With each passing year, the importance of mobile application security is growing tremendously. A major part of this has been triggered by press and media reporting on numerous hacks that have affected users and consumers across different segments, ranging from casual gamers and online shoppers to major bank frauds that leaked millions of card details online.
If you are a business, you are not likely to escape the enterprise mobility rush, but you can and definitely should avoid certain security mistakes, and follow established industry practices so that your system has multiple security checkpoints.
5 Do's in Mobile Application Security
1. Embrace BYOD, but with a plan
BYOD, or Bring Your Own Device, allows employees to use personal mobile devices for work. This strategy has been gaining a lot of traction recently, especially among small businesses. It helps reduce costs, increases productivity and allows employees to work with devices they are already familiar with. BYOD should be embraced, but with a plan and strategy in place. While it sounds great, it is a Pandora's box of security issues. Make sure you have a BYOD policy in place that not only educates your employees about best practices but also ensures that your data sitting on these devices can be protected at all times.
Modern MDM (mobile device management) solutions are advanced enough to provide protection in most tricky situations, from the security of mobile applications to cloud transfers and network security.
2. Strong authentication
Before you allow users or your employees to connect and access corporate apps, make sure there is a strong layer of authentication that clearly identifies both the user and the device on every access. If you hold corporate and user data, make sure you secure the server, the data, and the application.
3. Use sandboxing
While building and testing apps, use sandboxing to isolate application data and code execution from other apps. A sandboxing approach lets you execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.
4. Protect data in transit
It is critical to protect data in transit, and also data at rest, from snooping and theft. Many businesses simply depend on some encryption or network security technology and believe, or hope, that it will keep them safe. Honestly, every single channel the data passes through, from creation to transfer to usage, has to be secured.
5. Internal and external security checks
I cannot stress this enough. Every business should have internal security practices and checks in place. While doing that, every company should also use multiple external security products and vendors to ensure the best security for their business. It is always good practice to have multiple suppliers that do different things, or even the same thing, because it improves your chances of staying safe. Today, for every kind of security, be it apps, network, data or anything else, there are vendors at different price points. Pick what works best for your budget, but use multiple vendors.
5 Don'ts in Mobile Application Security
1. Blindly trust the source
Do not assume that all content passed to you is trustworthy. We have also seen many apps that validate payments by only checking that an SSL certificate exists. Make sure you always dive deeper: check the source (issuer) of the SSL certificate, check its validity, and only then approve it. Likewise, there are numerous situations where it is necessary to double-check both the source and the content before trusting it. Asking tough questions and not extending blind trust is one of the first steps toward good mobile application security.
2. Collect data you don't need
Do not collect data you do not need. I understand that today it is extremely exciting to collect as much data as possible. On most occasions I have seen businesses collecting every kind of data they can without a plan for what to do with it. While you might believe this is a gold mine, you are just attracting more trouble. Make sure you collect only the data you need, and ensure the best security for it.
3. Ask for permissions you don't use
Many businesses with mobile apps ask for permissions they do not need. This follows from the previous point: if your application is not sufficiently secure, the data and permissions it holds can be abused by a malicious app sitting on the same user's or employee's phone. An important practice in mobile application security is to make sure you do not ask for permissions you are not going to use.
4. Avoid security discussions during product discussions
A big mistake many companies make! Do not skip security reviews when you are brainstorming about your product. Product development and release are necessary, but you should also ask yourself, "Is this secure?" I think it is futile to engage in a product vs. security war. Both are important, and it is necessary to choose a path that takes both factors into consideration.
5. Do everything yourself
This is a big don't! Do not try to do everything yourself. There are many vendors, products and service providers who can support your business very well because of the expertise they have built. If you try to do everything yourself, you will not only lose time and money but in most cases will end up not doing the best possible job. Always remember that your business exists to achieve a particular goal. Bring vendors and partners on board to help you get there.
There is no doubt that mobile apps have created a world of magical convenience for us. But at the same time, they also unlock the doors to financial, medical, and other personal information for hackers. And if the guardians of such apps, i.e. the developers, don't assess the security risks appropriately, things might go haywire for the entire business. Understanding all the critical frontiers of mobile application security, on the other hand, can change the picture and nullify the tactics of threat actors, however hard they try.
Get to know your threats before they get to know your data!