In this episode of the Life in the Mobile Enterprise (LiME) podcast, Reinhard Schumak, VP of Public Sector Solutions, discusses how to create secure app spaces on mobile devices. First he explains the typical security concerns and attack vectors, and then describes security measures that can be taken at both the device and app level that even federal governments and militaries can trust.
As employees, business partners, and contractors look for new ways to use enterprise apps and data to do their jobs, the transmission, storage, and use of corporate information make that data and those apps vulnerable.
To help protect corporate data and apps, organizations should take a three-dimensional approach to mobile security. Specific steps should be taken to protect devices, networks, and apps. It’s not just about protecting one element or the other. Mobile security requires a comprehensive approach in order to protect sensitive corporate apps and data.
CIA: Confidentiality, Integrity, Availability
The U.S. federal government takes a comprehensive approach to security by evaluating all of its information in terms of "CIA": the confidentiality, integrity, and availability of data.
No company or consumer will want to do business with your organization if confidential data is exposed. Integrity concerns which data can be corrupted and what the resulting impact is. Meanwhile, availability speaks to the quality of the network that's available and how much storage is set aside for the information to be stored locally.
Two Typical Attack Vectors
There are typically two security attack vectors for administrators to be concerned with. One is at the app level while the other is at the device level.
At the device level, an attack can result in a modification of the operating system that allows data to be extracted. Even data that the operating system compartmentalizes can then be intercepted by cyber criminals.
Security breaches can also occur at the application level, where an app or the data within an app can be compromised. This can happen with so-called 'man in the middle' attacks, in which an app's communication is intercepted over a network.
App & Device Security Measures
Fortunately, there are a number of security measures that can be taken to protect corporate data and enterprise apps. One mobile app security check built into some apps is to verify that the device has not been compromised before the app is permitted to open. Companies in the defense industry have taken a comprehensive view of combining security between the device and the app level. This way, a device can be configured so that it won't launch if an app is found to be compromised.
At the device level, the boot process can also be secured. For instance, Samsung has Secure Boot and Trusted Boot capabilities that verify both the authenticity and integrity of the bootloader modules and the Android kernel.
Another recommended security measure is to have any data that an app writes to a device be encrypted. To some extent, administrators can enable encryption at the device level, and that's a good practice. But in some industries, such as the federal government, it's also useful to have a second level of encryption in place.
This can ensure that for certain types of apps there is a second layer of protection. For instance, if a person has a 911 app for emergency situations, this is the type of app that should respond quickly without complex authentication. But for an app that requires certain levels of government security clearance, a higher level of authentication can be applied.
A device VPN component is another security layer that can be applied. At the VPN level, a device can be filtered so that only certain apps are permitted to deliver information into a secured enterprise network.
Additional steps that can be taken at the device level include device encryption keyed by a strong passcode. Another approach is the ability to disable pre-installed apps. This can be applied to a device that the organization has provided to users, such as a device that's used to monitor an industrial flow meter, where perhaps only a few capabilities need to be enabled.
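To make the layered measures above concrete, here is an added example (not Apperian's code, and not any real MDM or wrapping API) of the kind of launch gate an app wrapper would enforce: it combines the device-level checks (verified boot, unmodified OS, passcode set) with the app-level check (binary digest matches the approved build), skips the stricter authentication for a 911-style app, derives an app-scoped second-layer key for data the app writes, and models the device-VPN filter that only lets allowlisted apps reach the enterprise network. The `DeviceReport` and `AppPolicy` structures and all sample values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceReport:
    """Constructed device-level check results (hypothetical, not a real agent API)."""
    boot_verified: bool            # bootloader and kernel verified by Secure/Trusted Boot
    os_modified: bool              # operating system altered, e.g. rooted or patched
    passcode_set: bool             # device-level encryption is keyed by a strong passcode
    vpn_app_allowlist: frozenset   # app ids the device VPN may forward into the enterprise

@dataclass(frozen=True)
class AppPolicy:
    """Per-app policy an app wrapper would enforce (hypothetical)."""
    app_id: str
    expected_sha256: str      # digest of the approved (wrapped) app binary
    clearance_required: int   # 0 = open quickly, like a 911 app; higher = stricter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate_launch(device, policy, binary, user_clearance):
    """Combined device-level and app-level gate; returns (allowed, list of reasons)."""
    reasons = []
    if not device.boot_verified:
        reasons.append("device: boot chain not verified")
    if device.os_modified:
        reasons.append("device: operating system modified")
    if not hmac.compare_digest(sha256_hex(binary), policy.expected_sha256):
        reasons.append("app: binary does not match approved digest")
    if policy.clearance_required > 0:  # emergency-style apps skip the stricter checks
        if not device.passcode_set:
            reasons.append("device: passcode required for clearance-gated app")
        if user_clearance < policy.clearance_required:
            reasons.append("user: clearance %d below required %d"
                           % (user_clearance, policy.clearance_required))
    return (not reasons, reasons)

def app_data_key(passcode: str, app_id: str) -> bytes:
    """Second-layer key for data the app writes: derived from the passcode and scoped
    to one app, so it sits on top of, and differs from, device-level encryption.
    The fixed salt is for illustration; store a random per-app salt in practice."""
    salt = b"app-layer:" + app_id.encode()
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200_000, dklen=32)

def may_reach_enterprise(device, app_id):
    """Device-VPN filter: only allowlisted apps may send data into the enterprise."""
    return app_id in device.vpn_app_allowlist
```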
To make all of this manageable, there needs to be an easy way to apply security and usage policies. With some software vendors, a software development kit (SDK) is required, along with a review process to ensure that any changes made to the app's code still allow the app to work.
At Apperian, we believe a more administrator-friendly approach is app wrapping, which allows enterprises to secure sensitive data by wrapping policies around third-party apps without having to go back to the original developer to make changes to the code. App wrapping not only reduces costs, it also reduces the time that's needed to review apps.