The first wave of mobile apps mainly centered on the retail and consumer markets. In its second wave over the past five years we witnessed enterprise mobility steadily rise. ISMG’s 2016 business transformation study found 99% of the enterprise workforce uses mobile devices — mainly smartphones and tablets — to perform their jobs. The demand for mobile apps is trending up. Gartner estimates the demand will outpace the capacity to develop enterprise mobile apps five to one by the end of 2017.
And now we are in an era when mobile apps are rapidly penetrating into rather slow-to-change industry verticals like manufacturing, oil and gas, home automation and financial services.
Mobile apps in a connected ecosystem
This penetration, dubbed the third wave of mobile apps, is fueled by the rising ubiquity of internet-connected devices and sensors.
In this fast-emerging era of smart cities, smart homes and connected cars, mobile devices like smartphones, tablets and wearables function as the main interface for interacting with IoT devices.
Mobile app functions are no longer standalone, but integral to many sensitive, mission-critical functionalities, from personal health and fitness to industrial equipment sensing and predictive maintenance. Even in banking and finance, mobile apps are being adopted to offer improved geolocation services across platforms.
Today, whether targeted at retail, enterprise or industrial customer bases, mobile apps have to perform efficiently cross-platform, integrate with third-party APIs, and interact with connected devices and sensors in real time in order to deliver value to the end user.
Mobile app security is critical to performing all of the above reliably. While user experience and time to market are still important, it is about time mobile app development took security more seriously.
Securing a connected mobile ecosystem
Ponemon Institute’s 2017 survey on mobile and IoT app security found that while 79% of respondents consider a mobile app a threat to their existing security posture, only 32% of respondents believe their organizations are urgently trying to secure mobile apps.
It has become increasingly common for hackers to use sensitive information exchanged through mobile apps to launch other forms of attacks.
ISMG’s 2016 Mobile Security study further shows data breaches are most commonly caused by:
- Mobile apps containing malware
- Apps that contain security vulnerabilities
- Unsecured Wi-Fi connections
To prevent data breaches due to malware and inherent vulnerabilities, mobile app security practices must integrate with the entire development lifecycle, from design through testing and deployment.
Even though the effectiveness of penetration testing is proven for mobile apps, Ponemon Institute’s 2017 study found that testing of mobile apps is ad hoc, if done at all. The study also found that mobile app risks exist because end-user convenience is considered more important than security (by 68% of respondents).
As mobile apps assume a central role in today’s connected world, development must prioritize mitigating the security risks already listed in Open Web Application Security Project (OWASP) guidelines, including:
- Broken cryptography
- Unintended data leakage
- Weak server-side controls
- Client-side injection
- Poor authorization and authentication
The figure below shows these risks in order of predominance.
Mitigating mobile app security risks
In a highly competitive mobile app market, a rush to release is often cited as another reason to compromise on adequate security testing during the software development cycle. This needs to change.
There are multiple proven ways to mitigate risks during development, such as:
- Penetration testing
- Educating developers on safe coding
- Static and dynamic application security testing
- Security testing throughout the software development lifecycle
In the case of enterprise deployments, instead of focusing on making just one aspect of mobile security bulletproof, organizations need to take into account the entire threat profile and mitigate risks across it.
To secure an end-to-end enterprise environment, mobile app security also depends on the overall mobile communication architecture, including carrier connectivity and IT infrastructure.
At the user level, some common risk mitigation steps are:
- Avoid default passwords and opt for more complex passwords
- Avoid using the same password across mobile apps
- Use auto-lock features so the app locks fairly quickly when not in use
- Allow app downloads only from reputable app stores
- Regularly update installed apps (as often these updates contain security patches)
- Delete apps that are not in use
Establishing mobile app governance
At an enterprise level, standards and governance measures can provide comprehensive guidance and prevent a fragmented approach to mobile efforts.
Standards and practices can be designed in such a way that, instead of stifling innovation or slowing down a mobile initiative, they help to capture and evaluate any mobile requests securely — and deliver applications consistently.
Such governance can also help manage app support, maintain expectations, define measures, foster reusability and encourage knowledge sharing across the organization. It can also ensure business units can deploy mobile devices and apps in a consistent, secure and measurable way.
Governance steps like reference architectures, reusable components, access to corporate resources and security standards can all be used to help breed consistency, no matter who is developing and deploying the mobile apps.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.