The increasing adoption of mobile devices and mobile applications is a great opportunity for companies. However, mobile technologies come with challenges regarding their use and implementation. Mobile security expertise is now required for a successful business move to mobile technologies.
Not that long ago, mobile devices were only used for communication purposes and Bring Your Own Device (BYOD) was a term unheard of. Besides voice, the most used business “application” was SMS, when alerts were sent to on-call personnel to ensure the quickest response time in case of emergencies or incidents.
Nowadays, companies are widely encouraging BYOD and online services are also provided on mobile devices through either mobile applications or mobile-friendly websites.
This trend of “going mobile” will continue to increase services like mobile banking, contactless mobile payment or medical patient files will make the technology more and more relevant in our lives. The development of connected objects, aka Internet of Things (IoT), will also have an impact on the development of mobile applications, through which users will have (or already start having) the ability to control sensors and processes .
This quickly evolving mobile world comes with new challenges for companies managing or providing mobile applications. Integration and security of mobile applications are two major challenges for many companies.
Mobile devices integration in a company’s network
Companies supporting BYOD for employees need to ensure that a mobile device which is not controlled by the company does not add new threats once connected to the network. One of the main questions a company has to answer is “what kind of access or services will be allowed for BYOD devices?” Access to internet may be provided only under company’s restrictions (e.g. no access to social media) or devices may have access to intranet, corporate emails or even server files or internal infrastructure. The more unrestricted the access to company assets, the higher the risks to the company.
Companies are also relying on third party applications to allow employees to access emails or calendar information. Deploying these applications introduces security threats. For example, passwords need to be defined according to company policy to avoid malicious access to corporate emails through mobile applications. Applications also have to be configured to allow remote wiping of stored information in case mobile devices are stolen, lost or sold to third parties. Additional processes need to be implemented to ensure that access is deactivated and stored data wiped when the employee leaves the company. Further, it is important to ensure that the stored data is encrypted and that encryption algorithms are in line with company policies.
The following points should be considered when mobile devices are integrated to the network:
- Publish a policy defining the allowed use of mobile devices
- Publish guidelines and implement technical measures to secure access to company assets through BYOD devices
- Review the network architecture by adding dedicated access points to take mobile devices into account
- Put processes in place for remote wiping of stored information on mobile devices and mobile applications
The security of mobile applications
If mobile applications are provided to customers, secure coding best practices for online applications need to be followed for mobile development. Specific additional aspects need to be considered such as inter-application communication, storage of data in the cache of the device itself, certificate management between the application and the device, information leakage through screenshot capabilities, etc.
The device and its operating systems typically come with vulnerabilities and those need to be taken into account in the application architecture. Although more demanding, ensuring that the application acts as a safe encrypted container on the phone prevents unauthorized access to information from malicious third party application or mobile trojans and malwares.