ongoing concern, so perform platform health checks constantly to identify weak spots. For example, you can check whether a device has been “jail-broken” on iOS or “rooted” on Android by looking for evidence that inbuilt app sandboxing has been compromised. However, keep user privacy in mind, as health checks can be considered invasive as they sit on the boundary of the app to check the health of an overall device.
Gartner clients can read more in the following report: “Avoiding Mobile App Development Security Pitfalls.” Mr. Zumerle will provide additional analysis at the Gartner Identity & Access Management Summit 2016, which will take place on 14-15 March 2016 in London. You will be able to follow updates from the event on Twitter using the hashtag #GartnerIAM.
For more security related reports and articles visit Smarter With Gartner website.