How to ensure mobile app security through teamwork, processes and training


Improving mobile app security is key to keeping your company’s data secure inside and outside the office. Making such improvements requires the work of multiple teams including app developers, IT security and business users.

Here are some tips to improve and optimize your mobile app security:

Send your developers to app security training

Lifewire notes that one fundamental investment you should make to improve your organization’s app security is sending your developers to security training that covers secure app development practices. Your development team can then build security strategies and processes into your app development lifecycle.

If you rely on citizen developers with low-code tools to develop your mobile apps, you’ll need to deliver security training to them as well. Work with your IT security team to set up mentoring and training around app security. You should also check with your low-code tools vendor to review its security documentation and see whether it offers any security training.

Bake security into your development process

Today, mobile app security starts on the first day of development. Back in the day, QA testers and the security team didn’t worry about testing app security until the final stretch before release. New realities of agile development, DevOps and employees’ desire to have a more consumer-friendly app store experience have changed the way teams develop, test and deploy mobile apps.

According to CSO, it also takes the right skills and tools to develop and secure a mobile minimum viable app, which can reduce the attack surface of your corporate-developed apps.

The following are other ways to bake in mobile app security from the very beginning of a project:

  • Make app security considerations nonfunctional requirements
  • Conduct a threat modeling analysis
  • Write user stories full of enterprise and OS specifics

Use mobile application management and an enterprise app store

Mobile application management (MAM) needs to be in place to secure all the mobile apps across your corporate devices. MAM should also serve corporate-approved apps for bring-your-own-device (BYOD) initiatives.

There should be a curated enterprise app store at the end of your DevOps toolchain to serve up the latest versions of your corporate mobile apps. Today, MAM solutions and enterprise app stores will let you set priority-based rules for app updates across your user community so you can respond to routine updates and, more importantly, critical patches. You also want to set policies to let you erase selected apps from a corporate mobile device.

Protect app data in transit and at rest

Your mobile app puts data at risk whenever that data moves across the internet or your network, and whenever it sits at rest on the device. Enterprises typically protect data in transit with encrypted connections such as HTTPS, SSL or FTPS. Data at rest should reside in encrypted storage on the mobile device; set device encryption through your enterprise mobility management solution.
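The "encrypted connection" advice above only holds if the app actually verifies who it is talking to. The following added example (not code from the original post) uses Python's standard `ssl` module to show the weak client configuration that many apps ship with when a developer silences certificate errors, the hardened configuration beside it, and a small audit function a security reviewer could run over any context the app builds. The finding strings and the function names are my own.

```python
"""Weak vs. hardened TLS client configuration, plus an audit of either.

The weak context is the classic 'make the certificate error go away' shortcut:
it disables chain validation and hostname checking, which is exactly what a
man-in-the-middle on a coffee-shop network needs. The hardened context keeps
both checks and pins the floor at TLS 1.2.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Insecure: accepts any certificate for any host (do not ship this)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be off before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain against the system CA store, checks the hostname,
    and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; an empty list means the
    context meets the three baseline checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still allowed")
    return findings


if __name__ == "__main__":
    for label, builder in (("weak", weak_client_context), ("hardened", hardened_client_context)):
        print(label, audit_tls_context(builder()) or "OK")
```

The same three properties (chain validation, hostname matching, a TLS 1.2 floor) are what to look for in the platform networking stacks of iOS and Android; the audit above is a convenient way to express the policy during code review of any Python tooling that talks to the same backends.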

Lock down your mobile endpoints

Implementing cloud-based mobile endpoint security may not be considered a mobile app security measure in itself, but it does detect malicious behavior in applications. That behavior might stem from man-in-the-middle attacks, side-loaded applications or other risky activity.

Use SSO for app authentication

Chances are, your corporate mobile apps open up access to all sorts of confidential and proprietary information. As such, you need a single sign-on (SSO) authentication solution to secure employee access to your apps.

Harden your mobile operating systems

Your security team should be conducting periodic reviews of your mobile operating systems as part of your mobile security strategy. The review should include the vendor’s operating system, application programming interface and security documentation.

Medium to large businesses, government agencies and higher-education institutions should consider creating their own checklists for hardening mobile operating systems.

PC Authority reports hardening Android security includes the following tasks:

  • Restricting the side-loading of apps
  • Using encryption
  • Setting granular app permissions
  • Using a virtual private network
  • Installing security software

Your security and app development teams should review any documentation your mobile device vendor has that covers best practices for hardening operating systems.

Developing true app security at your enterprise is possible, but it takes collaboration with many groups across the organization.

This post originally appeared on Mobile Business Insights on October 3, 2017. The site is no longer in publication.

My name is Will Kelly. I’m a technical writer and content strategist based in the Washington, DC area. I’ve written for corporations and technology publications about such topics as cloud computing, DevOps, and enterprise mobility. Follow me on Twitter: @willkelly

E-FOTA: Keeping Firmware Updates in Sync with Your MDM Solution

As more businesses go mobile-first, enterprise mobile device management (MDM) and enterprise mobility management (EMM) have become mission-critical, ensuring that employee devices are secure and access to business apps is uninterrupted. A pressing challenge for IT leaders is operating system (OS) and firmware version management, as an unplanned firmware update can lead to compatibility issues for enterprise mobile apps and the Android OS.

Source: E-FOTA: Keeping Firmware Updates in Sync with Your MDM Solution

Welcome to the age of sovereign mobile productivity

We may finally be entering the age of sovereign mobile productivity, where mobile users can be more productive because of improved security and access to backend systems with minimal IT intervention. The more self-sufficient your mobile worker community, the more successful your mobile-first, Choose Your Own Device (CYOD) or Bring Your Own Device (BYOD) initiative.

Here are some signs we are entering an era of sovereign mobile productivity:

Self-service device provisioning

Self-service mobile device provisioning is a crucial indicator that we are entering the era of sovereign mobile productivity. The more that employees, contractors, and partners can do to provision their mobile devices to access enterprise assets the better. IT can focus on more strategic (read billable) work.

Identity management

The advent of identity management solutions from Ping Identity, Okta, and others could help promote more user independence for accessing cloud applications. I see identity management playing a role because it’s a lightweight setup for a user on their mobile devices.

Right now my iPhone is running multiple identity management apps so I can access some client systems. Each of the apps was easy to set up. The average end user could set one up using a one-page job aid to guide them.

Robust mobile app clients for cloud apps

Today’s mobile apps are offering features at parity with their desktop application cousins. There are examples across the board where mobile app clients for customer relationship management (CRM) and business intelligence (BI) pack features on par with the full application.

Intelligent document discovery

“Where’s such and such document,” is a question that haunts many document writers. The question becomes a wee bit more annoying when some or all of the users are using mobile devices.

Intelligent document discovery is using technology to narrow down the project documents that a user requires for projects. It’s an expanding area that I first caught wind of when I was writing about Huddle, a cloud collaboration provider, back when I was freelancing for TechRepublic. I expect to see Colligo and other third-party SharePoint client providers continue to innovate in this area through further iterations of their SharePoint/Office 365 client apps. Microsoft hasn’t spoken for itself here quite yet either. I’ve come across news that SharePoint 2016 is going to be more mobile friendly, so stay tuned.

Mobile project management apps

Another sign of sovereign mobile productivity is the mobilization of project management apps. Project team members can now update their project tasks, scheduling, and related information from their personal or corporate-owned mobile device.

iPad Pro

With its 12.9″ screen size and other hardware specifications, the iPad Pro has the potential to extend mobile productivity or be passed over by it. Personally, I think the fate of the iPad Pro is in the hands of enterprise app vendors right now, not so much in the hands of Apple. The initial reviews of the new device have been mixed, but I’m waiting to see some enterprise success stories around the iPad Pro before I pass final judgment.

Final thoughts

The changing nature of the workforce, with more remote teams, teleworking, and contractors, elevates the importance of mobile devices in the enterprise.

Is sovereign mobile productivity even achievable?

Will Kelly is a technical writer and analyst based in the Washington, DC area. He has worked with commercial, federal, higher education, and publishing clients to develop technical and thought leadership content. His technology articles have been published by CNET TechRepublic, Government Computer News, Federal Computer Week, and others. Follow Will on Twitter: @willkelly.

Self-protecting apps and the future of mobile application management

One of the more interesting areas of mobile security right now is the future of mobile application management (MAM). Earlier this year, I had a chance to speak with Andrew Blaich, lead security analyst at Bluebox Research, who introduced me to the concept of self-protecting mobile apps.

Blaich explained to me that self-protecting apps are aware of where they’re running. The apps are aware of the attacks, passive or active, that can be mounted against them. Because self-protecting apps are device and environment independent, such apps could be an interesting option for an app you are deploying to partners and customers.

There are tools that malicious actors can use to hook into a mobile app to alter its behavior or modify it in other ways. A self-protecting app can detect and protect against such malicious hooking.

He also gave me the example of a company that’s deployed a mobile app out to its employees. The company still allows its employees to use rooted devices. A self-protecting app can detect if the employees are trying to tamper with the app, trying to access data residing in the app, or trying to reverse engineer the app.

An app policy can either notify the admin or clear the data from the app.
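To make the ideas in the last three paragraphs concrete (tamper detection, root and hook detection, and a policy that either notifies the admin or clears the app's data), here is an added example that is not Bluebox's code or anything from the original post. It simulates the checks a self-protecting app performs in Python: a build-time hash manifest of the packaged files, a runtime snapshot of the environment (constructed), a few illustrative root and hooking indicators, and a policy table that maps findings to the most severe action. The indicator lists, the `Environment` fields and the policy names are assumptions for illustration.

```python
"""Simulated self-protecting app: integrity, root and hook detection, and the
admin policy that turns findings into 'allow', 'notify' or 'wipe'."""
import hashlib
from dataclasses import dataclass, field

# --- build time ---------------------------------------------------------------
# Constructed sample assets standing in for the files packaged into the app.
SHIPPED_ASSETS = {
    "lib/core.so": b"\x7fELF constructed native library bytes",
    "assets/config.json": b'{"api": "https://api.example.invalid"}',
}


def build_manifest(assets: dict) -> dict:
    """SHA-256 of every packaged file, generated in the build pipeline.
    Caveat: whoever repackages the app can regenerate this too, so a real
    product signs the manifest and/or confirms it through a server-side
    attestation check (assumption about production design)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in assets.items()}


# --- run time -----------------------------------------------------------------
# Illustrative indicators only; commercial products use far more and rotate them.
ROOT_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su")
HOOK_LIBRARY_MARKERS = ("frida", "substrate", "xposed")


@dataclass
class Environment:
    """What the app can observe about where it is running (constructed snapshot)."""
    existing_paths: set = field(default_factory=set)
    loaded_libraries: list = field(default_factory=list)
    build_tags: str = "release-keys"
    debugger_attached: bool = False
    current_assets: dict = field(default_factory=dict)


def detect(env: Environment, manifest: dict) -> list:
    """Return the list of triggered findings, in a fixed order."""
    findings = []
    if any(p in env.existing_paths for p in ROOT_PATHS) or env.build_tags == "test-keys":
        findings.append("root")
    if any(m in lib.lower() for lib in env.loaded_libraries for m in HOOK_LIBRARY_MARKERS):
        findings.append("hook")
    if env.debugger_attached:
        findings.append("debugger")
    for name, expected in manifest.items():
        data = env.current_assets.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            findings.append("tamper")  # a file is missing or its bytes changed
            break
    return findings


SEVERITY = {"allow": 0, "notify": 1, "wipe": 2}
DEFAULT_POLICY = {"root": "notify", "debugger": "notify", "hook": "wipe", "tamper": "wipe"}


def decide(findings: list, policy: dict) -> str:
    """Apply the admin policy: the most severe action among triggered findings wins;
    an unlisted finding defaults to 'notify'."""
    action = "allow"
    for finding in findings:
        candidate = policy.get(finding, "notify")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action


def evaluate(env: Environment, manifest: dict, policy: dict) -> tuple:
    findings = detect(env, manifest)
    return findings, decide(findings, policy)


if __name__ == "__main__":
    manifest = build_manifest(SHIPPED_ASSETS)
    clean = Environment(current_assets=dict(SHIPPED_ASSETS))
    rooted = Environment(existing_paths={"/system/xbin/su"}, current_assets=dict(SHIPPED_ASSETS))
    print("clean:", evaluate(clean, manifest, DEFAULT_POLICY))
    print("rooted:", evaluate(rooted, manifest, DEFAULT_POLICY))
```

Two design points worth noting: the policy is data, not code, so the admin can decide per deployment whether a rooted device merely raises an alert while tampering wipes the app, which matches the notify-or-clear choice described above; and the integrity check is only as trustworthy as the manifest, which is why the comment flags signing or server-side attestation as the piece a production implementation needs.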

Blaich points to Bring Your Own Device (BYOD) deployments and the fact that there are lots of Android device manufacturers doing their own thing. It’s a mass proliferation of Android devices with only a few vendors following Google’s Android standards. This lack of standards makes it especially challenging to secure Android devices in enterprise mobility and BYOD environments.

Jailbroken devices remain a security threat across enterprises of all sizes. People can jailbreak their devices intentionally, or it can be something they aren’t aware of when they buy a device on Craigslist or eBay.

Blaich also pointed out to me that the mass proliferation of Android devices from vendors isn’t about to stop anytime soon.

“They all just do their own thing for the most part,” he said. You can do anything you want with Android, and with iOS for that matter. It’s a fact of life that mobile security professionals have to face and adjust their security strategies accordingly.

He also mentioned that his company examined some Android mobile devices where the true vendor origins of the devices were in doubt. Blaich and his team couldn’t be sure whether a given device was actually from that vendor or not.

Blaich gave the example of a Chinese-manufactured Android device where everything looks like the real device, but the software on the device has been modified in a way that introduces malware into the system.

“You’re continually going to have this problem where the devices might get modified in line in the distribution channel,” Blaich explained.

Self-protecting apps, MAM, and the future

Change has been the only constant in the mobile threat landscape, and that’s not about to change. The self-protecting app concept that Blaich introduced to me thrives on a changing threat landscape.

While I subscribe to a platform-centric future for mobile security, self-protecting apps complement such a platform-based mobile security strategy. I especially like the concept of self-protecting apps for applications that an organization distributes to partners and customers, since it will never have control over those users’ devices.

Where do you see the future of mobile application management going?


Will Kelly is a technical writer and analyst based in the Washington, DC area. His writing experience includes technology articles for CNET TechRepublic and other sites. Will’s technology interests include collaboration platforms, enterprise mobility, Bring Your Own Device (BYOD), project management applications, and big data. Follow him on Twitter: @willkelly.