Mobile application security How security and privacy issues can derail mobile applications. Whitepaper

Similar documents
5 signs you have outgrown your Microsoft Access application. whitepaper

part I Why 70% of software projects fail and how you can ensure success

Guideline on Safe BYOD Management

Managing internet security

Absolute Software. Complying with Australian Privacy Law: Protecting Privacy with Endpoint Security WHITEPAPER. Table of Contents.

Mobile Devices in Healthcare: Managing Risk. June 2012

A HELPING HAND TO PROTECT YOUR REPUTATION

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

PORTABLE DATA STORAGE SECURITY INFORMATION FOR CIOs/CSOs Best Before November

Specific recommendations

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Need to be PCI DSS compliant and reduce the risk of fraud?

Mobile Application Threat Analysis

Understanding and evaluating risk to information assets in your software projects

Bring Your Own Device Policy

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Data Protection Act Bring your own device (BYOD)

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

Managing Mobility. 10 top tips for Enterprise Mobility Management

A practical guide to IT security

Overview of the HIPAA Security Rule

10 Quick Tips to Mobile Security

A guide to enterprise mobile device management.

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

Are you prepared for the BYOD (bring your own device) movement?

Reducing the cost and complexity of endpoint management

How To Manage A Mobile Device Management (Mdm) Solution

Mobile Security Standard

Information Security It s Everyone s Responsibility

Kaspersky Security 10 for Mobile Implementation Guide

BYOD in the Enterprise

How To Protect Decd Information From Harm

Multi-factor authentication

The Bring Your Own Device Era:

Mobility, Security Concerns, and Avoidance

Building an Effective Mobile Device Management Strategy for a User-centric Mobile Enterprise

Trust Digital Best Practices

DESTINATION MELBOURNE PRIVACY POLICY

Leveraging Privileged Identity Governance to Improve Security Posture

Introduction to Security

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

White Paper. Data Security. The Top Threat Facing Enterprises Today

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

Remote Access and Network Security Statement For Apple

IBM Endpoint Manager for Mobile Devices

Small businesses: What you need to know about cyber security

Btech IT SECURITY SERVICES. Financial Mobility Balancing Security and Success

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Enterprise Mobility & BYOD: Four Biggest Challenges And How to Solve Them WHITE PAPER

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

SECURING TODAY S MOBILE WORKFORCE

Cloud Computing and Records Management

Protecting Your Organisation from Targeted Cyber Intrusion

Elevation of Mobile Security Risks in the Enterprise Threat Landscape

Security Testing. How security testing is different Types of security attacks Threat modelling

Cyber Threats: Exposures and Breach Costs

Small businesses: What you need to know about cyber security

CHILL IT SUPPORTING YOUR BUSINESS INFORMATION TECHNOLOGY FOR YOUR BUSINESS

Mobile Device Management for CFAES

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Mobile Security: Controlling Growing Threats with Mobile Device Management

Bring Your Own Device (BYOD) and Mobile Device Management. tekniqueit.com

Consumer Device Policy (Smartphones / Tablets) BYOD (Bring Your Own Device)

Microsoft STRIDE (six) threat categories

SecureCom Mobile s mission is to help people keep their private communication private.

Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting

Threat Modeling. 1. Some Common Definition (RFC 2828)

Bring Your Own Device (BYOD) and Mobile Device Management.

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

McAfee Enterprise Mobility Management Versus Microsoft Exchange ActiveSync

Choose Your Own Device (CYOD) and Mobile Device Management. gsolutionz.com

Guideline on Access Control

10 best practice suggestions for common smartphone threats

IT OUTSOURCING SECURITY

HIPAA Security Alert

Opinion and recommendations on challenges raised by biometric developments

IY2760/CS3760: Part 6. IY2760: Part 6

How To Protect Your Business Information From Being Stolen From A Cell Phone Or Tablet Device

SENIORS ONLINE SECURITY

White Paper. The benefits of a cloud-based service for web security. reducing risk, adding value and cutting costs

Applying the legislation

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

TECHNOLOGY BRIEF: PREVENTING UNAUTHORISED ACCESS TO CRITICAL SYSTEMS AND DATA. Colruyt ensures data privacy with Identity & Access Management.

How-To Guide: Cyber Security. Content Provided by

Information Technology Security Review April 16, 2012

GUIDE TO PROTECTING YOUR BUSINESS

Administrative Procedures Memorandum A1452

Outsourcing and third party access

GUIDE TO MANAGING DATA BREACHES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Visa Debit & Prepaid Card Access Terms and Conditions As at 1 August 2015

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Mobile Device Management (MDM) Policies

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Recall the Security Life Cycle

Transcription:

Mobile application security How security and privacy issues can derail mobile applications Whitepaper

2 Introduction Today, many organisations are rushing to develop mobile applications, to remain competitive within their industry. In fact, the rate and speed at which applications are being pushed into the marketplace is phenomenal and if you haven t been participating, the sense of urgency to follow suit is understandably strong. While most organisations should be considering developing a mobile application, a word of warning: in the rush to deliver applications quickly, on a limited budget, many organisations (including some multinational companies) have overlooked critical security considerations. This can potentially harm a company s brand and reputation, and negatively impact their bottom line. Users are also increasingly demanding secure mobile applications. Understandably organisations hesitate because it usually means project time and cost increase, sometimes substantially. However, there needs to be a happy medium to accommodate the very real security concerns of customers and equally the need to secure competitive advantage quickly for organisations. This whitepaper looks at some of the security challenges and the very real security risks associated with developing mobile applications. It also provides some real-world examples of companies that failed to take proper measures. Most importantly the whitepaper outlines some solutions that enable you to develop and deploy mobile applications relatively quickly while still ensuring your customers privacy and security is adequately protected.

