There are 1.5 million applications in mainstream mobile app stores. Gartner estimates that 46 billion mobile application downloads will occur in 2013 and projects 308 billion downloads in 2016.
In last month's posting, I shared the top 5 risks to our businesses posed by mobile apps that are downloaded from app stores onto devices being used for work. They are: Inherent, blind trust in application stores, functional risks, malware, root applications and inappropriate applications.
People are unaware that the applications that they download could be malicious and provide for more access to company assets than needed.
How do we lessen the risks posed by mobile devices and their apps, along with the direct access that is provided to proprietary corporate data and networks? Here are five clear, actionable ways to mitigate your risks starting now:
Educate & Inform
For the most part, people understand that there are applications for everything, but they don't quite equate these small, smart devices as being computers with huge processing power. Moreover, people are unaware that the applications that they download could be malicious and provide for more access to company assets than needed. These malicious activities take place unbeknown to the unwitting user. User education is paramount and must cover:
- Be mindful of the source of the download (mainstream App Store - or not, it doesn't matter);
- Be cognizant of the permissions that applications are requesting;
- Understand some built-in functionality that may put your business data and network at risk;
- When in doubt, rule it out and do not install the application.
Implement a Strong BYOD/MDM Solution
Bring-your-own-device and mobile device management are widely-used terms when talking about trying to protect the enterprise from the mobile device explosion and inherent risks. When organizations want employees to be able to bring their mobile devices or use company-owned devices, they need to make sure that they can reduce the data footprint of these devices and mitigate risks. One way is to select an MDM vendor to set up internal app stores where users can download only company-approved applications. Another method is to require users to use a VPN to connect to internal resources.
Most mobile operating systems run in a state where their apps have their own "sandbox" and have to request access to shared resources or only have access to their sandbox of data. Sandboxing helps to prevent applications from accessing other applications' data. The action of jailbreaking and rooting devices destroys any sense of a sandbox and allows applications to run as root. This enables the device to silently monitor everything, including application data and traffic. Deploying MDM root or jailbreak detection services, coupled with education, will help to mitigate the risk of jailbroken devices using your organization's apps, data and networks.
Define & Enforce a Data Sensitivity Policy
The biggest risk to mobile security is the disclosure of sensitive data. Organizations should have policies about data's sensitivity, and when and where users are allowed to see and/or manipulate that data. Some organizations do not allow any data with a sensitivity level of "internal" to leave their internal network. This would include transmission through e-mail, USB drives, laptops, etc. Typically, there are multiple levels of data classifications with specific policies for each. These same policies should be applied to mobile devices. Highly sensitive data should never be stored on mobile devices.
Restrict Internal Access
Mobile devices communicate via cellular networks, Wi-Fi networks, Bluetooth, near field communications (NFC), and radio frequency identification (RFID), just to name a few. Many other devices can connect back and forth, providing access to internal resources. For instance, most laptops have the ability to connect to devices and transmit files, or use shared networks, through Bluetooth or USB. Mobile devices can connect directly to our internal Wi-Fi networks, which provide access to internal resources. All methods of mobile device communication should be carefully examined. Internal access should be restricted with a "deny all first" strategy to mitigate the threat of malicious software connecting to and tampering with internal resources.
As our mobile domain continues to evolve, and the dissemination of mobile devices into corporate environments increases, the amount of threats and attacks through mobile applications will continue to surge. The threats will not only be targeted at the mobile device operating systems but also mobile applications, their data, and connectivity. Think carefully about allowing mobile devices to utilize business resources, just as we always have with laptops and desktops.
Dave Lindner is the global practice manager, mobile application security services, for Aspect Security, a consulting firm based in Maryland that focuses on application security services and training for a worldwide clientele. He also serves as an OWASP Top Ten Mobile Project contributor and Mobile Testing Guide sontributor.