Discover Performance: HP Software's community for IT leaders // October 2012
Application security in the age of mobile
Mobile apps offer new challenges in an era of rising attacks. Security leaders need to identify risks and instill best practices for a new era.
Mobile functionality is no longer optional. Developers are learning to code for mobile, and the nature of the fast-growing mobile space means a greater rush to get apps and updates into the field. Mobile presents a particularly complex landscape that includes the device, network traffic and the server—and higher pressure to roll out apps and updates faster.
Despite the risks, the 2012 Global State of Information Security Survey, conducted by PricewaterhouseCoopers and CIO and CSO magazines, found that fewer than half of the executives and IT chiefs polled had implemented safeguards to protect the enterprise from security hazards that mobile devices and social media can introduce. And just 43 percent have a security strategy for employee use of personal devices, with only 37 percent reporting a security strategy for mobile devices.
Security leaders need to consider the unique aspects of the mobile realm to not only maintain the security practices of traditional development, but to improve on them.
In a recent Tech Dossier article, Wendy Nather, enterprise security research director at 451 Research, says developers “are used to writing for a web app that runs on a server behind a firewall and the end-client is very thin. They are not used to thinking in terms of actual code executing on the mobile device, where there is a thicker client and it’s in a hostile environment.” For mobile apps, that often includes third-party distribution channels over which you have no direct control.
Identifying mobile app security gaps
Many enterprises outsource mobile app development because of the scarcity of in-house expertise. But it’s a rare third-party mobile app developer who can offer enterprise customers the level of security acumen truly required. So companies may “have three different systems integrators building three one-off applications for different platforms, with none of the existing corporate governance and process,” says Jacob West, director of software security research at HP. This results in insecure apps.
And an insecure mobile app may be a particularly large threat. Mobile devices often contain personal information, may incorporate powerful tracking capabilities and, in the case of business users, provide access to sensitive enterprise applications. Mobile app developers commonly write code that stores passwords and other sensitive data—from proprietary corporate information to consumer credit card accounts—unencrypted on devices.
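To make the storage problem concrete, here is an added example (not code from the article or from HP) showing the insecure pattern on Android beside its hardened form: writing a session token into plain SharedPreferences versus encrypting it under a key held in the Android Keystore. It assumes the androidx.security.crypto library (EncryptedSharedPreferences and MasterKeys); the package, class, preference-file and key names are hypothetical.

```java
// Added example (not from the HP article): plaintext vs. encrypted on-device
// storage of a session token on Android. Assumes androidx.security.crypto;
// package, file and key names are hypothetical.
package com.example.mobilesec;

import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class TokenStore {
    private static final String PREFS_FILE = "session_prefs";   // hypothetical
    private static final String KEY_TOKEN = "session_token";    // hypothetical

    private TokenStore() {}

    // BEFORE: the pattern the article warns about. The token lands in a plain
    // XML file under the app's data directory, readable from any device backup,
    // rooted device or forensic image.
    public static void saveTokenInsecure(Context ctx, String token) {
        SharedPreferences prefs =
                ctx.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    // AFTER: keys and values are encrypted (AES-256-SIV / AES-256-GCM) under a
    // master key that lives in the Android Keystore, so the file on disk holds
    // ciphertext only and the key never leaves hardware-backed storage.
    public static void saveTokenEncrypted(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        openEncryptedPrefs(ctx).edit().putString(KEY_TOKEN, token).apply();
    }

    public static String loadTokenEncrypted(Context ctx)
            throws GeneralSecurityException, IOException {
        return openEncryptedPrefs(ctx).getString(KEY_TOKEN, null);
    }

    private static SharedPreferences openEncryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        return EncryptedSharedPreferences.create(
                PREFS_FILE + "_enc",
                masterKeyAlias,
                ctx,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

A simple acceptance check for the testing step the article recommends: on a debug build, export the app's data and confirm that no preference file contains the token in recognizable form; if the insecure method is still called anywhere, the plaintext XML will show it immediately.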
“There are some pretty complex permissioning and communications schemes that have been set up for how applications can shuffle data between themselves and the OS and between multiple apps,” West says. These schemes represent a vital security feature, but developers often fail to understand and implement them.
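The "permissioning and communications schemes" West refers to can be illustrated with Android's broadcast mechanism. The following is an added example (not code from the article or from HP) that shows an unprotected app-to-app message beside one restricted to a named package and guarded by a signature-level permission on both the sending and receiving side. It assumes the permission is declared in the manifest with android:protectionLevel="signature" and that androidx.core's ContextCompat is available; the package, action and permission names are hypothetical.

```java
// Added example (not from the HP article): guarding app-to-app communication on
// Android with an explicit target package and a signature-level permission.
// Assumes PERMISSION is declared in the manifest with protectionLevel="signature"
// and that androidx.core (ContextCompat) is on the classpath; names are hypothetical.
package com.example.mobilesec;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.core.content.ContextCompat;

public final class EventChannel {
    static final String ACTION_EVENT = "com.example.mobilesec.action.EVENT";           // hypothetical
    static final String PERMISSION = "com.example.mobilesec.permission.RECEIVE_EVENTS"; // hypothetical
    static final String PARTNER_PACKAGE = "com.example.partnerapp";                    // hypothetical

    private EventChannel() {}

    // BEFORE: an implicit broadcast with no permission. Every installed app can
    // register for ACTION_EVENT and read the payload, and any app can inject one.
    public static void publishInsecure(Context ctx, String payload) {
        Intent i = new Intent(ACTION_EVENT).putExtra("payload", payload);
        ctx.sendBroadcast(i);
    }

    // AFTER: the intent names its target package and the receiver must hold a
    // permission that only apps signed with the same key can be granted.
    public static void publishSecure(Context ctx, String payload) {
        Intent i = new Intent(ACTION_EVENT)
                .setPackage(PARTNER_PACKAGE)
                .putExtra("payload", payload);
        ctx.sendBroadcast(i, PERMISSION);
    }

    // Receiving side: require the sender to hold the same permission, so a
    // broadcast from an unrelated app is never delivered to this receiver.
    // The receiver is exported because the legitimate sender is another app.
    public static void listen(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_EVENT);
        ContextCompat.registerReceiver(
                ctx, receiver, filter, PERMISSION, /* scheduler */ null,
                ContextCompat.RECEIVER_EXPORTED);
    }
}
```

The point for a review checklist is that the platform offers the controls; the defects the article describes arise when developers ship the BEFORE form because they never learned the scheme, so a static scan for sendBroadcast and registerReceiver calls that pass no permission is an inexpensive way to find them.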
Further complicating the situation is that mobile apps rely on a multitude of third parties: handset makers, network service providers and app stores. So if a customer cries foul over a breach, there’s no straightforward way to assess liability.
Security best practices for mobile apps
“What I think we are missing so far is a secure software development lifecycle that is customized for mobile applications,” Nather says.
In the meantime, you must apply existing tools and best practices to new ways of developing and outsourcing applications. Your first steps:
- Adapt software initiatives, governance policies and training to specifically encompass mobile development and security.
- When dealing with outside developers, specify the security performance and features that are required and demand source code and a functioning runtime against which they can verify and test application security.
- Emphasize testing to find problems in your code, particularly as your developers are adapting to the needs of the mobile era.
The bottom line
Mobile application security requires rethinking traditional approaches so that good software development processes are not lost in the rush to market. Information technology and security leaders must assess their application security and plug all the holes opened by mobility, while helping to build a process that bakes security in from the start, rather than making it a last-step bottleneck.