Information Security Forum Releases Report on Securing Mobile Apps
June 2018 by Information Security Forum (ISF)
The Information Security Forum (ISF), the trusted source that senior security professionals and board members turn to for strategic and practical guidance on information security and risk management, today announced the release of Securing Mobile Apps: Embracing Mobile, Balancing Control, the organization's latest digest written for individuals managing mobile apps and related devices. The paper describes the security challenges associated with acquiring, using and operating mobile apps, and suggests immediate actions to manage those challenges while preserving the substantial business benefits.
Mobile devices have become the consumer computing platform of choice, originating half of website traffic in 2017, with consumers spending twice as much time on them as on desktop and laptop computers. As more money and valuable information flows through mobile apps, the motivation and capability of malicious actors is increasing, turning security challenges into significant business issues. Attackers exploit these challenges by targeting the apps themselves. Attacks such as tampering, debugging and reverse engineering may go undetected because organizations typically lack the capability to observe attacks against many of the apps in use, particularly those running on unmanaged devices. Failure to address the security challenges associated with apps may result in serious business impacts, such as prolonged outages, exposure of sensitive information or unreliable services. These impacts can, however, be managed or prevented by finding the right balance of control, enabling the effective use of mobile apps.
“Mobile devices are always on, continuously network connected, and have an affinity for being lost or stolen – yet typically lack the security protection afforded to IT systems. Consequently, app security is tightly interlinked with mobile devices and the environment in which they operate,” said Steve Durbin, Managing Director, ISF. “Locking down the mobile app environment may tempt individuals to side-step security controls to run their favorite, yet unapproved and insecure, apps on unmanaged personal devices. However, both locking down the mobile environment and leaving it wide open can bring the same result: unapproved apps used for business. Securing Mobile Apps: Embracing Mobile, Balancing Control helps organizations find the right balance.”
Mobile devices come with different levels of security assurance. At one end of the spectrum are company-owned, managed devices of trusted provenance. At the other end are unmanaged devices of unknown provenance, which may be owned by an employee or an external party. Taking advantage of the benefits of apps without attracting excessive risk requires balancing business needs between a locked-down and a wide-open environment. Even approved apps can impact security, particularly if they are not developed securely, are used on unmanaged mobile devices or rely upon insecure cloud services.
According to the ISF, there are three important lessons to be learned:
1. Knowledge is paramount. Managing apps and their risk requires knowing which apps are processing what data, by whom, from where and for what purpose.
2. Prohibition is seldom an option; pragmatism is key. Vendors' app stores provide some security assurance about the apps they contain, but cannot determine whether an app is suitable for a particular business use. Whether an app is used or not should be based upon risk, user satisfaction and the extent to which it meets business needs.
3. Service is essential. Securing the use of apps in an organization is not just about secure development; the level of IT and security operational support provided should be similar to that for other types of business applications.
“Mobile apps have affected the lives of many people. They have not only lowered the barrier to using powerful distributed computing services, they have smashed through it,” continued Durbin. “The challenge is to service the business need for apps in a secure manner whilst providing individuals with a similar level of freedom, functionality and ease of use they are accustomed to in their personal life. Fail to get the balance right and unauthorized, high-risk apps will be used nevertheless to handle your sensitive information and support critical business processes.”