One of the most important facets of protecting the data stored on and accessed by mobile devices is paying close attention to the security of each mobile device’s apps. That means safeguarding such things as the data’s confidentiality, integrity and availability.
Mobile devices are no different than any other network node when it comes to security: The traditional triad of confidentiality, integrity and availability must be maintained. For mobile devices, one of the key ways to accomplish this is keeping one’s eye on better mobile app security. Mobile devices have become extremely popular largely because there are millions of apps available for them, and many of these apps are low cost or free. Users have become accustomed to downloading and installing apps from unknown third parties onto their personal mobile devices without a thought as to the security implications. Many of these users expect to have the same autonomy to choose their apps on their employer-issued mobile devices.
This puts organizations in a difficult situation: How can they balance the need to secure the organization’s data with the need to provide users with tools they are comfortable with for doing their jobs? Organizations have to put restrictions in place, or users will frequently download and install malicious apps that can gain unauthorized access to whatever sensitive data the users can access. However, if the restrictions are too stringent, then users won’t be able to access the latest legitimate apps. In the mobile-device world, progress occurs quickly, so this could potentially put an organization at a competitive disadvantage.
Policy first, controls second...
A great starting point for any organization to improve its mobile device data security is to create a mobile-app security policy. This policy should define the organization’s philosophy—such as favoring functionality over security, or favoring security over functionality—and explain and justify the rationale behind the chosen philosophy. The policy should clearly explain what types of activities are permitted or prohibited in terms that users can understand. Not only is a mobile-app policy the foundation for all other security controls the organization puts into place, but it also helps the users to understand what is expected of them and why better mobile app security matters.
After creating a policy, the organization should implement the appropriate security controls to enforce the policy. One of the most beneficial controls that can be adopted is mobile-app reputation services. These services, which numerous vendors provide, are essentially threat-intelligence feeds specific to mobile apps. The vendors acquire mobile apps and evaluate them using a variety of techniques to determine if the app has malicious intent; this can range from minor violations of the user’s privacy (e.g., accessing contact information without permission) to major security violations (such as transferring the organization’s data to external servers).
...then apply mobile tools
Most organizations take advantage of mobile-app reputation services by feeding them into mobile device management (MDM) or mobile app management (MAM) technologies. These technologies are highly recommended for any organization wanting to better secure its mobile devices because they give the organization a great deal of control over the mobile device. For example, MDM can enforce storage encryption on mobile devices, and both MDM and MAM can enforce restrictions on which apps may be installed on mobile devices and what each app is permitted to do, such as accessing another app’s data.
By utilizing mobile-app reputation services within an MDM or MAM deployment, the organization can enable automatic, up-to-date decision-making regarding the benign or malicious nature of each app. This not only prevents malicious apps from being installed but can also remove apps discovered to be malicious post-installation. It allows users to acquire nearly any app that they want to, while tightly restricting what activities each app can perform to better safeguard the organization’s data.
Having better data security in the mobile age—that is, ensuring data confidentiality, integrity and availability—requires better mobile app security on every mobile device. Accomplishing this requires taking three key steps, beginning with the use of a reputation service to help flush out into the open those apps that are likely malicious. Then, after establishing a mobile device security policy that users will support, you can employ available MAM and MDM tools to bolster enforcement of that policy.
About the author
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.