Are your APPs Secure?
By Andrew Hoog
Use of mobile devices in the energy industry is on the rise. General Electric recently distributed 2,000 iPads internally and has developed a series of applications for its employees and customers. Noveda Technologies, a supplier of web-based, real-time energy and water monitoring, launched an energy- and water-saving iPad app for managing renewable energy production, energy consumption and water usage in real time.
Ease of use, portability and depth of features are part of what makes mobile devices attractive. But when implementing smartphones and tablets across an enterprise, organizations must recognize that for all the freedom and productivity gains a BYOD workplace may bring, it also presents unique security challenges. Ignoring these risks could result in loss of data, loss of client trust, and ultimately loss of revenues.
As CEO and co-founder of viaForensics, I can attest to the seriousness of these threats for the oil and fuel industry. Having worked with many IT professionals, I have seen them struggle to put effective security measures in place. One problem is that many of them are focused on yesterday’s threat–malware.
Malware gets the most attention partly because it’s the enemy the security community understands best, having battled it since the rise of the PC. But while traditional computer anti-virus programs run checks against an extensive list of known security threats, mobile malware increasingly uses code not found in established anti-virus databases. In 2013, researchers at Northwestern University concluded that the leading mobile anti-virus programs were “susceptible to common evasion techniques” that rendered them ineffective.
While the evolution of more robust mobile anti-malware programs would be a welcome development, it would still do nothing to mitigate the greater security threat to your workplace–unsecured or ‘leaky’ apps. These are outwardly benign applications with security flaws that can put your company data and that of your employees and clients at risk.
Leaky Apps
Last year we examined 100 popular apps, testing them for man-in-the-middle and SSL attack vulnerabilities, whether they stored passwords and other sensitive data in their memory, and other common security concerns. Our study found that fully 60% of apps received a “High” risk rating in one or more areas. These apps were offered in Apple’s App Store and Google Play and crossed a wide variety of categories (games, financial apps, productivity, business, utilities, etc.). None of them were apps anyone would normally perceive as ‘risky’; usually, when presented with our findings, even their creators were unaware of their apps’ vulnerabilities.
How can so many apps contain serious security issues? For one, apps are a booming business with few regulatory or protective oversights. In such an environment, speed-to-market often trumps secure design. Your average consumer is largely unaware of what their phone is really doing or what private data a given app might have access to and potentially expose. And without a watchdog organization to help make app buyers more aware of security, app developers lack incentive to ensure their products are safe before release. The big players in the mobile ecosystem are a long way from solving the problem, or even beginning to seriously address it.
Leaky apps can be a gateway to stealing confidential customer data, your company’s financial information, and other sensitive materials. In traditional workplace networks, you can easily prevent employees from installing software without permission. But in a BYOD environment, you often have little control over what apps employees install on their personal devices. It’s paramount to remember that whatever your employees can access from their devices is also potentially accessible by attackers.
Secure Your Apps
All apps should undergo strict security testing; apps that your company policy whitelists or blacklists should have been tested even more rigorously by your IT team before being allowed on your network. I recommend a few approaches. Extract the app’s stored data to see how sensitive information is kept on the device. Examine the app’s authentication methods and permissions, and capture and analyze its network traffic to detect encryption problems. Execute multiple attacks, such as man-in-the-middle, SSL proxy and others, to test the app for vulnerabilities. We’ve developed viaLab to automate this type of security testing, but however you choose to go about it, rigorous app testing is a must if you’re serious about mobile security in your workplace.
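As an added illustration of the first and third checks above (data extracted from the device, and captured network traffic), here are two small Python checks run over constructed sample data. This is example code written for this article, not viaLab or any viaForensics tool; the app name, file path, hosts and stored values are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Key names that usually hold credentials or session material.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|\bpin\b|session", re.I)
# Hex digests and crypt-style hashes are not plaintext secrets; skip them.
HASH_LIKE = re.compile(r"^[0-9a-f]{32,128}$|^\$[0-9a-z]+\$")


def parse_shared_prefs(xml_text):
    """Map key -> value for an Android SharedPreferences XML document."""
    return {el.get("name"): el.get("value", el.text or "") for el in ET.fromstring(xml_text)}


def storage_findings(files):
    """files: {path: xml_text} pulled from a test device. Flag sensitive keys stored in the clear."""
    findings = []
    for path, xml_text in files.items():
        for key, value in parse_shared_prefs(xml_text).items():
            if SENSITIVE_KEY.search(key) and value and not HASH_LIKE.match(value):
                findings.append((path, key, "plaintext at rest"))
    return findings


def transport_findings(requests):
    """requests: proxy log entries {scheme, host, body}. Flag non-TLS traffic,
    and separately any credential field that rode inside it."""
    findings = []
    for r in requests:
        if r["scheme"] != "https":
            findings.append((r["host"], "cleartext HTTP"))
            if SENSITIVE_KEY.search(r.get("body", "")):
                findings.append((r["host"], "credential sent in the clear"))
    return findings


# Constructed samples (hypothetical app, hosts and values), not data from a real test.
SAMPLE_PREFS = {"shared_prefs/com.example.app_preferences.xml": """<map>
  <string name="username">jdoe</string>
  <string name="password">hunter2</string>
  <string name="password_hash">5f4dcc3b5aa765d61d8327deb882cf99</string>
  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.sig</string>
  <boolean name="remember_me" value="true" />
</map>"""}
SAMPLE_REQUESTS = [
    {"scheme": "https", "host": "api.example.com", "body": "password=hunter2"},
    {"scheme": "http", "host": "telemetry.example.net", "body": "id=42"},
    {"scheme": "http", "host": "legacy.example.com", "body": "user=jdoe&password=hunter2"},
]

if __name__ == "__main__":
    for finding in storage_findings(SAMPLE_PREFS) + transport_findings(SAMPLE_REQUESTS):
        print(*finding)
```

The hash-like filter is a heuristic: a stored digest passes, a raw password or bearer token does not, which is the distinction the storage review is looking for.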
Turn BYOD into BYOS
The kinds of heavy-handed, one-sided security measures that worked in traditional computing will not work for mobile. Because of the immense amount of private information we store on our phones (let’s face it, our phones usually know us better than our spouses), employees are highly resistant to the kind of ‘Big Brother’-scale management and monitoring that would be needed to truly control how your employees use their devices at work.
The good news is that there are steps you can take to protect your business by proactively assuming a defensive posture. This means building security from the ground up by turning your employees from potential security risks to your first line of defense–educating them on how to transform a bring-your-own-device environment into a bring-your-own-security workplace.
Your employees need to know what their apps are really doing. How are they storing information? What organizations are they communicating with? Is the data they send encrypted? They must also learn to follow basic mobile security procedures, such as setting passcodes and being wary of unsecured Wi-Fi hotspots.
Similarly, you need visibility. Do you know if your employee just uploaded a bunch of data to Dropbox? Do you know which apps are sending your data in cleartext to servers in other countries? Do you know which of your employees are running out-of-date operating systems, or vulnerable or outdated apps that are susceptible to the latest exploits? You should, and your employees should know these things as well.
Smarter Risk Mitigation
Mobile devices using the right apps can be a productivity booster for your enterprise, and maintaining a workplace where your employees feel comfortable using their personal devices is part of doing business in the 21st century. But you need to be aware of the security risks involved, and make sure you and your employees are taking the right steps to address them. What worked in traditional networked computer environments of the past won’t work for mobile – BYOD requires smarter risk mitigation.
Andrew Hoog is the CEO of NowSecure, which provides mobile security solutions, debunks common security assumptions and creates smarter technology to ensure private information remains private and not exposed to unnecessary risks.