Watching the tide of mobile apps come in

Those who have been in the IT industry for 20 years or more will have witnessed enough changes to fill the sea twice over.

Each change is necessary, but some are more interesting than others. For example, the rise of mobile applications is undoubtedly one of the biggest waves of change to hit the world of business.

With consumer mobile apps such as video games and social media, it is easy to spot security vulnerabilities if you are someone with a background in the field. However, mobile app developers don’t always possess a deep knowledge of security, which can ultimately leave their applications open to risks that may not have even occurred to them. Personally, I have been involved with the Public Key Infrastructure side of security since the start of my career, when I helped develop applications for the U.S. government. As such, security has always been my first consideration, so one of the first points I sought to clarify when mobile apps first emerged was who is responsible for distributing and managing mobile security certificates.

Awareness of the mobile-app-security issue has gone mainstream in the wake of recent certificate-related incidents that have captured consumers' attention. Legions of coffee drinkers deleted the Starbucks mobile apps in response to hacks that parlayed the company’s weak security into direct access to customers' bank and credit card accounts. Similarly, the OnStar RemoteLink app's weak certificate checks enabled hackers to track, unlock, and even start GM cars remotely, which made GM drivers think hard about using the vehicle manufacturer’s mobile app. GM fixed the issue, but many of its rivals seemed to have ignored it; recently, a hacker exploited the very same certificate weakness in iOS applications for BMW, Mercedes, and Chrysler.

Problems like these show just how crucial digital keys and certificates are; indeed, they are the foundation of security for all connected devices. Yet with even the most conservative organisations developing business applications for mobile devices today, keeping track of them has become difficult.

As I write this, businesses continue to expose information that was previously restricted to their own networks. To further muddy the mobile-security waters, the ‘Bring Your Own Device’ revolution has meant that employees are accessing business information using devices that are outside of organisational control. All of this has made verifying digital certificates that much more difficult. Yet until these conditions change, cybercriminals will be able to misuse digital certificates and take advantage of company or employee data residing on mobile devices, simply because it's easy to do.

To prevent this from happening, mobile app developers must be able to secure and protect their cryptographic keys and digital certificates. Organisations need to use a cybersecurity tool that allows developers to discover and control certificates on mobile devices. Just as the human immune system patrols the body to identify pathogens and anomalies, such tools patrol mobile devices on networks to identify certificate anomalies and risks to rapidly revoke problem certificates.

They also integrate with most mobile device management (MDM) solutions to help enforce businesses' established policies, which can keep them afloat on a sea of regulations and security requirements.

Hari Nair, Director, product management, Venafi