The mobile app market is growing at a rapid pace. As of March 2017, Android users were able to choose from 2.8 million apps, while the Apple App Store offered 2.2 million apps.
With so many options, it is no surprise businesses are having a difficult time determining which apps are acceptable for business use. Even some of the most helpful apps may increase a company's vulnerability to security risks. As a result, there is a need for security teams to make mobile application assessments a part of their program.
Application assessments help security teams understand what an app does and how it interacts with data on mobile devices. Based on the findings of an assessment, security teams can determine whether an app is suitable for use in their business environment.
Assessing how an app works enables security teams to proactively identify potential risks. In doing so, they are able to prevent the loss of data and unauthorized modification or access to data by banning unacceptable apps. Despite the value associated with application assessments, many security teams don't perform them simply because they lack the skill set to do so. As a result, businesses put their data at risk when allowing mobile app use without oversight.
Determining what is (un)acceptable
There are two recommended methods for conducting application assessments. The first method is the identification of a set of predetermined red-flag behaviors. If an application exhibits any of these behaviors, then it can't be used, and there is no need to go any further with the assessment. Red-flag behaviors include:
- accessing contacts and copying them off device;
- tracking user locations and sending them off device;
- accessing a user's photos or photo stream; and
- sending (or logging) user login credentials in plain text.
The second method is a much more thorough, detailed inspection of each application. Each app is individually assessed to identify everything it does. Based on the findings, an app-by-app decision is made on whether or not it is appropriate for business use.
Application report cards are recommended as a grading mechanism for the findings, as well as to assess whether to allow a particular app to be used in a business environment. Report cards should cover:
- executable deficiencies;
- local data storage and protection, including confidentiality and integrity;
- protection of network communication; and
- interprocess communication.
The red-flag method is a more streamlined way to assess apps, and this method is suitable most of the time. However, if there is an app that has functionality the organization needs, and one of the red-flag behaviors is identified, a full application assessment is recommended to understand the potential risk and whether it can be addressed.
Corporate versus BYOD
When dealing with company-owned or issued devices, it is possible to limit and control what apps a user downloads. iOS phones are much easier to lock down than Android devices. This ability to lock down phones is another way for security teams to manage corporate-owned and managed phones. In BYOD scenarios, things get slightly more difficult.
A common strategy for dealing with BYOD scenarios is the use of Gmail accounts. Employees are asked to set up a Gmail account for all business-related communication. This strategy is highly discouraged for obvious security and control reasons.
A more secure, controlled option in a BYOD scenario is the use of container applications. This strategy enables employees to control their phones as they wish, while isolating business data to a secure container. All business communication is done exclusively through the container application. Because not all container apps are created equal, an application assessment of the container app is highly recommended before mandating a specific app for employees to use.
For businesses that are really serious about mobile security, the SANS "Top 8 Steps for Effective Mobile Security" used in tandem with mobile application security assessments can be a good strategy. The steps are ordered from easiest and most beneficial to most complex to implement, and many can be used regardless of whether a device is enterprise-owned or BYOD.
The "Top 8 Steps for Effective Mobile Security" include:
- enforcing device passcode authentication;
- monitoring mobile device access and use;
- patching mobile devices;
- prohibiting unapproved third-party application stores;
- controlling physical access;
- evaluating application security compliance;
- preparing an incident response plan for lost or stolen mobile devices; and
- implementing management and operational support.
The SANS "Top 8 Steps for Effective Mobile Security" is a community-driven project designed to significantly improve mobile security. It is based on the consensus opinions of respected experts in the field, without motivation to sell you a product.
With new mobile apps introduced daily, businesses can no longer afford to turn a blind eye to application use. Security teams must build their skill sets, starting with learning how to do mobile application assessments themselves.
About the author:
Christopher Crowley is a principal instructor with SANS. He also works as an independent consultant in the Washington D.C. area, focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response and forensic analysis.
Find out what the end of hot patching mobile apps means for enterprise security
Learn what makes a successful mobile app for healthcare
Discover how to develop mobile apps for business