Mobile Apps Security-Is it a challenge?
Author: Jitendra Jain, Senior Technology Architect (HILife - Architecture & Design Group)
Mobile app security is one of the biggest talk of the current digital arena where we have seen a phenomenal traction. This major shift in the security landscape has drawn an utmost attention by mobile app vendors, mobile app developers and almost all small and big mobility enterprises including Google, Apple, Nokia, Samsung, Microsoft etc. Mobile app security can be defined as a way by which we protect mobile or smart devices from any kind of soft attack by the attackers or Hijackers from malware, harmful viruses and any other kind of illegal activities. Consequences of a mobile attack can be very severe in some instances where complete device data and controls are in compromised situation.
The term "Mobile app security" can also be referred to various kind of technologies and industry best practices to minimize the risk of exploits to mobile devices through their installed apps.
According to Gartner, "Mobile Data Protection (MDP) systems and procedures are needed to protect business data privacy, meet regulatory and contractual requirements, and comply with audits." Additionally, "Most companies, even if not in sensitive or regulated industries, recognize that encrypting business data is a best practice."
In another Gartner Research they have highlighted by 2020, the security breach of business critical and confidential sensitive data on a single endpoint will incur average mitigation costs of 70 times or more than the original price to implement encryption strategies and solutions on all the endpoints in an enterprise.
What Exactly Attackers Want? (**Mobile attack injection points**)
Need User Credentials
o To login to device
o To use external 3rd party services (email, banking info, business critical info etc.)
Need Your Personal Information ( **Identity info**)
o Full Name, PAN\TIN\ SSN\SIN
o Address book data ( Contact details )
o Geo Location data ( Coordinates for planning)
Cardholder's Secure Data
o Credit/Debit/Loyalty Card Numbers, Expiration dates, PIN, CVV ( Use for Cloning )
Hijack or Access to your device for
o Sniff your connections
o Misuse your device for Botnets, Spamming and for illegal activities
o Steal trade secrets or other sensitive confidential data
Major Vulnerabilities and Threats for Mobile Devices
Below are the main vulnerabilities and threats for mobile devices which causes issues in mobile securities.
- Usage and storage of bad data.
- Malware & phishing attacks
- Architectural and design flaws
- Unauthorized access
- Data leaks while syncing operations
- Data caching vulnerabilities.
- Week device encryption standards ( iOS platform is better than Android)
- Usage of un-trusted suspicious mobile devices and networks
- Usage of apps created by unknown parties, vendors
- Massive interaction with other non-reliable systems
- Use of un-trusted contents, resources and URLs
- Non- optimal usage of location services (GPS capabilities)
How to Secure Mobile Devices?
We can follow below tips and techniques to avoid major vulnerabilities and threats for securing our mobile devices.
- Always lock your device: maintain strong pass-codes and complex patterns to restrict illegal unauthorized device access
- Always know your apps before you use them: Know app details and download from trusted app stores
- Keep latest updated software: ensure to have latest app version with security patches
- Monitor data usage: Keep a red eye on daily or hourly mobile data usage statistics for active devices. High data usage scenarios could always be closely tracked and verified. Do monitor network activity as well on regular basis.
- Judge the mobile behavior: Always identify any kind of suspicious or malicious change in the behavior using appropriate software and tools
- Use of mobile security software: Use best in-class software's (anti-virus, anti-malware etc.)
- Optimal data caching technique: Avoid hard storage instead implement data caching approach so that the cached data can be automatically wiped every time the device reboots.
- Advanced app analysis: Keep performing advanced app security analysis regularly to detect known and unknown threats and vulnerabilities
- Strong security design policy: Enterprise security policies on the mobile device must be strong enough to protect the devices.
- BYOD Strategies: Enterprises that are embracing mobile computing and bring your own device (BYOD) concept seems very vulnerable to security breaches unless they really follow strong methods and latest cutting edge security tools and technologies for mobile application security testing and risk assurance.
Some Quick Tips to Protect your Mobile Device
- Do consider security features when buying a mobile or smart device
- Do configure your mobile device with security features
- Do configure proper web accounts to consume network provided secure wireless/ LAN type of connections (HTTPS/SSL)
- Never follow links shared by any unknown sender through any network mode like suspicious email or text/voice messages etc.
- Do consider information and data storage on the device
- Do you really need all available apps? Yes or No , think again before you install
- Plan and try to hold physical admin kind of control for the devices, it is especially true in open/ public or semi-public places.
- Always disable external interfaces if not in use (Infrared,Wi-Fi, Bluetooth, Hot-Spot)
- Always keep Bluetooth-enabled devices in non-discoverable mode
- Do not join any unknown Wi-Fi networks or public Wi-Fi hotspots. It is a big risk.
- Always clear memory after use or before you discard the device
- Be extreme careful whenever using social networking applications.
- Never "root" or "jailbreak" the device. Your device security may be on high risk
- Do act quickly if your mobile device is stolen
Standard Mobile Data Protection Solutions ( MDP)
For big enterprises it is always better to use standard mobile data protection ( MDP) solutions. There are lot of open sources and commercial platforms are available which we can choose and use based on business requirements. As per Gartner below are the leaders and visionaries in MDP space.