With mobility comes an inherent security risk
The proliferation of wearable technologies, and the lack of standards for the applications that come with them, means that devices and enterprises will need to overhaul their security paradigms. Mobile personal devices are no longer only personal devices; they are “all-in-one” devices used for personal as well as official communication needs. The use of personal devices for corporate communication is encouraged by many enterprises because it increases employee productivity. This is reflected in more and more enterprises moving towards adopting “bring-your-own-device” (BYOD).
However, with freedom come responsibilities. The BYOD approach has a downside: potential compromise of network security and of the protection of private and business-sensitive data. Mobile device applications that employees use for corporate communication store data unencrypted, and in addition their network connections and communication are not always secure. This leaves sensitive data accessible to other applications and to unauthorized or unintended users of the device. A compromised device or a malware application can endanger other applications or the device itself.
The nature and impact of such threats depend on the set of applications an enterprise needs to have. The sensitivity and importance of particular data, and the level of protection it requires, also vary from enterprise to enterprise.
There are solutions available, and more coming to market, that can separate corporate-sensitive data and defend against security threats from malicious applications. However, all these solutions are generic in nature and do not address specific needs. In such a scenario, the right first step for any enterprise is to assess app security risk in detail before deployment. A good assessment helps in understanding the vulnerabilities of the apps, their severity, the business impact, and the possibility of leakage of sensitive and important corporate data. Such understanding is the first-hand information IT needs in order to revise policies or procure tools to combat the threats.
Technically, a good assessment of mobile device applications should help understand:
- the set of possible attacks and vulnerabilities specific to the application, and the severity of their impact
- the business-sensitive data that the application will access and expose to other apps or over the network
- the security of app-generated data at rest
- the authentication and authorization levels required to access the app
- the ability of the application to perform a remote wipe if the device is stolen, lost or hacked
- average usage levels of critical resources such as power, network bandwidth, CPU and memory
- the security of network connectivity when connecting to the corporate VPN, peer devices, web pages and other runtime connections of the app, and the kind of data exchanged over them
In reality, security assessment of mobile apps cannot be a one-time activity. The best results come when periodic assessments are performed and aligned with the lifecycle activities of the applications. An assessment exercise is only the first step in understanding the risks involved. It should be followed by a remediation stage in which the vulnerabilities are addressed and the necessary policy changes are made. A verification stage can then follow, during which a re-assessment is performed to verify that the actions taken in the remediation stage have had their intended effect.
The method and approach to assessment can combine one or more techniques. Android applications, for example, are Java programs running on the Dalvik virtual machine. A runtime environment can be set up in a lab along with security test tools, such as penetration-testing tools that try to re-create an attack scenario. Another method is to decompile the app binary and perform source code analysis. For detailed and in-depth analysis, instrumented virtual machines or special-purpose app container software can also be used. Often a combination of the above techniques is used.
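As an added illustration of the decompile-and-analyse approach (example code written for this page, not Dunst Consulting's tooling or any real assessment product), the following Python script runs a handful of static checks over constructed stand-ins for a decompiled app's AndroidManifest.xml and Java sources. It flags the data-at-rest and network items from the checklist above: backup and cleartext-traffic settings, exported components that declare no permission, world-readable storage, secrets written to SharedPreferences, hardcoded http:// URLs and an empty trust-all TrustManager. The manifest, the source snippets, the package name and the severity ratings are all assumptions made up for the example.

```python
"""Toy static-analysis pass over decompiled Android sources (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed inputs standing in for the output of a decompiler; not from a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.corpmail">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
    <provider android:name=".MailProvider" android:authorities="com.example.corpmail.mail" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true" android:permission="com.example.corpmail.SYNC"/>
  </application>
</manifest>
"""

SAMPLE_SOURCES = {
    "com/example/corpmail/Session.java": """
        SharedPreferences prefs = ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE);
        prefs.edit().putString("password", password).apply();
    """,
    "com/example/corpmail/Api.java": """
        URL url = new URL("http://mail.example.internal/api/sync");
        X509TrustManager trustAll = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        };
    """,
}


@dataclass
class Finding:
    rule: str
    severity: str   # "HIGH" or "MEDIUM" (ratings are assumptions for this example)
    location: str   # manifest element or source path:line
    detail: str


def check_manifest(manifest_xml: str) -> List[Finding]:
    """Flag application-wide settings and exported components lacking a permission."""
    findings: List[Finding] = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    if app.get(ANDROID_NS + "allowBackup") == "true":
        findings.append(Finding("allow-backup", "MEDIUM", "<application>",
                                "app-private data can be copied off the device by a backup"))
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append(Finding("cleartext-traffic", "HIGH", "<application>",
                                "app opts in to unencrypted HTTP traffic"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        # Only explicit exported="true" is checked; components implicitly exported by
        # intent filters on older target SDKs would need a further rule.
        if comp.get(ANDROID_NS + "exported") == "true" and not comp.get(ANDROID_NS + "permission"):
            findings.append(Finding("exported-unprotected", "HIGH",
                                    f"<{comp.tag} {comp.get(ANDROID_NS + 'name', '?')}>",
                                    "reachable by any other app on the device, no permission declared"))
    return findings


# (rule, severity, pattern matched line by line, explanation)
SOURCE_RULES = [
    ("world-readable-storage", "HIGH", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "file or preferences readable by other apps"),
    ("secret-in-prefs", "HIGH", re.compile(r'putString\(\s*"(password|passwd|token|secret)"'),
     "credential stored in SharedPreferences, which is plaintext on disk"),
    ("hardcoded-http-url", "MEDIUM", re.compile(r'"http://[^"]+"'),
     "plaintext endpoint, data exposed on the network"),
    ("trust-all-tls", "HIGH", re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
     "empty certificate check disables TLS server authentication"),
]


def check_sources(sources: Dict[str, str]) -> List[Finding]:
    """Run the line-oriented source rules over every decompiled file."""
    findings: List[Finding] = []
    for path, code in sources.items():
        for lineno, line in enumerate(code.splitlines(), 1):
            for rule, severity, pattern, detail in SOURCE_RULES:
                if pattern.search(line):
                    findings.append(Finding(rule, severity, f"{path}:{lineno}", detail))
    return findings


def assess(manifest_xml: str, sources: Dict[str, str]) -> List[Finding]:
    return check_manifest(manifest_xml) + check_sources(sources)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, the headline number an assessment report leads with."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    for f in results:
        print(f"[{f.severity}] {f.rule} at {f.location}: {f.detail}")
    print(summarize(results))
```

Each finding maps back to a checklist item (data at rest, exposure to other apps, network security), so the output can be read straight into a remediation list; a re-run of the same script after fixes is the verification step described above. Pattern rules like these are a starting point only, and dynamic analysis in an instrumented runtime is still needed for behaviour the source does not show.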
Dunst Consulting offers deep expertise in network and security and has the capability to offer a comprehensive security assessment service exclusively for mobile apps. An “essential” assessment service inspects the application for the most serious and severe security threats. An “exclusive” assessment is a very detailed exercise that covers most of the security threats known in the app security landscape today.
Vinod Soman Nair