/jun 17, 2015

Mobile App Security: Threats and Best Practices

By Pierluigi Paganini

Mobile device adoption is strategic for every industry, but it has inherent security risks that cannot be underestimated. Many companies offer their employees access to internal systems through mobile platforms; for this reason, an effective bring your own device (BYOD) policy that specifically addresses mobile app security is key.

A recent study from Veracode found the average global enterprise has approximately 2,400 unsafe applications installed on employees' mobile devices. That's alarming, especially if you consider that each of these applications could serve as the entry point for hackers seeking to access a corporate network and obtain sensitive data.

So what's a firm to do? Here's a closer look at the facts about mobile app security, and some best-practice tips that can help ensure you're as secure as possible.

Reports on the Threat Landscape

mobile applicationsFor its study, Veracode scrutinized hundreds of thousands of mobile applications running on mobile devices in corporate environments, finding that approximately 14,000 applications were unsafe. Of those, nearly 85 percent exposed sensitive device data, including phone location, phone contacts and SMS message logs. Researchers discovered the presence of unsafe applications in practically every industry, including manufacturing and financial services. The principal security issues observed were the exposure of sensitive data, the performance of "suspicious security actions" and the collection or sharing of personal information — all of which expose mobile users to serious risks of attack.

Additionally, a recent report published by Alcatel-Lucent's Motive Security Labs reported an estimated 16 million mobile devices worldwide have been infected by malware. The report states, "Mobile malware is increasing in sophistication with more robust command and control protocols."

The banking industry has been hit particularly hard by cyberattacks and security issues. The rapid spread of mobile banking services has caused a significant increase in the number of existing mobile applications, and, at the same time, the number of cybercrimes that target customers of major financial institutions. In fact, according to experts at RiskIQ, more than 11 percent — or 40,000 — of the 350,000 mobile apps that reference banking in the world's top 90 app stores contain malware or suspicious code; scarier still is the fact that some of those include a banking trojan.

Mobile App Security Best Practices

One of the most effective ways to improve app security is to secure the services to which apps connect. Too often, however, developers and service providers fail to do this. The combination of poor programming practices adopted by app developers, plus an inherent lack of security by design, exposes mobile users to several SSL/TLS vulnerabilities — including the dreaded Heartbleed.

In addition, the data presented above demonstrates the importance of urgently addressing mobile security from both the user and developer perspectives.

On the developer side, it is necessary that each app is developed by carefully following coding best practices, and then is continually assessed to identify potentially exploitable flaws. Unfortunately, many companies fail to address mobile app security, despite the fact most are aware of the risks of mobile apps. Only a small percentage of companies promote and conduct mobile app security by design, which can cause serious problems for users. Often, the hastened "rush to release" cycle is the factor that most impacts mobile app security today.

On the user side, it is important to keep mobile applications updated. It's also crucial users avoid jailbreaking or rooting devices, and that they never download mobile applications from untrusted third parties or unofficial app stores. To reduce the risk of incidents overall, firms with BYOD policies should include training on principal cyberthreats and best practices in their security policies.

Defending Mobile Platforms From Cyberthreats

The adoption of both behavioral and binary static analysis could help security teams at every company reduce their risk of exposure. Behavioral analysis allows code to be assessed in real time and makes it possible for the actions of all applications to be inspected in a controlled environment, such as a sandbox. Usually risk is evaluated by comparing the results of the behavioral analysis with behavioral patterns related to legitimate and malicious apps. The binary static analysis allows the rapid identification of malicious codes and flaws in the code of the applications.

Today, given the diffusion of mobile devices and increasing popularity of related services, mobile app security is no longer just an option — it's a necessity. Following best practices and relying on a third-party security expert is the best way to keep your firm safe in the face of this ever-changing threat landscape.


Related Posts

By Pierluigi Paganini

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, Editor-in-Chief at "Cyber Defense Magazine," a member of the DarkReading Editorial team, and a regular contributor for major publications in the cyber security field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, and The Hacker News Magazine.