It won’t take an independent study or market research to convince most IT directors that mobile devices are now critical business assets. The “mobile workforce” long ago became the de facto workforce.
For years, it seemed that the core issues affecting mobile security were device theft and company laptops being infected by malware on home networks and then being reconnected to a company’s secured network, effectively circumventing network firewalls. Fortunately, this problem has been effectively mitigated over time by IT administrators through the implementation of centrally administered anti-malware/spyware/everything-bad-ware packages and network security solutions that prevented unverified devices from accessing protected company resources. However, employee owned devices such as smartphones and tablets have quickly turned into vital company resources as well and they now harbor much of the same sensitive data as a company laptop. This trend should cause every organization to take the time to re-evaluate the security of their mobile workforce and ensure that their private resources stay private.
Security of any kind is typically achieved through a layered approach, and mobile device security is no different. Part 1 of this blog post will cover backend security and transport security, which are components that are common to almost every system. Part 2 will cover the aspects that have more specific nuances in the mobile world: device security and mobile app security.
The network-integrated security approach worked extremely well for company issued laptops, which, though still mobile, are centrally administered and of a fairly uniform configuration. The trend of workers using their personal smartphones and tablets for work purposes (a practice referred to as BYOD or bring your own device) has sharply increased over the past two years, however, and is predicted to double over the next two. This poses some new and challenging headaches for both IT administrators and developers of enterprise applications (apps).
The demand for mobile apps that allow workers to perform many of the same administrative tasks as their desktop or web based counterparts is forcing developers to churn out mobile apps at a grueling pace to catch up (often having to build the same app multiple times to target each platform). This often means that security becomes an afterthought since it requires time and testing to do correctly and in a way that doesn’t frustrate the user. This can also result in developers taking shortcuts and not implementing the same level of security in mobile apps or improperly implementing security controls due to lack of familiarity with the best practices for a given mobile platform (as indeed there are many, most of which are platform specific).
Additionally, whereas laptops had easily enforceable password complexity requirements, most smartphones can be unlocked with a 4-digit PIN or simple hand gesture unless they are synced to an MDM or other server that is enforcing password complexity requirements. If the 4 digit PIN isn’t coupled with functionality to wipe the phone after a certain number of bad password attempts, logon security is almost nullified. This means that smartphone and tablet app developers must be extremely mindful of the sensitivity of data being provided to their apps and must potentially take additional measures above and beyond what would be taken in a traditional desktop or web app to protect this data. This also means that any full device encryption must be treated with scrutiny as it is effectively rendered moot by an easily unlocked phone.
The results of a recent survey by Ponemon help to illustrate why it increasingly important for mobile developers to be mindful of security concerns when building mobile applications:
1. 59 percent of surveyed companies had suffered a data breach as a result of mobile devices being used for work purposes
2. Of those companies, only 55 percent of companies had implemented an acceptable use policy for mobile devices
3. Of those companies with active acceptable use policies, only 45 percent actively enforced them.
So, even though well over half of the companies surveyed had suffered some kind of data breach as a result of mobile devices, less than 15 percent had actively enforced acceptable usage policies. It’s not hard to see why though: centralizing mobile device management usually requires expensive software, and employees typically don’t want their employer managing what they consider to be their own personal devices. Fortunately, the same defense-in-depth security principles that apply to desktop and web applications can also be applied to the mobile world. This means security must be implemented in layers: at the backend, while the data is in transit, at the device layer, and especially in the case of mobile devices, at the client application layer.
Backend (server) and transport layer security are essentially unaffected by mobile applications as long as they have already been implemented properly. Communication with applications on mobile devices should be assumed to be happening over an untrusted network, so sensitive information should always be encrypted (typically using SSL or some form of VPN connection).
On the current generation of smartphones and tablets, SSL/TLS (and any other AES based encryption) is cheap, fast, and widely supported, and if any kind of information that you wouldn’t want to be public to the world is passing between your servers and your client applications, it should be used ubiquitously.