As mobile devices enter the workplace, there is no denying their
potential for improving and streamlining work processes. Companies are
using enterprise apps that are unique to their businesses, and employees
are taking full advantage of the benefits that accompany mobile business.
However, the convenience of mobility brings with it a mounting set of mobile
security threats. The more that employees and contractors use mobile devices to
access organizational systems, applications and data, the more important it is
to protect such access.
Mobile Devices in the Workplace
Traditionally, organizations distributed BlackBerry devices to
their employees and set up the restrictions on BlackBerry Enterprise Servers
(BES).
Those days are gone; organizations now distribute high-end
smartphones to their executives, and a good number of lower-level executives,
employees and contractors bring their personal smartphones, which are connected
to the corporate network.
These phones and tablets run different operating systems, such as Android,
iOS and Windows 7 or 8, and have enough computing power and
capabilities to be used for hacking or to cause a nuisance.
Types of Applications
Mobile applications can be classified in several ways:
- Native vs. WAP vs. hybrid apps.
- Apps developed for in-house employees vs. apps developed for consumers.
- Free vs. commercial apps.
Threats to Enterprises
Data is the critical asset of enterprises. The following threats pose risks of data
compromise via mobile devices:
- Lost devices.
- Temporarily unattended devices.
- Malware or rogue applications on devices.
- Devices under the control of remote attackers via the internet, Bluetooth, NFC, etc.
- Jailbroken or rooted devices.
- Leaked domain credentials used for WPA2-PEAP WiFi.
- Lack of accountability or traceability for mobile devices in the enterprise.
- Missing or misconfigured encryption for data at rest and in transit.
Mobile Application Development Security
Most vulnerabilities in mobile applications result from bad programming and can
be avoided if all developers, irrespective of their development platform, follow a
few quick tips:
- Do not hardcode secrets such as passwords or encryption keys in client-side source code.
- Do not store passwords or other sensitive data on the phone.
- Use SSL for sensitive data transfer.
- Use appropriately strong encryption for data at rest.
- Authenticate users, sanitize inputs and manage sessions appropriately.
- Do not print or store sensitive data in the console, logs or cache.
- Check the security of third-party libraries in use.
- Secure the backend components (web servers, web services and hosting).
Mobile Device Security
Here are a few tips for end users to keep their mobiles and tablets secure:
- Set a password lock (numeric or graphical).
- Set device auto-lock.
- Install a good anti-virus.
- Keep the device firmware updated.
- Pair only with trusted Bluetooth devices or NFC peers.
- Always download applications from trusted app stores.
- Visit only HTTPS-secured and reputable websites.
- Do not jailbreak or root your device.
- Connect only to secure, trusted WiFi networks.
Additionally, a few tips for enterprises to safeguard their employees' mobiles and data:
- Use disk encryption on mobile devices.
- Employ disk encryption for SD cards too, if users store corporate data there.
- Secure WiFi with strong WPA2-PEAP (domain-based) or certificate-based authentication.
- Employ remote data wipe.
- Use mobile device data backup solutions.
- Maintain an inventory of user devices allowed to connect to the corporate network.
- Maintain an inventory of mobile applications allowed for work.
- Have a fair usage policy and systems to control usage.
- Enterprises that run private app stores must take care to distribute secure applications only.
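As an added example, not from the original post, the WiFi tip above and the "leaked domain credentials" threat listed earlier expressed as two wpa_supplicant network profiles for a WPA2-Enterprise PEAP/MSCHAPv2 SSID: the weak profile never validates the RADIUS server, so any access point advertising the same SSID can complete the PEAP tunnel and collect the MSCHAPv2 exchange; the hardened profile pins the enterprise CA and the expected server name. The SSID, identities, password and CA path are placeholders.

```ini
# Constructed example: two wpa_supplicant network blocks for an
# enterprise SSID using WPA2-Enterprise with PEAP and MSCHAPv2.
# SSID, identity, password and CA path are placeholders, not real values.

# --- WEAK: no ca_cert, so the supplicant never checks which RADIUS
# server it is talking to. A rogue AP broadcasting "CORP-WIFI" can
# complete the PEAP handshake and receive the MSCHAPv2 exchange, which
# exposes the user's domain credentials (the threat listed above).
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"
    password="<domain password placeholder>"
    phase2="auth=MSCHAPV2"
}

# --- HARDENED: validate the server certificate against the enterprise
# CA only, require the expected server name in that certificate, and
# use an anonymous outer identity so the username is not sent in clear
# before the TLS tunnel is established.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe@corp.example"
    password="<domain password placeholder>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
```

Android and iOS enterprise WiFi profiles have equivalent CA-certificate and trusted-server-name fields, so a WiFi profile pushed by MDM should set both rather than leaving server validation to the user.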
BYOD as an Opportunity for Enterprises
The BYOD concept allows employees to use their own devices at work, and BYOD solutions allow
enterprises to control the security of employee devices by building restrictions,
controls and policies around them. Different BYOD solutions offer a variety of security
features. Some useful ones are:
- An app store owned by the employer, for providing work-related apps to employees.
- Unified enforcement of security policies across the organization.
- Access control and auditing.
- Selective wipe of corporate data.
- A certificate authority and certificate-based security.
- Secure file sharing.
- A device registration mechanism.
Conclusion
A lot has been said and written over time about mobile security. OWASP runs a mobile
security project, NIST has released mobile device security guidelines for enterprises,
and hacking and security companies have released free and paid tools for mobile app
security assessments, apart from the commercial MDM solutions. Adopting
all of these approaches in tandem is necessary to implement security by a “defence
in depth” approach.
Three final tips for enterprise mobile security. First, harden the mobile devices;
encourage users to do the same, and enforce it if required.
Second, ensure that mobile applications are secure via SAST and DAST
approaches. Finally, implement a suitable BYOD solution and set up security
policies for end users.