Weak server controls make mobile applications further susceptible

By Sharath Kumar

BANGALORE, INDIA: Smartphones and mobile Internet have become the de-facto and first point of interface to the external world today. Businesses and consumers are riding on the power of mobile, exposing themselves to a number of mobile application vulnerabilities.

The mobile device world is characterized by a plethora of devices, screen resolutions, operating systems, operators and locations. In a world comprised of tens of thousands of different client devices and over 400 operators around the globe, testing your mobile application and ensuring it is secure can become a real problem.

In an interaction with CIOL, Sai Chintala, SVP, Global Pre-Sales and Enterprise Solutions Group, Cigniti Technologies, talked about the common attack possibilities on a mobile platform. Excerpts:

CIOL: What are the common attack possibilities on a mobile platform witnessed today? Are they serious?

Sai Chintala: A mobile device is often designed (and used) as a means of communication; hence, it is not a surprise that most common attacks happen via malicious applications utilizing communication channels such as Email, SMS, Bluetooth, TCP/UDP sockets, etc.

While weak server-side controls make mobile applications further susceptible, the inherent vulnerabilities known in the web application world would also be attributed to the mobile application world. This reduces the risk appetite for mobile applications. For example, if a malicious application can access the SMS that is being sent to the banking customer, it would allow the attacker to access the unique transaction code needed for authorizing a financial transaction and bypass the multilayer authentication designed by the banks.

CIOL: Today, every enterprise is moving to the mobile platform. How do you see their apps from a security perspective?

SC: In the wake of increased adoption of the mobility platform, security has definitely become one of the biggest challenges in CIOs' hands. Most of the challenges revolve around three issues: device and app control, heterogeneity of devices, and data security.

A recent research report from Forrester on the '2013 workforce adoption trends' confirms that the global workforce is an anytime, anywhere information workforce. Research also confirms that these workers use at least three or more devices, work from multiple locations and use a minimum of 10 apps.

Hence, it is quite evident that the emergence of Bring Your Own Device (BYOD) policies has caused enterprises to take a holistic view of mobile application security. Access control, device rights, application management, logging, reporting, location-based identification, and workflow-driven access, approvals, etc., call for a stringent security strategy. On average, a mobile worker has at least three different layers of access to the corporate IT applications: from inside, from outside and while on the move.

Wireless LAN systems are also under tremendous recourse owing to BYOD. Moreover, devices need to be tracked constantly whenever corporate information is being accessed. To ensure visibility and governance over mobile applications, their users, their roles and their access needs and patterns, enterprises give high priority to mobile device management software.

CIOL: Do you see a need for enterprises to move to newer ways of testing mobile applications and software with a faster turnaround time?

SC: Since the use cases are becoming much more diverse and complex, testing end-to-end mobile applications that touch enterprise IT systems and software has become a time-consuming affair.

An automated approach is not the only quick fix. It is important to understand the implications from an IT usage standpoint, since the disparity between information consumption, information exchange and information production has to be considered while new-age, enterprise-grade mobile applications are tested. With a mobile-first approach, conventional web-based application testing becomes secondary now. Faster turnaround times are expected considering the pace at which app updates can get through the inner layers of the enterprise via employee-used devices.

CIOL: Will the roll-out of inward-facing and vertical-specific enterprise app stores over the cloud help in mitigating security challenges?

SC: Inward-facing Enterprise App Stores definitely help IT to have better control over the type of applications that employees would want to access, use and produce. In fact, companies are producing vertical-specific, need-specific and business-specific apps and are deploying them in all-cloud, virtualized and access-controlled environments.

Companies are using state-of-the-art mobile device management software to ensure that these applications are managed and governed from an end-to-end perspective. However, in spite of the security measures, applications do pose security challenges from access control, location-oriented and device fabric standpoints. Most vulnerabilities occur when information hand-off happens while employees and the workforce seamlessly move between different zones and locales of access.

To ensure companies stay ahead of the curve, it is crucial to have a comprehensive understanding of the business use case and strong mobile application security testing expertise. While it is very important for organizations to adopt BYOD and inward-facing Enterprise App Stores to control unwanted access and information exchange, it is even more vital to implement a comprehensive security testing approach while different enterprise applications are being touched upon.

Also, in BYOD 2.0, the emerging phenomenon, reports indicate a shift from the device level to the application level. This gives a good amount of control from the software management and security standpoint, which, if handled well, can be a highly productive phase for businesses that leverage Enterprise App Stores. Needless to say, success lies in having a specialized service partner who can help enterprises conduct comprehensive security testing that accommodates these changes.