
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
July 26, 2016


Mobile app security in a BYOD environment

Mobile app security is a major issue, says Brent Whitfield, CEO of DCG Technical Solutions.

Popular smartphone apps can be convenient and increase productivity, but they can also carry malware that gives hackers easy access to sensitive personal or company information. Mobile security firms and experts consistently report that somewhere between 75% and 100% of all apps have been hacked.

In 2015, Gartner claimed that 75% of all mobile applications failed basic security tests. And an IBM study found that 40% of large companies aren’t scanning the apps that they build for customers for security vulnerabilities.


Mobile apps are vulnerable to attacks

First of all, it is easy to hack an app. There are freely available tools on the market that can reverse engineer the binary code of an app back to the source code.

And the resulting reverse engineered code is close to the original source code. The hacker can then analyze the source code and extract sensitive information or identify security vulnerabilities.

That allows the hacker to find the optimum attack vector: code modification or payload insertion. Or, when the hacker has the original source code, he can settle on a method swizzling approach.

Method swizzling is a technique that allows a runtime code substitution without modifying the source code. With the detailed knowledge of the source code, the hacker can then develop a malicious app that replaces a method call – of, for example, a banking app – with his own method call to divert a financial transaction.

So mobile app security starts with application design and coding.

Second, as mentioned earlier, most of the available apps have already been hacked. So the download of an innocent-looking app with a malicious payload, controlled by a command-and-control server, allows the hacker to query all apps on a device and structure his attack vector.

Mobile app security management in a BYOD environment

You have built a secure mobile application, and tested and resolved the security vulnerabilities. But as secure as an application is, its security relies on the security of the mobile device.

Jailbroken devices or the presence of applications with a malware payload can represent a security risk that may be fine for certain enterprise apps but not for others.

In a BYOD environment where companies need to manage jailbroken devices and rogue applications, they need to consider Mobile Device Management (MDM) software. MDM is commonly deployed to enforce policies.

An organization might use MDM to enforce device encryption and a strong PIN code, and to allow for remote wipe in the event of theft or loss. But the full range of MDM functionality also includes an inventory of installed applications.

Using this functionality and up-to-date intelligence sources and application reputation services, application capabilities could be enabled or disabled based on the device risk profile.
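The risk-profile gating described above can be sketched as follows. This is an added example, not code from the article or from any MDM product; the capability names, score weights, thresholds, device fields and sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy: highest device risk score (0-100) each capability tolerates.
CAPABILITY_MAX_RISK = {
    "corporate_directory": 60,  # low sensitivity
    "email": 30,
    "finance_approvals": 10,    # high sensitivity, needs a clean device
}

@dataclass
class Device:
    device_id: str
    jailbroken: bool
    encrypted: bool
    strong_pin: bool
    installed_apps: list = field(default_factory=list)

def risk_score(device, reputation):
    """Combine MDM posture checks with the installed-app inventory."""
    if device.jailbroken:
        return 100  # sandbox not intact: no enterprise data at all
    score = 0
    score += 0 if device.encrypted else 25
    score += 0 if device.strong_pin else 15
    for app in device.installed_apps:
        verdict = reputation.get(app, "unknown")
        score += {"malicious": 50, "unknown": 5}.get(verdict, 0)
    return min(score, 100)

def allowed_capabilities(device, reputation):
    """Capabilities whose risk ceiling the device stays under."""
    score = risk_score(device, reputation)
    return sorted(c for c, limit in CAPABILITY_MAX_RISK.items() if score <= limit)

# Constructed sample data: reputation feed and a four-device inventory.
REPUTATION = {"com.example.notes": "trusted", "com.example.flashlight": "malicious"}
FLEET = [
    Device("dev-01", False, True, True, ["com.example.notes"]),
    Device("dev-02", False, True, False, ["com.example.notes", "com.example.game"]),
    Device("dev-03", False, True, True, ["com.example.flashlight"]),
    Device("dev-04", True, True, True, []),
]

def evaluate_fleet(fleet=FLEET, reputation=REPUTATION):
    return {d.device_id: allowed_capabilities(d, reputation) for d in fleet}

if __name__ == "__main__":
    for device_id, caps in evaluate_fleet().items():
        print(device_id, caps or "blocked")
```

Unknown apps add a small penalty rather than zero, so a device with many unvetted apps gradually loses access to the most sensitive capabilities first.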

Second, enterprises should also consider Mobile Application Management (MAM) software to improve their mobile app security. To begin with, the mobile app sandbox must be intact. Jailbroken devices pose a risk to the mobile app security model, and it is highly recommended to restrict these devices from accessing enterprise data.

But to take this one step further, applications can be packaged or “wrapped” so that MAM products can manage them. Wrapping an application typically involves taking the original application package and compiling it with management code from the MAM vendor.

Conclusion

Without a shadow of a doubt, mobile app security is a major concern. So, if you have questions about the mobile applications that you are using for your company, or if you are a business and would like to learn more about our MAM and MDM software, do Google it to find a reliable resource that can provide you with a state-of-the-art mobile application security solution.

 


ankitkumarkhanna
August 8, 2016 8:22 am

Really good information shared above, and yes, security of mobiles and apps is very important. Because hackers can’t give you a chance to secure and protect your important data. That is the reason companies are also very much worried about this. That’s why companies are now very smart regarding their device security. Big enterprises are adopting a BYOD environment, in which they are deploying Mobile Device Management to the important devices to protect their data and crucial information. In MDM you can restrict apps which employees can’t use without permission granted by a software. You can manage, monitor and control all the devices attached with this software. Moreover, your hacking problem can be solved with MDM, your precious data is secured and your workforce productivity would be increased. For more details you can check this link: ems.devicemax.com
