Many of us have heard of the 80/20 rule, also known as the ‘Pareto Principle.’ Applied to mobile application security, the idea is that guarding against threats with the greatest potential impact can mitigate 80% of your risk and provide the biggest bang for the buck.
A defense-in-depth strategy can best protect your organization from security, privacy and compliance threats stemming from mobile app vulnerabilities. Once the essential layers of security are in place, some people tack on specialized solutions that address narrow edge cases. Just know that such additional initiatives usually have diminishing returns. What’s worse, enterprises distracted by the latest mobile security buzzword or hype may end up overlooking the basic blocking and tackling that can eliminate the majority of their mobile risk.
With that in mind, we recommend focusing the bulk of your mobile security efforts on three proactive measures that get your organization ahead of risks rather than left scrambling to respond to an incident or alert. They include choosing the right enterprise mobile devices and operating systems to support; deploying mobile device management; and testing and vetting every mobile app and every update before users install them.
1. Choose a more secure mobile device and OS.
When you evaluate devices to support, such as in a corporate-owned, personally-enabled (COPE) or choose-your-own-device (CYOD) mobility program, first and foremost choose a manufacturer and mobile operating system that pushes out security updates as soon as they’re released. That means either an Apple iPhone with iOS or a Google Pixel running Android. This decision sets the stage for almost everything else you do.
Security managers whose agencies support bring-your-own-device (BYOD) mobility won’t have a say in the device, but can still gain solid protection by taking the next two steps.
2. Configure the device with mobile device management (MDM).
Sometimes referred to by the broader category they belong to, enterprise mobility management (EMM), MDM tools manage employee mobile devices and set and enforce policy. A few leading solutions include BlackBerry/Good, Citrix XenMobile, IBM MaaS360, Microsoft Intune, MobileIron, and VMware AirWatch, among others.
Although functionalities may differ from vendor to vendor, important MDM capabilities include configuring devices to adhere to corporate policy, quarantining compromised or non-compliant devices, enforcing an app whitelist and blacklist, mandating device PINs/passcodes, maintaining inventory and remotely wiping lost or stolen devices.
While MDM enables administrators to securely configure the device and set device-level policy such as requiring passcodes and encryption, it doesn’t provide visibility into mobile app risks. And that’s why organizations must layer on the next preventative measure, app vetting.
3. Perform mobile app vetting to choose secure apps.
Some organizations have upwards of 50,000 apps inventoried in their MDM systems. But how do they know which apps are safe, which have high-risk vulnerabilities or privacy exposures, and what countries their data traverses? Enter mobile app vetting, which is typically provided as a third-party cloud subscription service.
Such mobile app vetting services help managers enforce policy by feeding EMM systems with data about apps to whitelist or blacklist. Mobile app vetting focuses on testing and identifying risky mobile apps, preventing risk and data loss from sensitive data leakage, man-in-the-middle attacks, certificate validation failures, remote code execution, sideloaded apps that bypass app store protections, and more.
A skilled security analyst with the right tools can evaluate perhaps one to two mobile apps per week. That equates to 50 – 100 of your most mission-critical apps per year, leaving more than 99% of installed apps untested for security flaws. And don’t forget the need to test each version. We’ve seen instances of an app with a high security score plummet when the addition of a single software development kit (SDK) introduced a remote code execution vulnerability.
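As an added illustration (not NowSecure’s product code; the category weights, thresholds and sample app are constructed), here is how per-version vetting results can be turned into an EMM whitelist/blacklist decision and flag the kind of score collapse described above, where a single new SDK introduces a remote code execution finding:

```python
from dataclasses import dataclass

# Weights for the finding categories the vetting process looks for (constructed
# values; real services use their own scoring models).
SEVERITY = {
    "remote_code_execution": 60,
    "cert_validation_failure": 40,
    "mitm_exposure": 40,
    "sensitive_data_leakage": 25,
    "sideloaded_outside_store": 30,
}

BLOCK_THRESHOLD = 50  # a score below this puts the version on the blacklist
REGRESSION_DROP = 30  # a drop of at least this much between versions is flagged

@dataclass
class ScanResult:
    app_id: str
    version: str
    findings: list  # category names from SEVERITY (unknown categories cost 10)

def score(result):
    """Start from 100 and subtract the weight of each distinct finding, floored at 0."""
    penalty = sum(SEVERITY.get(f, 10) for f in set(result.findings))
    return max(0, 100 - penalty)

def decide(result):
    return "whitelist" if score(result) >= BLOCK_THRESHOLD else "blacklist"

def emm_policy(history):
    """Per-version EMM decision for one app (results ordered oldest first),
    with a regression flag when a new version's score falls sharply."""
    decisions = {}
    prev = None
    for r in history:
        s = score(r)
        entry = {"score": s, "action": decide(r), "regressed": False}
        if prev is not None and prev - s >= REGRESSION_DROP:
            entry["regressed"] = True
        decisions[r.version] = entry
        prev = s
    return decisions

# Constructed sample: v1.0 is clean, v1.1 pulls in an SDK with an RCE bug.
SAMPLE = [
    ScanResult("com.example.fieldnotes", "1.0", []),
    ScanResult("com.example.fieldnotes", "1.1", ["remote_code_execution", "sensitive_data_leakage"]),
]
```

Running `emm_policy(SAMPLE)` whitelists 1.0 at a score of 100 and blacklists 1.1 at 15 with the regression flag set, which is the signal that would stop an MDM from pushing the update.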
Keeping up with that scale is overwhelming. A staggering 194 billion apps were downloaded globally in 2018, according to AppAnnie’s “State of Mobile 2019” report. Meanwhile, AppBot reports that the median number of days between updates for top apps on the App Store is 18 for free apps and 55 for paid ones, which means that cycle times are even faster for roughly half of the apps. The only way to test this volume is with automation.
Unless they deploy a third-party mobile app vetting service or automated mobile app security testing, agencies are flying blind to potentially massive risks in security, compliance and privacy issues. Proactively vetting and testing an app before you deploy it is the only way to truly reduce risk.
NowSecure offers a solution that takes advantage of our proprietary dynamic, automated test engine to provide security scores and detailed assessments for apps published to the Apple® App Store or to Google Play™. Learn more about our mobile app vetting solutions and professional services risk assessment offerings here.
Not only is the service easy to use, but it requires no configuration and doesn’t need an additional app to be installed and maintained on endpoints. This significantly reduces cost and operational complexity. You can immediately get started searching, monitoring and downloading reports without source code or the app binary.
Once the basic protective measures are in place, some agencies may opt for additional technology to fulfill edge cases. For instance, those with staff who travel internationally may wish to consider exploring mobile threat detection (MTD) to monitor for SMS phishing and unsafe Wi-Fi hotspots.
But these initiatives on their own won’t be effective in guarding against the majority of threats. It’s akin to installing an Internet-of-Things security camera at your front door but leaving the door unlocked. Sure, the footage can help catch an intruder, but not before he or she burglarizes your home.
It’s much the same way with mobile app security and why we emphasize the importance of implementing proactive safeguards rather than responding to threats after the fact.