Nowadays, people primarily access the Internet while they’re on the go, and mobile data traffic on the Internet is increasing at a fast pace. When businesses take advantage of this mobility and operate outside their premises, though, they need to ensure that they aren’t compromising their security standards.

Laptops, tablets, and smartphones are necessary tools for business productivity, but they affect data security. Mobile devices that access and store confidential information create information access vulnerabilities and compliance violations. So as more and more employees connect their personal mobile devices to the corporate network, businesses need to have a policy in place to govern their use.

The Security Landscape

Mobile users are outside the protective perimeter of the business’ physical facilities as well as its internal network. Hence, those users and their equipment need security appropriate for hostile environments.

The requirements of different users are also different. Some users may only require access to certain Web-based applications. Others use rich mobile applications. In that case, sensitive information might be stored on the user’s device. If the device is lost or stolen, there is a risk of data leakage and exposure. In such cases, the organization must be able to manage the device remotely and possibly initiate remote wipe capabilities.

Mobile security involves four areas: communication security (guarding against network traffic and wireless attacks), device security (guarding against attacks on the client or device), access security (providing and supporting multi-factor authentication), and server security (guarding against attacks on the server-side sites).

In the mobile landscape, a complete security approach addresses vulnerabilities at the device, network, and server component levels. Businesses, then, need to have an access control mechanism, policies for blocking employee devices from accessing the network, and a network access policy. They also should practice securing devices through scheduled forced scans, remote wiping, and software updates.

Multiple Vulnerabilities

Unlike desktops, mobile devices aren’t restricted to the workplace or home, so they can be lost or stolen. Such physical access means devices are under constant threat, making additional controls critical. Businesses frequently suffer data breaches after the loss of a mobile device that had accessed their network.

Wireless access in the home and office is relatively secure, since attackers cannot get inside and eavesdrop. But wireless access from mobile devices poses a different threat. Today, wherever there are people, there are plenty of mobile devices vulnerable to attack. Similarly, most popular applications are location-aware and are therefore more exposed to attack. As a result, securing that sensitive location information is critical.

When a device is stolen, an attacker can connect to the system and get data from it. Common vulnerabilities are presented in the form of unencrypted credentials and cached sensitive data. Devices also can be compromised via malware. Such attacks can take the form of malicious certificates and reconfigured proxy settings.

Mobile thick-client applications are the local components of an application. The client side can have many security issues such as the insecure storage of credentials, either in the memory, in the file system, or on the device itself. The improper use of configuration files, insecure development libraries, and application programming interfaces (APIs) presents problems as well.

Furthermore, client vulnerabilities can stem from insecure development, platform issues, poor certificate management, files dropped on the file system, and data stored on the device. Businesses, then, need to look for client vulnerabilities using application code analysis, memory analysis, and file system analysis.

The network is exposed by mobility as well, since attackers can capture and modify mobile network traffic. This exposure is greater in public places where Wi-Fi is used. Credential-stealing attacks are possible when applications don’t properly secure the sensitive data they use, don’t securely manage TLS/SSL certificates, or don’t check for sensitive data that is merely obfuscated.

Also, credential-stealing attacks can occur when applications lack encryption and transport protection. They can happen when applications send passwords in cleartext over the network or use cleartext credentials, cleartext data, and backdoor data. And, they can occur when there’s data leakage, the insecure transmission of credentials, improper transmission of application data, and improper reliance on the client for security.

When businesses conduct network analyses of mobile applications, they should monitor network traffic, determine data classification, map data flows, identify the insecure transmission of data across the network, monitor the network traffic generated during installation and execution, and evaluate protocol security.
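One way to automate part of that network analysis, as an added example that is not from the article: classify the parameters in captured app requests and flag sensitive data sent in cleartext or exposed in a URL. The capture record format, the field-name classification, and the hostnames are constructed for this illustration.

```python
"""Flag insecure transmission of credentials and sensitive data in captured
mobile-app traffic. Added example; the record format and the classification
table are assumptions for this illustration, not from any real tool."""
from urllib.parse import urlsplit, parse_qs

# Assumed data classification: which parameter names fall in which class.
CLASSIFICATION = {
    "credential": {"password", "passwd", "pin", "token", "api_key", "session"},
    "pii": {"ssn", "card_number", "dob", "lat", "lon"},
}

def classify(req):
    """List (class, name, location) for each sensitive parameter in query or body."""
    out = []
    url = urlsplit(req["url"])
    for where, params in (("query", parse_qs(url.query)), ("body", parse_qs(req["body"]))):
        for name in params:
            for kind, names in CLASSIFICATION.items():
                if name.lower() in names:
                    out.append((kind, name, where))
    return out

def analyze(req):
    """Return findings for one captured request; an empty list means nothing flagged."""
    scheme = urlsplit(req["url"]).scheme.lower()
    findings = []
    for kind, name, where in classify(req):
        if scheme != "https":
            findings.append(f"{kind} '{name}' in {where} sent in cleartext over {scheme}")
        elif kind == "credential" and where == "query":
            # Even under TLS, a secret in the URL lands in server, proxy and referrer logs.
            findings.append(f"credential '{name}' exposed in URL query string")
    if scheme != "https" and "authorization" in {h.lower() for h in req["headers"]}:
        findings.append(f"Authorization header sent in cleartext over {scheme}")
    return findings

# Constructed sample capture: requests the app sent during install and first run.
CAPTURE = [
    {"method": "POST", "url": "http://api.example.test/login", "headers": {},
     "body": "user=alice&password=hunter2"},
    {"method": "GET", "url": "https://api.example.test/profile?session=abc123",
     "headers": {"Authorization": "Bearer abc123"}, "body": ""},
    {"method": "POST", "url": "https://api.example.test/loc", "headers": {},
     "body": "lat=40.71&lon=-74.00"},
    {"method": "GET", "url": "http://cdn.example.test/banner.png", "headers": {}, "body": ""},
]

def report(capture=CAPTURE):
    """Map each flagged request URL to its findings."""
    return {r["url"]: analyze(r) for r in capture if analyze(r)}

if __name__ == "__main__":
    for url, findings in report().items():
        print(url, *("  - " + f for f in findings), sep="\n")
```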

Finally, the Web infrastructure that hosts the app on the server side poses vulnerabilities too. Mobile applications have a server component that the client interacts with via HTTP or Web Services interfaces. The server side can have security issues involving authentication, session management, command injection, business logic and application logic flaws, local file inclusion (LFI), SQL injection vulnerabilities, and cross-site scripting (XSS) vulnerabilities.

Recommendations

Secure coding standards and security practices for Web and mobile apps are needed. Businesses need to develop a custom assessment program and to conduct a comprehensive assessment of their mobile applications. Primarily, they need to identify the different vulnerabilities, conduct mobile application security tests as a single assessment or a series of assessments, and assess the business mobile applications.

Next, businesses must provide in-depth explanations about the discovered vulnerabilities and paths to remediation, analyze and validate the results, and prioritize the vulnerabilities. Following that, they must fix the security vulnerabilities in the mobile applications and repeat the remediation scans to verify that the identified holes are now closed.

Businesses need to improve their efforts in a number of areas before they can operate securely. These areas include mobile security development standards, mobile application security process design, mobile security policies, application-specific threat modeling and analysis, and threat modeling for developers.

Also, businesses should provide a mobile risk dictionary, mobile secure coding training, a mobile secure coding standards wiki, static analysis, a mobile application security assessment (static, dynamic, server, network, client), and a mobile firewall.

Vulnerability Analysis

To protect against the exposure of credentials or data, businesses should conduct a vulnerability analysis. They need to know where the credentials are used and what sensitive data is in play. Also, they must track credentials and data through the device, network, and backend—and test those individual components.

A thorough vulnerability analysis of various kinds of application, client, network and server attacks is needed as well. Finally, businesses need to also address PCI, SOX, HIPAA, and any other government or industry regulations regarding mobile application security.

Businesses need to ensure that as they operate outside their premises, they aren’t compromising their security. The environment for mobile devices is hostile with a variety of vulnerabilities at the client, server, and network layers. As more and more employees connect their personal mobile devices to the corporate network, businesses need to have assessment policies in place to govern their use.