Organizations must take steps to ensure mobile applications don’t create security and privacy risks.
It’s all about the apps.
Mobile devices such as tablets and smartphones have fundamentally changed business processes over the past few years by providing unprecedented connectivity and driving new levels of productivity, efficiency and job satisfaction. What makes these devices powerful business tools rather than just fun electronic toys is the ever-expanding ecosystem of mobile applications.
Billions of purpose-built apps are downloaded each year, allowing users to access real-time business data, automate key processes and gain powerful insights. Equally important, organizations have greatly expanded efforts to create mobile versions of all the enterprise apps they’ve been using for years.
However, the growth of mobile apps is matched with an inevitable rise in security issues.
Attackers are increasingly seeking — and finding — vulnerabilities in mobile apps that can expose both business and personal data to risk. According to Gartner analysts, 75 percent of mobile apps fail the most basic of security tests.
“Most enterprises are inexperienced in mobile application security,” said Dionisio Zumerle, principal research analyst at Gartner. “Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”
Mobile Malware Increasing
Other studies seem to support Gartner’s findings. A recent report from Alcatel-Lucent’s Motive Security Labs division says that malware infections in mobile devices increased by 25 percent in 2014. The firm estimates that 16 million mobile devices worldwide have been infected.
The report claims mobile malware is increasing in sophistication, with more robust command and control protocols. Six of the top 20 mobile threats in 2014 were mobile spyware apps designed to track a device’s location, monitor incoming and outgoing calls and text messages, monitor emails and track the victim’s Web browsing.
Malware growth continues to be aided by the fact that the vast majority of mobile device owners do not take proper device security precautions. The Motive Security Labs survey found that 65 percent of subscribers expect their service provider to protect both their mobile and home devices.
“With malware attacks on devices steadily rising with consumer ultra-broadband usage, the impact on customer experience becomes a primary concern for service providers,” said Patrick Tan, General Manager of Network Intelligence at Alcatel-Lucent. “As a result, we’re seeing more operators take a proactive approach to this problem by providing services that alert subscribers to malware on their devices along with self-help instructions for removing it.”
Proactive Testing is Key
Still, businesses can’t afford to depend solely upon software vendors and service providers for the security of their mobile computing environment. Gartner says it is imperative that organizations develop their own methods and technologies for mobile application security testing and risk assurance.
Gartner expects existing static application security testing (SAST) and dynamic application security testing (DAST) vendors will modify and adjust these technologies to address mobile application cases and meet mobile application security testing challenges. Although SAST and DAST have been used for the past six to eight years and have become reasonably mature, mobile testing is a new space, even for these technologies.
In addition to SAST and DAST, a new type of test — behavioral analysis — is emerging for mobile applications. The testing technology monitors a running application to detect malicious or risky behavior in the background. For example, this test would raise a red flag if an active audio player accesses a user’s contact list or geolocation and initiates data transmission to some external IP address.
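As an added illustration of the behavioral-analysis idea (this is not code from the article or from any vendor it cites), the script below runs a simple detection rule over a constructed runtime trace: an app in a declared category touches a sensitive resource that category has no business using, and within a short window sends data to an address outside the internal ranges. The event format, the per-category baselines, the 30-second window and the internal address list are all assumptions chosen for the example.

```python
"""Toy behavioural analysis for a running mobile app (added illustration;
the event format, category baselines and 30-second window are assumptions,
not any vendor's product)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    """One observed runtime action, as a monitoring agent might report it."""
    t: float          # seconds since app launch
    kind: str         # "access" (touched a resource) or "net_send"
    detail: str       # resource name for "access", destination IP for "net_send"
    nbytes: int = 0   # bytes transmitted, only meaningful for "net_send"


# Assumed per-category baseline: resources an app of that type legitimately uses.
EXPECTED: Dict[str, Set[str]] = {
    "audio_player": {"storage", "microphone"},
    "navigation": {"location", "storage"},
    "messaging": {"contacts", "camera", "storage"},
}
# Resources whose unexpected use followed by an upload is worth an alert.
SENSITIVE: Set[str] = {"contacts", "location", "sms", "call_log", "microphone", "camera"}
# A transmission only counts as suspicious if it happens soon after the access.
WINDOW_SECONDS = 30.0
# Address ranges treated as internal; anything else counts as an external IP.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(category: str, events: List[Event]) -> List[dict]:
    """Flag each sensitive resource access that is outside the category's
    baseline and is followed within WINDOW_SECONDS by a send to an external IP."""
    expected = EXPECTED.get(category, set())
    ordered = sorted(events, key=lambda e: e.t)
    findings: List[dict] = []
    for i, ev in enumerate(ordered):
        if ev.kind != "access" or ev.detail not in SENSITIVE or ev.detail in expected:
            continue
        for later in ordered[i + 1:]:
            if later.t - ev.t > WINDOW_SECONDS:
                break  # events are time-ordered, nothing further is inside the window
            if later.kind == "net_send" and is_external(later.detail):
                findings.append({
                    "category": category,
                    "resource": ev.detail,
                    "accessed_at": ev.t,
                    "sent_to": later.detail,
                    "sent_at": later.t,
                    "bytes": later.nbytes,
                })
                break  # one finding per access is enough for triage
    return findings


# Constructed trace: an "audio player" that reads storage (fine), then the
# contact list, then talks to an internal host and shortly after to an external one.
TRACE = [
    Event(0.0, "access", "storage"),
    Event(2.0, "access", "contacts"),
    Event(5.0, "net_send", "10.0.0.5", 512),        # internal sync, not flagged
    Event(7.0, "net_send", "203.0.113.9", 48_000),  # external upload, flagged
    Event(60.0, "access", "location"),
    Event(120.0, "net_send", "203.0.113.9", 64),    # too long after the access
]


if __name__ == "__main__":
    for f in analyze("audio_player", TRACE):
        print(f"ALERT: {f['category']} read {f['resource']} at t={f['accessed_at']}s, "
              f"then sent {f['bytes']} bytes to {f['sent_to']} at t={f['sent_at']}s")
```

Run against the same trace under the "messaging" category, the contacts read is within baseline and nothing is flagged, which is the point of keying the rule on the app's declared purpose rather than on permission use alone; the time window is what keeps an unrelated upload minutes later from generating noise.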
Testing the Server Layer
Testing the client layer — the code and graphical user interface — of the mobile application that runs on the mobile device is not enough. The server layer should be tested as well. Mobile clients communicate with servers to access an enterprise’s applications and databases. Failure to protect a server creates the potential for highly damaging database breaches. Code and user interfaces of these server-side applications should therefore be tested with SAST and DAST technologies.
Gartner predicts that through 2017, 75 percent of mobile security breaches will be the result of application misconfigurations rather than deeply technical attacks on mobile devices. A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that typically go undiscovered.
“Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied,” said Zumerle. “App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors.”