Mobile application development poses a thorny problem for the enterprise, especially in terms of software security. A typical app store developer may worry about having code stolen to reverse engineer an application. That's a devastating blow to an individual or small team that has poured time and resources into creating the app. But in the final analysis, the typical app brings in only a few thousand in revenue and represents a small loss if things go wrong. In contrast, the cost to enterprise-class organizations from a non-secure app could run into millions or billions through the loss of sensitive information, theft of intellectual property or a data breach that exposes consumers' personal and financial data. Unfortunately, many enterprises are starting to build mobile apps for the first time -- and they may not realize that making a mistake with such a small application can have big consequences.
Mobile application security is really interesting because you’re not just thinking about code on a device -- you’re changing your system.
CTO, Denim Group
Bigger doesn't mean more secure
Enterprises are used to having a lot of control over their infrastructure. Dan Cornell, CTO of Denim Group, disclosed one common pitfall associated with the false sense of security this setup can engender. "Mobile application security is really interesting because you're not just thinking about code on a device. You're changing your system. With a Web-based system, you've got, 'Here's my code, here's my system, it is on the server side and the bad guys are on the other side of a firewall.'
"With mobile applications," he noted, "you've got to take some of that processing and some of that data and put it on an untrusted device. It could get stolen, it could get rooted, it could get sold on eBay or who knows what. That makes securing mobile applications a lot more complicated."
The devil is in the details when it comes to securing mobile apps. It's at the intersection of services where things tend to fall through the cracks. According to Cornell, "It's not just about the code running on the device, it's also about the code running on the enterprise Web services that support that device code and potentially about code from third-party services that the mobile application calls out to. Where we see the most serious issues is the interaction between those different components."
Data protection is a continuous endeavor
Data leakage overall is potentially a big problem with mobile applications -- and it can happen in a number of ways. That's the opinion of analyst Van Baker, an analyst with Gartner. Data transmission, storage and usage activities all pose risks. "On the one hand, you want to authenticate the users who are coming in because they're not on your network already. They are coming in through a public cellular network, so you have to be able to make sure they are someone you want to give access to your corporate systems. That's the first level of challenge, to be able to do the authentication against an active directory implementation or an LDAP implementation.
"Then," Baker continued, "if you're sending sensitive information to these mobile applications, you want to make sure that data is encrypted in transit. And if that data resides on the mobile device, you want to make sure it is encrypted while it's on the device to protect that intellectual property for the organization."
Keeping data within the purview of the enterprise is also tricky. Employees can't reasonably be expected to supply their own device and only download company-approved apps. This blurring of the lines between personal and business use for devices poses a fresh challenge for developers in securing mobile apps. "People may have work applications on these mobile devices that contain sensitive information, and they're going to have personal applications that are not under the control of the enterprise," according to Baker. "You want to be able to use isolation techniques like containerization and policies built into the mobile applications that prevent actions like copy/paste or forwarding outside the domain." Those are some of the challenges mobile app developers face that they don't have to deal with on the desktop.
Should developers learn from past mistakes?
Cornell put things bluntly -- developers and businesses should probably have seen some of these security issues coming. "What we've seen is mobile systems, especially from a security standpoint, have given development teams an opportunity to remake a lot of mistakes that teams have been making for a long time," he said. "We originally saw this with Web applications. There were administrative functions that you had to log into that often weren't protected (such as an admin directory that no one bothered to require a password to access)."
Over time, developers got wise to this problem. But security became an issue again with the rise of the AJAX application when services weren't doing authentication or authorization checks -- and organizations had to learn the hard way again. History is repeating itself once more. "With mobile applications, the services supporting the application have never seen any adversarial traffic before," Cornell said. "They've only seen requests that came in from approved mobile clients. When you start to flood those services, they fall apart pretty quickly. Or, if you start to increment identifier numbers going to those services, you find out that they don't have a concept of authentication or authorization. It's the same mistakes that development teams have made before, just in a new context."
But Cornell admitted that enterprise development teams face a steep learning curve. "They are learning to do mobile development and security for mobile development right at the same time." Hopefully, they will be able to plug some of these holes by looking to the past rather than by experiencing crises in the future. When it comes to mobile app security, enterprises are learning that they can't afford to get it wrong.
How mobility changes the face of IT security
Next generation security in a mobile era