3 Mobile statistics Over 46% of Australian mobile users are now using smartphones to shop smarter, connect with social networks and interact with organisations Of the world s 4 billion mobile phones, 1.08 billion are smartphones and this number is growing daily (The Social Skinny) Security challenges When developing mobile applications, organisations need to consider three main issues: privacy, compliance and loss of devices. These challenges pose potential security risks to both the organisation, in terms of company image, and the user, in terms of lost data. As organisations are pushed to deploy mobile applications across multiple platforms, they are also faced with the issue of standardisation. That is, each platform differs in terms of the functionality offered and the development process will change depending on the platform utilised. This adds to the security challenges and requires organisations to consider the strengths and weaknesses of each platform as part of the application development process. To illustrate: customers in the US were outraged when they discovered that Citibank s iphone app was storing data on their devices. This had a vast array of privacy implications and as such negatively impacted Citibank s corporate image (Banktech). In order to prevent this from occurring, it is imperative organisations consider the privacy of their consumers and how to incorporate this into the development of mobile applications. Specifically, the possibility of a privacy violation should be considered at each stage of the development lifecycle and contingency plans (such as the STRIDE model, discussed further on) should be established to ensure the viability of the mobile application. COMPLIANCE WITH LAWS In addition to ensuring consumer privacy, organisations also need to comply with certain rules and regulations as outlined by consumer laws. Development of banking applications, for example, are at greater risk of breaching certain laws such as those relating to fraud in the Criminal Code Amendment (Theft, Fraud, Bribery and Related Offences) Act. At one point, Google had to remove a number of applications from their marketplace (Google Play) as they were seen to be non-compliant with certain When planning for, and building mobile applications, security should be of paramount consideration. If not considered, and things go wrong, it could result in a backlash and potentially harm the relationship between an organisation s brand and its customer. As such, you should consider the following challenges when developing mobile applications: PRIVACY A leading concern when purchasing mobile applications is that the vendor honours the customer s right to privacy. This is a thorny issue and should be top of mind when developing applications or you risk the repercussions associated with ignoring such requests.

4 regulations. These applications were built by an anonymous developer who committed banking and credit card fraud by creating false banking applications in an attempt to exploit information on consumers devices (Banktech). Because of these issues, organisations need to find new ways to develop mobile applications that comply with regulations, and to protect consumers from false applications. To that end, some organisations have found code signing to be a good solution. Code signing verifies the mobile application author s identity and ensures the code hasn t been changed or modified since it was signed by the author. Code signing delivers authentication and development integrity. DEVICE LOSS One of the main concerns associated with mobile phones is loss of devices and the resulting security implications. Loss of a device, whether it be due to misplacement or theft, is often associated with loss of important data (e.g. bank details, personal items such as contacts and images, and applications). Losing a smartphone means cancelling credit cards, remotely deleting data and generally inconveniencing and aggravating the customer (The Atlantic). Smartphone providers have responded to this situation by offering services such as the remote lockdown capability which easily shuts down the phone and all the information stored on the device (IT News). Another solution to this security concern is that of collaborative stolen phone databases. This is collaboration between mobile phone providers and the police to create a database where stolen phones can be easily tracked and then bricked or made essentially unusable by the thieves or others. When developing mobile applications, you should take into consideration which devices and platforms will enable the most security for your customers in the event they lose their smartphone. While no mobile platform is immune from security vulnerabilities and management limitations, some platforms are more mature than others in supporting the most appropriate set of policies required by different mobile roles within organisations (IT News). Mobile security statistics Each year in Australia more than 200,000 mobile phones are reported lost or stolen. This equates to 4000 each week or one mobile phone handset every three minutes (Australian Mobile Telecommunications Association) 37% of the applications that were published on Google Play were later removed for a variety of reasons while Apple has removed 24% of published apps (TechCrunch)

