How to ensure mobile apps are secure for the enterprise

As the app revolution has gathered pace and smartphones and tablets have become ubiquitous, the importance of testing app security has grown. Many companies have embraced the BYOD trend. They may even have developed applications that enable employees to have 24/7 access to business data and tools. The benefits can be counted in productivity boosts and flexibility, but there is a real and present danger that is being ignored all too often.

How many of these enterprise apps have undergone security penetration testing? Could the mobile apps your business uses be jeopardizing your data security or even regulatory compliance?


What are the risks?

We are seeing a dramatic rise in the number of threats challenging IT departments globally through mobile platforms. Malware has become commonplace and Trojans are used to collect sensitive data from the host device. There is also a worrying growth in the number of online attacks that seek to exploit vulnerabilities in software. A staggering 56 percent of exploits blocked by Kaspersky in Q3 of 2012 used Java vulnerabilities.

Malware can find its way onto your employee’s smartphone via emails, text messages, spoofed websites, browser hijacks, and apps or other content they willingly download. If you consider that the device is a potential access point to your network, and that it’s likely configured for automatic entry, then you can start to see the risk.


Many app solutions are not secure

It’s important to have secure apps that are easy to use. Many employees will seek out their own tools for collaboration and may use popular cloud-based apps that are designed for the mass market. The trouble is that these apps are not designed for enterprise use and they don’t have enterprise-level encryption.

Even when developers are engaged to create apps for businesses, security is often an afterthought. You can’t assume that the developer will provide the level of security you require. It must be explicitly agreed in your contract, and it must be tested and verified by a third party. You cannot afford blind trust; there must be some form of due diligence.


Tips for secure apps

Consider how the app accesses your network. You need to authenticate the user and encrypt data both in transit and at rest. The process must be secure and fully tested on every mobile platform you intend to support, whether it’s Windows Phone, BlackBerry, Android, or iPhone iOS. The app itself should require the user to authenticate before granting access. Remote lock and wipe of data on mobile devices is essential in case a device falls into the wrong hands, and passwords are pointless if automatic log-on is possible. You have to strike a balance between convenience and security.

You might be confident in your company firewall within the wired network of your office, but what happens when an employee connects to a public Wi-Fi hotspot? You need to consider deep packet inspection at the network gateway. Application traffic must be monitored carefully. Maintain an audit trail for all data access. Monitoring and reporting is often an important factor in meeting regulatory requirements. It’s also important to consider other device features such as SMS or Bluetooth, which can interact with the application layer and become additional channels for application data.


Testing is essential

It’s one thing to outline your requirements, but quite another to verify that your shiny new enterprise app meets them fully. The only way to be certain is to conduct proper mobile security penetration testing. The ideal approach is to engage a third party with no vested interest to put your app to the test. They will bring the right blend of skills and experience to bear. It’s not just about employing manual and automated tools to audit your mobile application, but also about the know-how to probe for weaknesses and uncover vulnerabilities that could be exploited.

If you want to be confident that your mobile apps are secure enough for enterprise use, then you must put them through penetration testing. App developers can benefit enormously by including this process as part of the development cycle, but since getting the app to market overrides concerns for security, far too few bother with pen testing. A few rounds of testing and tweaking can result in a secure app that’s fully credentialed and compliant with industry regulations. As a prospective buyer you should demand nothing less.



By Michelle Drolet, founder and CEO, Towerwall
Special to the Boston Business Journal & Mass High Tech

This article was recently published in Boston Business Journal

Mobile Devices Get Means For Tamper-Evident Forensic Auditing

The convenience of mobile devices has led to their rapid proliferation in the workplace. But along with that convenience come security and compliance issues that erode trust. Risk management for mobile devices is of rising concern, particularly in highly regulated industries such as healthcare and finance.

In order to detect security breaches and guarantee compliance, tamper “proofing” has not been sufficient. When it comes time for a forensic audit, the ability to detect unauthorised changes to digital files becomes invaluable in an investigation.

At the Black Hat conference, Mike Gault of Guardtime observed that “Enterprises and government agencies don’t want to rely on trust authorities when it comes to ensuring transaction trails are secure. They’re looking for proof – an independent verifiable audit trail.”

The Institute of Internal Auditors says that internal audits are the leading method of detecting fraud across all industries. Compliance policies, of course, require clear audit trails, but that is not always sufficient. Having a means to more easily recognise tampering can improve audits by flagging digital files that have been altered or suffered deletions in the time since they were created.

Using tools to provide evidence of tampering, rather than simply attempting to stop it, can simplify and shorten investigation times for security breaches. These applications also shore up trust in mobile devices and the data they access or carry by validating it.

Keyless signature technology has been tapped to provide the best tamper-evident applications for mobile devices, cloud computing, and any other less-than-secure method of disseminating information. Rather than relying on keys, secrets, or other third-party information, this method uses hash functions for data verification. It produces a signature recording the time, integrity, and origin (business, computer, or user) of the information, against which a received copy of the file can later be compared.

The keyless signature method is highly scalable and benefits from a simpler validation method. Certificate-based validation schemes are often very complex and have management issues such as the revocation or expiration of the validating instrument. In addition, keyless signatures can be appended to almost any type of file or file format, and the signature can be embedded in the file, stored in a separate file alongside the original, or kept entirely apart from it if needed.

By integrating keyless signature technology with mobile risk management, government and enterprise can more easily comply with auditing policies. The forensic logs and audit records provided by these types of solutions are extremely transparent. Not only are the data and the device validated; the audit trail itself is secured.
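The two ideas above, a hash-based detached signature for a file and an audit trail whose records protect each other, can be seen in a small worked example. This is an added illustration written for this page; it is not code from Guardtime, Fixmo, or the article, and it deliberately simplifies: a real keyless signature service obtains the time and anchors the hashes through an independent source so a verifier need not trust the signer, whereas here the caller supplies the origin and timestamp, so the example shows only the detection side (a changed file, an edited record, a record removed from the end). All file contents, device names and events are constructed sample data.

```python
import copy
import hashlib
import hmac
import json

# Sentinel for the first link in the chain (constructed; any fixed value works).
GENESIS = "0" * 64


def file_digest(data: bytes) -> str:
    """Hash the file content; the signature stores only this digest, never the content."""
    return hashlib.sha256(data).hexdigest()


def make_signature(data: bytes, origin: str, signed_at: str) -> dict:
    """Build a detached signature record carrying time, integrity and origin.

    origin and signed_at are supplied by the caller in this example; a production
    keyless signature service would obtain them from an independent source.
    """
    return {"origin": origin, "time": signed_at, "sha256": file_digest(data)}


def verify_signature(data: bytes, sig: dict) -> bool:
    """Recompute the digest of the received file and compare it with the stored one."""
    return hmac.compare_digest(file_digest(data), sig["sha256"])


def _link(prev: str, event: dict) -> str:
    """Each link covers the previous link plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


def append_record(trail: list, event: dict) -> str:
    """Append an audit event chained to the previous record; returns the new head link."""
    prev = trail[-1]["link"] if trail else GENESIS
    link = _link(prev, event)
    trail.append({"prev": prev, "event": event, "link": link})
    return link


def verify_trail(trail: list, stored_head: str) -> tuple:
    """Check the chain against a head link that was stored apart from the log.

    Returns (True, -1) when intact. Returns (False, i) where i is the index of the
    first record whose link or predecessor does not verify (an edit or a deletion
    in the middle), or (False, len(trail)) when every record verifies but the final
    link differs from stored_head (records removed from the end).
    """
    expected_prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev"] != expected_prev or _link(rec["prev"], rec["event"]) != rec["link"]:
            return False, i
        expected_prev = rec["link"]
    if expected_prev != stored_head:
        return False, len(trail)
    return True, -1


def demo() -> dict:
    """Sign a file, tamper with a copy, then audit an intact, an edited and a truncated trail."""
    # Constructed sample document and a tampered copy of it.
    report = b"Q3 expense report: total 12,450.00"
    sig = make_signature(report, origin="finance-tablet-07", signed_at="2012-11-02T09:15:00Z")
    tampered = report.replace(b"12,450.00", b"21,450.00")

    # Constructed audit events for that document on a mobile device.
    trail = []
    for event in (
        {"device": "finance-tablet-07", "action": "create", "file": "q3-expenses.txt"},
        {"device": "finance-tablet-07", "action": "transfer", "file": "q3-expenses.txt"},
        {"device": "finance-tablet-07", "action": "delete", "file": "q3-expenses.txt"},
    ):
        head = append_record(trail, event)
    # The head link is kept apart from the log, like a detached signature.

    edited = copy.deepcopy(trail)
    edited[1]["event"]["action"] = "read"   # rewrite history in the middle
    truncated = trail[:-1]                   # drop the last record

    return {
        "original_file_ok": verify_signature(report, sig),
        "tampered_file_ok": verify_signature(tampered, sig),
        "intact_trail": verify_trail(trail, head),
        "edited_trail": verify_trail(edited, head),
        "truncated_trail": verify_trail(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of keeping the head link (and the file signature) separate from the log is that an attacker who can rewrite the log on the device cannot also make the separately stored value agree with it; the chain alone would not notice a record quietly dropped from the end, which is why the check compares the final link with the stored head.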

Says Rick Segal, CEO of mobile risk management provider Fixmo: “When it comes to proving compliance, the ability to verify a document’s integrity before and after a transfer is just as important as ensuring the data it contains is accurate and verified. The integration of keyless signatures and mobile risk management ensures our customers can confidently prove compliance in an auditable fashion across all corporate-liable and employee-owned (BYOD) devices on their network.”

Gartner announced that for 2012 cloud computing will become more mainstream, with a 10X increase in deployments. Tamper-evident forensic auditing is not only a requirement for compliance of mobile devices; it will also serve to enhance cloud computing security and trust.

By lessening dependence on third-party trust instruments and integrating easily with almost any file system, keyless signatures improve data integrity and provide a means of proving authenticity for each mobile device in use.



By Michelle Drolet, founder and CEO, Towerwall
Special to Business Computing World

This article was recently published in Business Computing World