How to ensure mobile app security through teamwork, processes and training


Improving mobile app security is key to keeping your company’s data secure inside and outside the office. Making such improvements requires the work of multiple teams, including app developers, IT security and business users.

Here are some tips to improve and optimize your mobile app security:

Send your developers to app security training

Lifewire notes that one fundamental investment you should make to improve your organization’s app security is sending your developers to security training that covers secure app development practices. Your development team can then build security strategies and processes into your app development lifecycle, rather than bolting them on at the end.

If you rely on citizen developers with low-code tools to develop your mobile apps, you’ll need to deliver security training to them as well. Work with your IT security team to set up mentoring and training around app security. You should also check with your low-code tools vendor to review its security documentation and see whether it offers any security training.

Bake security into your development process

Today, mobile app security starts on the first day of development. Back in the day, QA testers and the security team didn’t worry about testing app security until the final stretch before release, when fixing a design flaw is most expensive. The new realities of agile development, DevOps and employees’ desire for a more consumer-friendly app store experience have changed the way teams develop, test and deploy mobile apps.

According to CSO, it also requires the right skills and tools to develop and secure a mobile minimum viable app. Shipping only the features users actually need means less code, fewer permissions and fewer integrations, which lowers the attack surface of your corporate-developed apps.

The following are other ways to bake in mobile app security from the very beginning of a project:

  • Make app security considerations nonfunctional requirements, so they are tracked and tested like performance or availability
  • Conduct a threat modeling analysis before the first sprint, and revisit it when the app’s data flows or integrations change
  • Write user stories full of enterprise and OS specifics (device management, data handling and platform permission requirements)

Use mobile application management and an enterprise app store

Mobile application management (MAM) needs to be in place to secure all the mobile apps across your corporate devices. MAM should also serve corporate-approved apps for bring-your-own-device (BYOD) initiatives.

There should be a curated enterprise app store at the end of your DevOps toolchain to serve up the latest versions of your corporate mobile apps. Today, MAM solutions and enterprise app stores will let you set priority-based rules for app updates across your user community so you can respond to routine updates and, more importantly, critical patches. You also want to set policies to let you erase selected apps from a corporate mobile device.

Protect app data in transit and at rest

There’s a risk whenever your mobile app exposes data in transit across the internet or your network, or at rest on the device. Typically, enterprises secure data in transit using encrypted connections such as HTTPS or FTPS, both of which run over TLS (the successor to SSL; SSL itself is obsolete and should be disabled). Encryption only helps if the app also validates the server’s certificate and hostname, so review the app’s TLS configuration rather than assuming HTTPS is enough. Data at rest should reside in encrypted storage on the mobile device. You should enforce device encryption through your enterprise mobility management solution.
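As an added illustration of the in-transit point (this is example code written for this article, not code from the original post or any vendor), the following Python compares a client TLS configuration that silently accepts any certificate, which is the classic mistake in mobile apps, with a hardened one that requires certificate validation, hostname checking and TLS 1.2 or later. The audit function is a hypothetical helper that reports which protections are missing; the contexts are built from the standard library only and nothing is sent over the network.

```python
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: accept any certificate for any hostname.

    This is what "just make the HTTPS error go away" code usually does.
    A man-in-the-middle on the coffee-shop Wi-Fi can present any
    certificate and the app will happily send corporate data to it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: hostname checking must be off before CERT_NONE is allowed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client: validate the chain, check the hostname, refuse old TLS.

    ca_bundle is optional; pass the path to your enterprise CA's PEM file to
    trust only that CA (a simple form of pinning). With None, the platform's
    default trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3 / TLS 1.0 / 1.1 rejected
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Hypothetical review helper: list the in-transit protections a context lacks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

The same three checks (chain validation, hostname verification, minimum protocol version) are what a reviewer should look for in an Android `OkHttp`/`TrustManager` setup or an iOS `URLSession` delegate; a custom trust manager that returns without throwing is the mobile equivalent of `weak_client_context()`.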

Lock down your mobile endpoints

Implementing cloud-based mobile endpoint security may not be considered a mobile app security measure, but it does detect malicious behavior on the device that your app alone cannot see. That behavior might come from man-in-the-middle attacks on the network, side-loaded applications or other risky configurations such as a rooted or jailbroken device.

Use SSO for app authentication

Chances are, your corporate mobile apps open up access to all sorts of confidential and proprietary information. As such, you should put a single sign-on (SSO) authentication solution in front of them. SSO gives you one place to enforce strong authentication policies such as multifactor authentication and to revoke a departing employee’s access to every app at once, rather than relying on each app’s own login.

Harden your mobile operating systems

Your security team should be conducting periodic reviews of your mobile operating systems as part of your mobile security strategy. The review should cover the vendor’s operating system release notes and security patch level, its application programming interfaces and its security documentation.

Medium to large businesses, government agencies and higher-education institutions should consider creating their own checklists for hardening mobile operating systems.

PC Authority reports hardening Android security includes the following tasks:

  • Restricting the side-loading of apps from outside the curated app store
  • Using full-device encryption
  • Setting granular app permissions so each app gets only the access it needs
  • Using a virtual private network on untrusted networks
  • Installing security software

Your security and app development teams should review any documentation your mobile device vendor has that covers best practices for hardening operating systems.

Developing true app security at your enterprise is possible, but it takes collaboration with many groups across the organization.


This post originally appeared on Mobile Business Insights on October 3, 2017. The site is no longer in publication.


My name is Will Kelly. I’m a technical writer and content strategist based in the Washington, DC area. I’ve written for corporations and technology publications about such topics as cloud computing, DevOps, and enterprise mobility. Follow me on Twitter: @willkelly

Government technology: Mobile transformation for the federal government


Mobility is becoming the backbone of enterprise technology. Unfortunately, the same can’t be said about mobility in government technology. Yet the federal government could benefit from more efficient operations through mobile transformation.

Imagine government agencies with mobile-enabled workers accessing real-time data from their devices to better serve taxpayers. A mobile government means better emergency response, because responders have access to real-time data in the field. It also means improved continuity of operations during winter storms and power outages, when federal workers would have difficulty getting into their offices.

Mobile transformation at the speed of government

It helps to look at each federal government agency as an independent institution with its own mission. Civilian agencies such as the Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS) are prime candidates for going mobile because they have large field workforces and regional offices. Since they both have enforcement arms, access to real-time data and applications can help agents make better enforcement decisions in the field.

The Department of Defense (DoD) is home to mobility initiatives inside the Pentagon, according to Federal News Radio. The Defense Information Systems Agency — the DoD’s IT department — has an enterprise app store that serves as a hub for DoD mobile apps. There’s also information about the Defense Mobility Unclassified Capability, which provides commercial-grade mobile devices with secure business tools for the department’s servicepeople and civilian employees.

Service branches such as the US Army are developing mobile training apps for soldiers’ devices. According to Interference Technology, the Navy is using a suite of eSailor apps to train sailors. These apps can reach prospective recruits who grew up as part of the smartphone generation, and they can reinforce what service people have learned in class while they’re deployed.

Government technology acquisition cycles run much longer than commercial procurements, and they can’t keep pace with the evolving mobility market. However, it’s safe to expect procurement changes: Agencies are experimenting with outcome-based procurements from 18F, an organization charged with improving the government experience. After the procurement changes, agile development and DevOps will likely grow, and custom mobile apps will become standard as agencies deliver apps as quickly as consumer developers.

The future of mobile government

The White House’s Cybersecurity Executive Order could help increase the pace of mobile transformation. The order mandates strengthening federal cybersecurity through cloud-based services and infrastructure. The strengthened cybersecurity measures should result in updated security tools, including two-factor authentication and derived credentials.

The Department of Homeland Security (DHS) is a bright spot in the government’s mobile transformation thanks to its mobile security work. According to GCN, the agency has made a significant investment in app security and released an important study about mobile device security. DHS efforts could bolster the case for more government agencies to go mobile.

Another factor in the government going mobile is employee telework. The General Services Administration has approved over 90 percent of its roles for telework, according to GovTechWorks. “Unscheduled telework” is a frequent message on radio and TV around the Washington, DC, area when it snows, so even employees who rarely telework occasionally need mobile access to agency systems.

While the federal government is currently behind the times, its mobile transformation will continue as the cloud becomes even more of an IT standard across government agencies.


This post originally appeared on Mobile Business Insights on November 14, 2017. The site is no longer in publication.
