Mobile is more than just deploying an app to a store. It’s about having a concept—what a mobile solution should accomplish and how it should look and behave (for example, a storyboard). Most apps except games are not self-contained; they need to connect to back-end servers. Users have high expectations for usability, appearance and behavior. Mobile solutions need to be designed for short and focused interactions, keeping interruptions in mind, since they’re very common. They should be usable even when one lacks wireless coverage. Mobile does not necessarily mean on the go; it means always with me.
Uniqueness of mobile
Besides user requirements, companies face security challenges in the business to customer (B2C), business to business (B2B) and business to employees (B2E) spaces, because mobile devices are very different from classic desktop environments:
- They are shared more often, for example with family and friends or among co-workers, and they make it easy to share information like pictures and files through social networks or public cloud storage services.
- They serve multiple personas: they combine tools for work with apps for entertainment, and they organize both your personal and your corporate life.
Mobile devices are diverse when you consider their platform, operating system version, vendor, carrier and app development and delivery model. Since smartphones and tablets are still pretty new to IT, with just three to five years of revolutionary history, mobile operating systems are immature for enterprise management compared to desktop environments.
Smartphones and tablets are used in a diverse set of locations, anywhere and anytime, connected to public, private, enterprise and cellular networks. As a result, they are more likely to be lost or stolen.
Adoption of mobile devices is growing in the enterprise. Users of smartphones and tablets like to use personal devices for work since they are familiar with their usability and handiness. Organizations are starting to view bring your own device (BYOD) in terms of its business value, and they recognize the competitive differentiation it can offer.
Mobile security challenges
To meet users’ requirements and to provide and maintain enterprise-class mobile services, you need a mobile strategy! One pillar of a mobile strategy is mobile security.
1. Achieve data separation and provide data protection
Mobile solutions should offer their users and providers protection of the incorporated data—both personal data (such as bank account information) and corporate data (such as reports or other confidential material). They should prevent data leakage into and out of the enterprise, which isn’t always easy if there’s no clear separation of personal and corporate data.
2. Adapt to the consumerization of IT
IT departments have to cope with a huge set of unique endpoints when declaring standards, security policies and threat protection mechanisms, since we are talking about a heterogeneous landscape: multiple platforms and variants, multiple providers, managed devices (B2E) and unmanaged devices (B2B, B2E, B2C).
Mobile operating systems prioritize the user, and conflicts with the user experience are rarely tolerated. The operating systems’ architecture puts the user in control; therefore it’s difficult for companies to enforce policies and control app installations on corporate or personally owned devices.
3. Provide secure access to enterprise services and data
Applications and services need to be composed in a secure way to make sure that only authorized users access security-sensitive services. They should consider the identity of the users and devices through authentication and authorization. It is essential to guarantee end-to-end security by offering secure connectivity to enterprise services. Channels need to be secured as well, to ensure that communication with trusted parties is not observable by unauthorized users when one is connected to a public, private or cellular network.
4. Develop secure mobile solutions
To prevent security vulnerabilities from entering applications during development, application scanning and certification should be part of the application lifecycle right from the beginning.
Before applications are deployed in a mobile application store, it is necessary to verify their integrity to make sure that they
- Do not accept untrusted input,
- Do not leak confidential information, and
- Do not violate any access control policy.
When developing or maintaining mobile solutions, don’t think of user requirements and secure mobile solutions as a trade-off.
Existing applications can be secured by keeping these four phases in mind:
- Discovery: This requires building an inventory of all the applications and services available in the enterprise, whether they originate internally, from a third party or from open source.
- Evaluation: Each application and service must be evaluated to determine what it is supposed to do.
- Risk profile: Static and dynamic application scanning is required to detect deviations from the evaluation.
- Rating: Applications can be assigned a rating based on the evaluation and the risk profile.
During the development of new applications, security considerations need to be part of the application lifecycle at every stage by keeping these four phases in mind:
- Design: Security requirements should be part of the application from the very beginning of the application lifecycle, when the application is designed.
- Development: During development, code should be periodically scanned (ideally every day) to make sure that vulnerabilities are eliminated as early as possible during the application lifecycle.
- Build: Application scanning needs to be performed as part of the application build process.
- Quality assurance: All the components of the applications should be analyzed through a combination of static and dynamic analysis.