
Rethinking Mobile Security - Why Apps Come First

Enterprise mobility management (EMM) has a place in today’s mobile environment, however, it is only the starting point when thinking about mobile security.

Mobile security technologies must provide security and trust regardless of the user, enable application-level visibility and control, and protect from vulnerabilities in the current mobile landscape—capabilities EMMs can’t deliver on their own. Why?

EMM, with mobile device management (MDM) at its core, emerged as IT tried to keep up with the flood of mobile devices entering the workplace. Devices required configuration to help organizations manage them and allow the provisioning of company-sanctioned mobile apps. But despite the prevalence of EMM solutions in the enterprise, it’s predominantly used as a management platform that relies heavily on managing devices and users. Today’s mobile world requires a different focus – one that emphasizes BYOD, apps, increased usability, and unique associated security challenges. We simply can't get visibility low enough in the operating system to see what is going on, and thus can never fully trust the device. We must layer on protections that we control regardless of the state of the device or the app. 

[Figure: Protecting Mobile Apps]

With the breakneck pace of mobile, four large forces around BYOD and mobile apps have emerged that are reshaping how we think about mobility and mobile security requirements. Like the iPhone, the catalyst of the BYOD movement, they are igniting the next level of change—highlighting the need for a true mobile security solution, which EMMs, born in a different mobile era, are not purpose-built to provide.

BYOD—Not Just for Employees Anymore

About a decade ago, mobility meant buying, setting up and issuing BlackBerrys to employees on an as-needed basis. Fast forward to today, and it’s the bring your own device (BYOD) movement, coupled with an app explosion in the enterprise—a market estimated to grow to $89.6 billion by 2019 in North America alone. Mobile-first companies are expanding beyond just enabling BYOD employees, increasingly engaging with partners and customers via mobile apps on devices. This means we no longer have control over the device, making traditional IT and MDM approaches to mobile security obsolete.

Because the rise of mobile apps is unstoppable, we need to move away from securing devices, and shift focus to securing apps, regardless of the device, without impeding the user experience. To do this, we must adopt a model where trust is proven rather than assumed. We must use a zero trust model for mobile and weave in the security we need to ensure users are safe despite the growth of apps and mobility.

Anybody can be an App Developer

With the growing focus on mobile, enterprise CIOs are under pressure to accommodate end-user demands—provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer-facing apps. As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools that facilitate app creation have emerged—there are now nearly 90 choices—that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, the security knowledge of a mobile app “developer” varies widely.

This variability in security knowledge and the use of outsourced development houses, coupled with time-to-market pressures that favor usability over security features, result in less secure apps. In fact, the Ponemon Institute found that only 41 percent of respondents reported that their organization had sufficient mobile security expertise, and most (55 percent) say they don’t test apps or are unsure if they do. And according to Gartner, 75 percent of mobile applications will fail basic security tests through 2015.

To address this problem, we will have to adopt security solutions that work at the app level and provide a consistent security framework across all mobile apps. Such solutions must do more than protect the device: they must also guarantee that improperly developed apps don’t become an attacker's front door. Only then will CISOs and CIOs have confidence in the integrity of mobile apps.

The App Explosion

We’ve quickly moved from just a handful of critical business apps like email, calendar and browser to hundreds of thousands of productivity apps—and their potential inherent vulnerabilities present a bigger attack surface back into sensitive enterprise data. Sensitive information is constantly being exposed as employees become their own IT departments, loading unsecured apps onto their devices and keeping the real IT department up at night. A recent survey by LogMeIn found that 70 percent of enterprises have some presence of “bring your own application” (BYOA), and the same study found that 64 percent of respondents will download their own solution even when one is already in place.

In essence, we require a more granular view of all mobile touch points, but can’t get that from EMMs. This is the case even for apps downloaded from Apple or Google, as proven by the Hacking Team offering of custom apps to infect devices with spyware on both the App Store and Google Play. They were also able to masquerade malware as a defunct news site app to lure targets. How do we gain that visibility? Companies need to go beyond EMM and find a way to deliver secure productivity across all their mobile "customers", regardless of device, that is measured in minutes; not hours, days, weeks or months.

Mobile App Vulnerabilities Emerging

Because mobile apps are inherently vulnerable, hackers are being given the opportunity to launch sophisticated campaigns. Attackers love targets that are always connected but hard to monitor, detect and alert on—making mobile the perfect avenue for attack. This is evident as we see the trend of both researchers and hackers looking for and uncovering significant vulnerabilities below the device level. One example of this is Stagefright, which has been called the “Heartbleed of Mobile.”

There is also the constant stream of updates and the use of generalized app frameworks to consider. Time-to-market pressures are paramount for mobile app developers, so they often use outsourced frameworks during development or while continuing to update their apps. This provides speed in the development process, but it also means that developers could easily be introducing security risks unknowingly—especially when third-party components are involved. If OpenSSL, a widely trusted encryption library for the Web, has its faults, imagine what newer mobile programming libraries could harbor.

Ultimately, the pace at which mobile is evolving in the enterprise is completely unique, changing how businesses have to think about security. Companies need to establish trust and security in a world where they have less and less control—over devices, over apps and over their users. The only way to do this effectively moving forward is to truly understand how people work and interact on mobile while knowing that threats are present. We know that attackers follow users, and the popularity of mobile apps in conjunction with the emergence of their security flaws means that mobile is primed to be the next attack vector that threatens corporate data and user privacy.

Applying a zero trust model to mobile and the right security controls at the app level could align productivity and security. But the bottom line is that it’s no longer about the device; it’s about the applications.

Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties. Adam is a CISSP, CISA, NSA IAM, MCSE and holds an MBA from Florida State University.