As the app revolution has gathered pace and smartphones and tablets have become ubiquitous, the importance of testing app security has grown. Many companies have embraced the BYOD trend. They may even have developed applications that enable employees to have 24/7 access to business data and tools. The benefits can be counted in productivity boosts and flexibility, but there is a real and present danger that is being ignored all too often.
How many of these enterprise apps have undergone security penetration testing? Could the mobile apps your business uses be jeopardizing your data security or even regulatory compliance?
We are seeing a dramatic rise in the number of threats challenging IT departments globally through mobile platforms. Malware has become commonplace and Trojans are used to collect sensitive data from the host device. There is also a worrying growth in the number of online attacks that seek to exploit vulnerabilities in software. A staggering 56 percent of exploits blocked by Kaspersky in Q3 of 2012 used Java vulnerabilities.
Malware can find its way onto your employee’s smartphone via emails, text messages, spoofed websites, browser hijacks, and apps or other content they willingly download. If you consider that the device is a potential access point to your network, and that it’s likely configured for automatic entry, then you can start to see the risk.
It’s important to have secure apps that are easy to use. Many employees will seek out their own tools for collaboration and may use popular cloud-based apps that are designed for the mass market. The trouble is that these apps are not designed for enterprise use and they don’t have enterprise level encryption.
Even when developers are engaged to create apps for businesses, security is often an afterthought. You can’t assume that the developer will provide the level of security you require. It must be explicitly agreed in your contract, and it must be tested and verified by a third party. You cannot afford blind trust; there must be some form of due diligence.
Consider how the app is accessing your network. You need to authenticate the user and encrypt data in transit and at rest. The process must be secure and fully tested for all of the mobile platforms that you intend to support, whether it’s Windows Phone, BlackBerry, Android, or iPhone iOS. Access to the app should require some authentication from the user. Remote lock and wipe of data from mobile devices is essential in case the device falls into the wrong hands, and passwords are pointless if automatic log-on is possible. You have to strike a balance between convenience and security.
You might be confident in your company firewall within the wired network of your office, but what happens when an employee connects to a public Wi-Fi hotspot? You need to consider deep packet inspection at the network gateway. Application traffic must be monitored carefully. Maintain an audit trail for all data access. Monitoring and reporting is often an important factor in meeting regulatory requirements. It’s also important to consider other device features, such as SMS or Bluetooth, which could interact with the application layer.
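The two paragraphs above set out requirements (authenticated users, encryption in transit, no indefinite automatic log-on, an audit trail for every data access) without showing how a tester turns them into a repeatable check. The script below is an added illustration, not part of the original article or any tool the author describes: it runs a constructed sample of app access records through those requirements and reports which ones fail. The record format, field names and the 15-minute session limit are assumptions chosen for the example; a real review would derive them from the app’s own logs and the organization’s policy.

```python
"""Check constructed mobile-app access records against the article's requirements:
authenticated user, encrypted transport, bounded session age (no permanent
auto-login) and an audit-trail entry for every data access.
Illustrative example; the record layout and policy values are assumed."""

from dataclasses import dataclass
from typing import Dict, List

# Assumed policy: a session older than this must have re-authenticated.
MAX_SESSION_AGE_SECONDS = 15 * 60


@dataclass(frozen=True)
class AccessRecord:
    request_id: str
    scheme: str            # "https" or "http"
    path: str
    user: str              # "" when no authenticated identity was presented
    session_age_s: int     # seconds since the user last authenticated
    audited: bool          # True when a matching audit-trail entry exists


# Constructed sample records (not real traffic).
SAMPLE_RECORDS: List[AccessRecord] = [
    AccessRecord("r1", "https", "/api/reports",   "alice", 120,    True),
    AccessRecord("r2", "http",  "/api/reports",   "alice", 120,    True),   # plaintext
    AccessRecord("r3", "https", "/api/customers", "",      0,      True),   # no auth
    AccessRecord("r4", "https", "/api/customers", "bob",   86400,  True),   # day-old session
    AccessRecord("r5", "https", "/api/payroll",   "carol", 300,    False),  # not audited
]


def check_record(rec: AccessRecord) -> List[str]:
    """Return the list of requirement violations for one record (empty if compliant)."""
    findings: List[str] = []
    if rec.scheme.lower() != "https":
        findings.append("data not encrypted in transit")
    if not rec.user:
        findings.append("no authenticated user")
    if rec.session_age_s > MAX_SESSION_AGE_SECONDS:
        findings.append("session exceeds maximum age; automatic log-on suspected")
    if not rec.audited:
        findings.append("missing audit-trail entry")
    return findings


def review(records: List[AccessRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant request id to its findings; compliant records are omitted."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            result[rec.request_id] = findings
    return result


if __name__ == "__main__":
    for request_id, findings in review(SAMPLE_RECORDS).items():
        print(request_id, "->", "; ".join(findings))
```

The point of separating check_record from the data is that the same rules can be run over every platform build the article mentions, so a finding on one platform is evidence that the requirement was not met, rather than an opinion about the design.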
It’s one thing to outline your requirements, but quite another to verify that your shiny new enterprise app meets them fully. The only way to be certain is to conduct proper mobile security penetration testing. The ideal approach is to engage a third party with no vested interest to put your app to the test. They will bring the right blend of skills and experience to bear. It’s not just about employing manual and automated tools to audit your mobile application, but also the know-how to probe for weaknesses and uncover vulnerabilities that can be exploited.
If you want to believe that your mobile apps are secure enough for enterprise use, then you must put them through penetration testing. App developers can benefit enormously by including this process as part of the development cycle, but since getting the app to market overrides concerns for security, far too few bother with pen testing. A few rounds of testing and tweaking can result in a secure app that’s fully credentialed and compliant with industry regulations. As a prospective buyer, you should demand nothing less.
By Michelle Drolet, founder and CEO, Towerwall
Special to the Boston Business Journal & Mass High Tech
This article was recently published in Boston Business Journal