Security challenges of mobile devices and applications

in Advisory, 16.03.2016

The increasing adoption of mobile devices and mobile applications is a great opportunity for companies. However, mobile technologies come with challenges regarding their use and implementation. Mobile security expertise is now required for a successful business move to mobile technologies.

Going mobile

Not that long ago, mobile devices were only used for communication purposes and Bring Your Own Device (BYOD) was a term unheard of. Besides voice, the most used business “application” was SMS, when alerts were sent to on-call personnel to ensure the quickest response time in case of emergencies or incidents.

Nowadays, companies are widely encouraging BYOD and online services are also provided on mobile devices through either mobile applications or mobile-friendly websites.

This trend of “going mobile” will continue to increase: services like mobile banking, contactless mobile payment or medical patient files will make the technology more and more relevant in our lives. The development of connected objects, also known as the Internet of Things (IoT), will also have an impact on the development of mobile applications, through which users will have (or are already starting to have) the ability to control sensors and processes.

This quickly evolving mobile world comes with new challenges for companies managing or providing mobile applications. Integration and security of mobile applications are two major challenges for many companies.

Mobile devices integration in a company’s network

Companies supporting BYOD for employees need to ensure that a mobile device which is not controlled by the company does not add new threats once connected to the network. One of the main questions a company has to answer is “what kind of access or services will be allowed for BYOD devices?” Access to the internet may be provided only under the company’s restrictions (e.g. no access to social media), or devices may have access to the intranet, corporate email or even file servers and internal infrastructure. The more unrestricted the access to company assets, the higher the risk to the company.

Companies are also relying on third-party applications to allow employees to access email or calendar information. Deploying these applications introduces security threats. For example, passwords need to be defined according to company policy to avoid malicious access to corporate email through mobile applications. Applications also have to be configured to allow remote wiping of stored information in case mobile devices are stolen, lost or sold to third parties. Additional processes need to be implemented to ensure that access is deactivated and stored data wiped when an employee leaves the company. Further, it is important to ensure that stored data is encrypted and that the encryption algorithms are in line with company policies.

The following points should be considered when mobile devices are integrated into the network:

  • Publish a policy defining the allowed use of mobile devices
  • Publish guidelines and implement technical measures to secure access to company assets through BYOD devices
  • Review the network architecture by adding dedicated access points to take mobile devices into account
  • Put processes in place for remote wiping of stored information on mobile devices and mobile applications

The security of mobile applications

If mobile applications are provided to customers, the secure coding best practices used for online applications also need to be followed for mobile development. Additional, mobile-specific aspects need to be considered, such as inter-application communication, storage of data in the cache of the device itself, certificate management between the application and the device, information leakage through screenshot capabilities, etc.

Graphic: mobile security

The device and its operating system typically come with vulnerabilities, and those need to be taken into account in the application architecture. Although more demanding, ensuring that the application acts as a safe encrypted container on the phone prevents unauthorized access to its information by malicious third-party applications, mobile Trojans and other malware.

Increasing need for mobile security expertise

Mobile applications and mobile devices are great business enablers and business opportunities. They do, however, come with new risks and new challenges. Facing these challenges will require more and more expertise to ensure that a well-architected cyber defense strategy is deployed for secure connectivity of BYOD devices and that mobile applications are secure by design. Taking the specific challenges of mobile devices into account from the beginning of the application and device deployment lifecycle, as well as ensuring that mobile devices are regularly assessed and tested for security vulnerabilities, are key steps for a successful business investment in a fast-growing mobile environment.


3 Comments

  1. Marlene Dobretsberger

    Hi Sylvain! Really interesting article to read. I also like the idea of connecting security challenges of mobile devices with medical patient files. Would be interested to get some more information about this topic. Kind regards

    • Sylvain Luiset

      Hello Marlene! Thank you for your comment.
      Medical electronic patient record (EPR) systems being electronically managed, there are different projects to ensure the security and confidentiality of the EPR records. Important aspects in this case are that only authorized staff (e.g. doctors, medical assistants, administrators) can access these sensitive data and that the integrity of the data is ensured over time. As said in the article, there is a trend of providing conventional web-based services through mobile applications and I would not be surprised to see it applied to electronic medical files as well in the near future. The ordinance of EPDG defined the security setting of requirements which will be focused on the technical systems and database of the EPR system. This means that these key security aspects have to be ensured as well in the mobile world, covering the challenges introduced in the article.

      Best,
      Sylvain

  2. MobiLock BYOD Management

    A very nice and interesting post! Mobile devices have become an integral and essential factor for every business, from small to large scale. Enterprises are increasingly adopting mobility to meet everyday business goals easily, stay connected, work 360 degrees and increase productivity. However, enterprise mobility requires efficient management, and a cloud-based Mobile Device Management solution is one of the important ways to powerfully manage and secure BYOD devices and mitigate all risks associated with mobile device integration in businesses.
