The downside of DIY app security in the mobile enterprise


Enterprises are increasingly turning to mobile apps to make their core business processes more efficient, engage more directly with their customers, and extract additional value from their digital initiatives. Some even envision the mobile app interface as the face of the future.

But it’s a long way from enthusiasm to enterprise-wide adoption. So what’s standing in the way? In a word, security. According to the Ponemon Institute, 79 per cent of respondents in the 2017 Study on Mobile and IoT Application Security say that the use of mobile apps significantly increases security risk.

Securing mobile apps is never easy, and app security often takes a back seat to ensuring that mobile apps are ergonomic. Just as we don’t expect security experts to be adept at developing functional, visually appealing apps, we shouldn't expect app developers to be experts in secure network transmission protocols, encryption, or certificate validation.

The distinct attributes of mobile app security 

Securing an app is different from securing a network. Traditional enterprise security focuses on combating malware, phishing, and advanced persistent threats, and the security measures that protect networks and other systems against such exploits are well defined. But mobile app developers have many more elements to consider. Developers must take into account authentication schemes, encryption, network connections, data transmission, access to back-end storage, APIs, and highly powerful mobile and IoT devices that are increasingly beyond the control of the corporations whose apps and data run on them.

Nearly 25 per cent of all mobile apps incorporate at least one high-risk security flaw. In 2016, the mobile app-testing organisation NowSecure analysed more than 400,000 apps in the Google Play store and found that 10.8 per cent leaked sensitive data over the network, such as a user’s name and credentials, GPS data, and the device’s media access control (MAC) address. Business apps were found to be three times more likely to leak usernames and passwords than the typical non-business app.

App security—mobile or otherwise—is more challenging than device security, because software has many more exploitable “holes.” According to the Open Web Application Security Project (OWASP), enterprise applications are currently prey to a number of critical risks, including:

Cross-site scripting
Broken authentication and session management
Insecure direct object references
Cross-site request forgery
Security misconfiguration
Failure to restrict URL access
Insecure cryptographic storage
Insufficient transport layer protection
Unvalidated redirects and forwards

Encryption is king

Many developers try to “roll their own” encryption, but encryption is complex and offers countless opportunities for failure. A report on mobile trading app security found that more than 60 per cent of Android and iOS mobile apps failed to validate SSL certificates, left sensitive data in the logging console, failed to store data securely, or contained hardcoded secrets. Even worse, more than 95 per cent of these apps did not detect whether they were running on jailbroken or rooted devices or did not support privacy mode. When security is so critical to a business, why are app vulnerabilities so prevalent and so overlooked? One clear reason is perceived cost. Building security in from the beginning and testing throughout the development process is costly. 
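As an added example (not code from the article, from the cited report, or from Blue Cedar), a small Python audit script that flags the flaw classes named above in a constructed Android source snippet: disabled certificate validation, disabled hostname verification, hardcoded secrets, credentials written to the logging console, and the absence of any root-detection heuristic. The sample source and the regular-expression rules are assumptions made here, not the report's methodology.

```python
import re

# Constructed Android (Java) sample written to exercise the checks; not from any real app.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String API_KEY = "sk_live_EXAMPLE_PLACEHOLDER";
    TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) {}
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    void login(String user, String password) {
        Log.d("ApiClient", "login " + user + " pw=" + password);
    }
}
"""

# Heuristic patterns (assumed here) for the flaw classes the report names; not a full analyser.
CHECKS = [
    # empty checkServerTrusted body: every server certificate is accepted
    ("cert-validation-disabled",
     re.compile(r"checkServerTrusted\([^)]*\)\s*\{\s*\}")),
    # hostname verification turned off: a valid cert for any host passes
    ("hostname-verification-disabled",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|verify\([^)]*\)\s*\{\s*return true;")),
    # string literal assigned to a key/secret/password-named field
    ("hardcoded-secret",
     re.compile(r'(?i)(api_?key|secret|password)\s*=\s*"[^"]+"')),
    # credentials or tokens written to logcat, where other tooling can read them
    ("sensitive-data-logged",
     re.compile(r"Log\.[dviwe]\(.*(?i:password|token|secret)")),
]

# Strings that commonly appear when an app performs some root/jailbreak check.
ROOT_DETECTION_HINTS = re.compile(r"/system/xbin/su|/system/bin/su|test-keys|RootBeer")

def scan(source: str) -> list[tuple[str, int, str]]:
    """Return (rule, line number, stripped line) for every line a rule matches."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in CHECKS:
            if pattern.search(line):
                findings.append((rule, lineno, line.strip()))
    return findings

def lacks_root_detection(source: str) -> bool:
    """True when none of the usual root-detection heuristics appear anywhere."""
    return ROOT_DETECTION_HINTS.search(source) is None
```

Running `scan(SAMPLE_SOURCE)` reports one finding per flaw class on lines 2, 4, 8 and 10 of the sample, and `lacks_root_detection(SAMPLE_SOURCE)` is True because the sample never checks for a rooted device.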

Yet, according to an IBM Development Solutions white paper, fixing security bugs in production software can be 30 times more expensive than addressing them during development. Another reason is the fear that security will impede performance or compromise usability. When mobile apps are slow or cumbersome, users silently abandon them. Adding security measures after the app is developed can create compatibility issues, delay delivery of an app, or require expensive rework—all undesirable. Finally, the pressure to deliver an app quickly can make it more tempting to avoid the hard work of securing it correctly.

One of the primary reasons for data leaks, unsafe data storage, unsecured data transmission, and hardcoded passwords and keys is a failure to implement encryption correctly. Encryption is more difficult in the mobile environment, where apps must generally connect to a server, persistently or episodically, to fully function. But when enterprise mobile apps connect to, process, or store sensitive corporate data, local app-level encryption on the device and app-specific encryption in transit become essential.

Endgame: Seamless mobile app security without tradeoffs

Mobile security solutions must offer organisations secure, scalable, and user-friendly capabilities that can safely and seamlessly protect and securely connect their mobile apps to sensitive systems of record. By focusing on securing the app itself, enterprises can offer the benefits of secure mobility to improve business or organisational outcomes.

Ultimately, businesses need to accelerate secure mobile app delivery and adoption. Invasive and restrictive mobile security solutions have become a barrier to app adoption and can be a primary reason for app abandonment. Apps must be secure and easy to use, because when users abandon a company’s mobile apps and seek alternatives, they can inadvertently increase risk to the organisation through unsecured apps. Given the number of intrusive and unintuitive security solutions currently in the data protection market, security vendors who are committed to simplifying how data is secured are well poised to succeed. 

The last word—and it’s good news

We are currently seeing significant changes in mobile app security. Users can now add comprehensive enterprise-grade security to mobile apps without hand-coding or compromising usability. Some security companies are even lifting the full burden of mobile app security from the app developer, relieving the developer of any responsibility for overall effectiveness. And we now have results proving that in-app, embedded security helps organisations automatically protect already developed apps. 

Users can upload an app, select the desired security policies, and the app is secure — with no coding required. To keep your data safe and your mobile users happy, remember to opt for secured apps that are simple to download from enterprise or public app stores. Keep an eye out for innovative capabilities, such as code obfuscation and anti-tampering features, that prevent reverse engineering once the app is deployed. The good news is that you can now have best-in-class mobile app security—without having to become a security expert.

John Aisien, CEO and Co-Founder, Blue Cedar