Are mobile apps truly enterprise-secure?

Many companies have embraced the BYOD trend. They may even have developed applications that enable employees to have 24/7 access to business data and tools. The benefits can be counted in productivity boosts and flexibility, but there is a real and present danger that is being ignored all too often.

How many of these enterprise apps have undergone security penetration testing? Could the mobile apps your business uses be jeopardising your data security or even regulatory compliance?

What are the risks?

We are seeing a dramatic rise in the number of threats challenging IT departments globally through mobile platforms. Malware has become commonplace and Trojans are used to collect sensitive data from the host device.

There is also a worrying growth in the number of online attacks that seek to exploit vulnerabilities in software. A staggering 56% of exploits blocked by Kaspersky in Q3 of 2012 used Java vulnerabilities.

Malware can find its way onto your employee’s smartphone via emails, text messages, spoofed websites, browser hijacks, and apps or other content they willingly download. If you consider that the device is a potential access point to your network, and that it’s likely configured for automatic entry, then you can start to see the risk.

Many app solutions are not secure

It’s important to have secure apps that are easy to use. Many employees will seek out their own tools for collaboration and may use popular cloud-based apps that are designed for the mass market. The trouble is that these apps are not designed for enterprise use and they don’t have enterprise-level encryption.

Even when developers are engaged to create apps for businesses, security is often an afterthought. You can’t assume that the developer will provide the level of security you require. It must be explicitly agreed in your contract, and it must be tested and verified by a third party. You cannot afford blind trust; there must be some form of due diligence.

Tips for secure apps

Consider how the app is accessing your network. You need to authenticate the user and encrypt data in transit and at rest. The process must be secure and fully tested for all of the mobile platforms that you intend to support, whether it’s Windows Phone, BlackBerry, Android, or iPhone iOS.

Access to the app should require some authentication from the user. Remote lock and wipe of data from mobile devices is essential in case the device falls into the wrong hands, and passwords are pointless if automatic log-on is possible. You have to strike a balance between convenience and security.

You might be confident in your company firewall within the wired network of your office, but what happens when an employee connects to a public Wi-Fi hotspot? You need to consider deep packet inspection at the network gateway.

Application traffic must be monitored carefully. Maintain an audit trail for all data access. Monitoring and reporting is often an important factor in meeting regulatory requirements. It’s also important to consider other device features, such as SMS or Bluetooth, which could interact with the application layer.
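The tips above (authenticate the user, don’t let a lost device keep silently logging on, and keep an audit trail of every data access) can be seen together in one small server-side sketch. The following is an added example, not code from the article or from Towerwall; the `Backend` class, the usernames, the passwords and the session lifetime are all constructed for illustration, and the audit trail is a simple hash chain so that tampering with an earlier record is detectable.

```python
"""Added example (not from the original article): a minimal backend for an
enterprise mobile app showing salted password verification, short-lived
session tokens (so a stolen device cannot stay logged on indefinitely and
the server can revoke sessions as part of a remote lock/wipe), and a
hash-chained audit trail of every authentication and data-access event.
All names and values below are constructed for illustration."""
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000   # constructed value; tune to your hardware in production
SESSION_TTL = 900         # seconds; a lost device must re-authenticate after this
GENESIS = "0" * 64        # "previous hash" of the first audit record


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Backend:
    def __init__(self):
        self._users = {}      # username -> (salt, digest)
        self._records = {}    # username -> business data the app serves
        self._sessions = {}   # token -> (username, expiry timestamp)
        self.audit = []       # append-only, hash-chained audit records

    def register(self, username, password, data):
        self._users[username] = hash_password(password)
        self._records[username] = data

    def login(self, username, password, now=None):
        """Verify the password and issue a random, expiring session token."""
        now = time.time() if now is None else now
        entry = self._users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = entry if entry else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if entry is None or not hmac.compare_digest(candidate, stored):
            self._log("login_failed", username, now)
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + SESSION_TTL)
        self._log("login_ok", username, now)
        return token

    def read_data(self, token, now=None):
        """Serve business data only for a live session; every outcome is audited."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            self._log("access_denied", "unknown-token", now)
            return None
        username, expires = session
        if expires < now:
            self._sessions.pop(token)   # expired: force re-authentication
            self._log("session_expired", username, now)
            return None
        self._log("data_read", username, now)
        return self._records[username]

    def revoke_user(self, username, now=None):
        """Server-side half of a remote lock: drop every session for the user."""
        now = time.time() if now is None else now
        stale = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in stale:
            del self._sessions[t]
        self._log("sessions_revoked", username, now)
        return len(stale)

    def _log(self, event, username, ts):
        """Append a record whose hash covers the previous record's hash."""
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        record = {"ts": ts, "event": event, "user": username, "prev": prev}
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(body).hexdigest()
        self.audit.append(record)

    def verify_audit(self):
        """Recompute the chain; any edited, dropped or reordered record breaks it."""
        prev = GENESIS
        for rec in self.audit:
            if rec["prev"] != prev:
                return False
            body = {k: v for k, v in rec.items() if k != "hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True
```

The point of the hash chain is that the audit trail the regulator asks for is only useful if it can be shown not to have been edited after the fact; with the chain, altering one record invalidates every record after it. The `now` parameter exists so that token expiry and revocation can be exercised deterministically in tests.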

Testing is essential

It’s one thing to outline your requirements, but quite another to verify that your shiny new enterprise app meets them fully. The only way to be certain is to conduct proper mobile security penetration testing. The ideal approach is to engage a third party with no vested interest to put your app to the test.

They will bring the right blend of skills and experience to bear. It’s not just about employing manual and automated tools to audit your mobile application, but also about the know-how to probe for weaknesses and uncover vulnerabilities that can be exploited.

If you want to believe that your mobile apps are secure enough for enterprise use, then you must put them through penetration testing. App developers can benefit enormously by including this process as part of the development cycle, but since getting the app to market often overrides security concerns, far too few bother with pen testing.

A few rounds of testing and tweaking can result in a secure app that’s fully credentialed and compliant with industry regulations. As a prospective buyer, you should demand nothing less.

By Michelle Drolet, founder and CEO, Towerwall
Special to AppsTechNews.com

This article was recently published in www.AppsTechNews.com

A case for the growing need for application security

Islamist element in attacks

A pro-Islamic, anti-American hacking campaign appears to have jumped the gun and started early with hundreds of sites being compromised today.

Set to take place on May 7 this month – thought to be US time – and targeting government sites in the US, Israel and India, the campaign is called #OpUSA. It is coordinated mainly through Twitter and postings on sites like Pastebin, with an unknown number of participants.

However, lists of compromised sites are already appearing, with a group called “X-Blackerz Inc” claiming to have hacked “100 US websites”, posting anti-American messages.

iTnews loaded some of the sites listed which have India-related domain names, and found them defaced.

Elsewhere, a group calling itself Charaf Anons posted a list of 73 defaced sites on Pastebin.

Image: Website defaced by Charaf Anons

The website of the Honolulu, Hawaii Police Department was also claimed to be hacked, but as of writing, it is not defaced and operates normally. However, the hackers say they have captured databases that include the Honolulu Police Department staff logins and passwords. Another list was also posted with names and phone numbers that iTnews was able to verify as belonging to police officers in Honolulu.

There is more to come: on May 7, the hackers are threatening to release a trove of “all governments emails of USA” [sic] captured by them.

Image: From the Anonghost Twitter account

Security researcher Analysis Intelligence believes OpUSA features “self-proclaimed online freedom fighters” such as the Pakistani ZCompany Hacking Crew and the Palestinian Izz ad-Din al-Qassam Cyber Fighters.

These and other groups have hacked thousands of websites in the past, leaked credit card information for American and Israeli individuals and launched denial of service attacks against US banks, according to Analysis Intelligence.

The motive for the OpUSA attacks is political, seeking revenge for drone attacks and military action in Iraq, Afghanistan, Gaza and Pakistan, the analysts believe.