5 Solutions to help secure mobile applications THREAT MODELLING STRIDE Organisations can securely develop mobile applications by engaging in contingency planning such as threat modelling. Threat modelling involves describing a set of security aspects by defining a possible set of attacks that may occur. The model helps assess the probability, potential harm, as well as the priority of security attacks, and helps to minimise these threats (Microsoft TechNet). Security can be integrated into the mobile application development cycle through techniques such as STRIDE, where threats can be defined into the following threat categories: Spoofing identity method of illegally accessing and using another user s authentication information Tampering with data deliberate destruction or manipulation of data Repudiation when users deny performing an action without other parties having any way to prove otherwise Information disclosure exposure of information to individuals who are not supposed to have access to it Denial of service form of sabotage that makes applications unavailable to authorised users Elevation of privilege user obtains privileged access to portions of the application or data that are normally inaccessible to them and thus potentially enabling them to compromise or destroy the entire system Engaging in STRIDE arms the mobile application developer with new levels of clarity and understanding so that risks can be mitigated or circumvented. CODE SIGNING A key consideration when developing mobile applications is to determine which marketplaces the application will be deployed to. In some instances, it is relatively easy to develop and deploy an application to certain markets, such as Google Play, but could still create a risk to consumers. This is because the identity of publishers is difficult to determine and consumers can t tell the difference between applications released by an established company and applications built by a third-party. On the other hand, other markets like Apple s App Store, enforce a stringent approval process for all applications (Banktech). But conversely, this could increase deployment times which can affect a company s competitive edge if products or services are not delivered into the marketplace fast enough. The dilemma of the time versus security trade-off provides some food for thought and invites careful consideration. One alternative method being undertaken by advanced mobile software platforms is to use code signing to control the software allowed on mobile networks. Certain app stores, such as the Windows Marketplace, requires code signing technology (as mentioned earlier), whereby a digital signature validates the source of the code and confirms the code hasn t been tampered with or modified (Network World). This increases the efficiency of the deployment process while still providing consumers with security. If the code is from a trusted source, it will be signed-off and automatically accepted in the marketplace. In the event

6 the code comes from an untrusted source, a security warning will prompt the consumer to view the signature information and use their own judgement to accept or deny the application. The implementation of code signing for mobile applications means that consumers, application developers and publishers, and network operators needn t feel they have to compromise security in their rush to take advantage of opportunities in the mobile application space. COLLABORATIVE STOLEN PHONE DATABASE To overcome the challenges associated with lost or stolen devices, governments work with wireless telecommunications providers to create a centralised database of stolen phones identified by their serial number. Once these phones are identified, they will be denied access to the telecommunication providers networks (The Atlantic). This creates a protective layer around the consumer s stored data and ensures privacy while security concerns are mitigated. Conclusion Although many organisations are focussed on compressing further the development time of mobile applications, it is important to consider the associated security implications this may cause for both your company and most importantly your consumer. As you can see, it s extremely important to examine security issues, such as privacy, compliance and lost devices throughout the mobile application development lifecycle, as it is easier to mitigate these risks if they re initially taken into account. Additionally, organisations need to continually monitor these risks and employ methodologies, such as threat modelling, code signing and participation in collaborative databases to effectively maintain a competitive edge in the mobile marketplace. In addition to this, governments have established education programs focused on mobile consumer privacy. These courses will demonstrate how to remotely lock phones, delete personal information and track the location of devices.

7 References: How to build a secure mobile app Matt Gunn (Banktech) http://www.banktech.com/risk-management/231001058 Wireless competitors are banding together to reduce cellphone thefts Megan Garber (The Atlantic) http://www.theatlantic.com/technology/archive/2012/04/wireless-competitors-are-banding-together-to-reducecellphone-thefts/255670/ BlackBerry tops enterprise mobile security survey SC Staff (IT News) http://www.itnews.com.au/news/296756,blackberry-tops-enterprise-mobile-security-survey. aspx?eid=1&edate=20120413&utm_source=20120413_am&utm_medium=newsletter&utm_campaign=daily_ newsletter Secure mobile applications an oxymoron? Marcus Perryman (Microsoft TechNet) http://technet.microsoft.com/en-us/library/cc512575.aspx Using code signing to secure mobile apps Jay Schiavo (Network World) http://www.networkworld.com/news/tech/2011/021411-code-signing.html 100 social media statistics for 2012 Cara Pring (The Social Skinny) http://thesocialskinny.com/100-social-media-statistics-for-2012/ Mobile security statistics and quick facts (Australian Mobile Telecommunications Association) http://www.amta.org.au/pages/amta/mobile.security.statistics.and.quick.facts 37% of published Android apps were later removed, compared to 24% of ios apps Robin Wauters- (TechCrunch) http://techcrunch.com/2011/10/21/37-of-published-android-apps-were-later-removed-compared-to-24-of-ios-apps/

AUSTRALIA P: 1300 55 30 50 Sydney: Intercom 201/ 83-97 Kippax Street Surry Hills NSW 2010 Melbourne: South Rialto Tower 27/F, 525 Collins Street Melbourne VIC 3000 Brisbane: Riverside Centre 18/123 Eagle Street Brisbane QLD 4000 E: info@solentive.com W: www.solentive.com Copyright Solentive #a00003 R: 160 G: 0 B: 3 #546150 R: 84 G: 97 B: 80 Solentive Technology Group is a collection of businesses focusing on solving business challenges with software technologies. From IT strategy to user-friendly custom systems and on-demand mobile applications, Solentive s services span the entire software technology lifecycle. Solentive products and services mentioned herein are registered trademarks of the Solentive Technology Group. All other product and service names mentioned are the trademarks of their respective owners. Data contained in this document serves for informational purposes only and is correct at time of printing. These materials are subject to change without notice.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information