By Chris Clark and Chad Butler
In today’s world of born-on-mobile businesses, it’s becoming incredibly easy for a developer—whether they work for a multinational enterprise or co-founded a startup in someone’s garage apartment—to create a mobile application (app) and quickly deploy it to the market. As we saw with the gaming sensation Flappy Bird, these apps can skyrocket overnight to stardom, garnering hundreds of thousands of downloads within days. While it can be considered easy to build and deploy an app, it can be as equally challenging to make it secure.
Each day, hundreds of thousands of smart device users download apps without a second thought to their privacy, leaving all of their data—both personal and employer data—vulnerable. While some might argue we need to better educate consumers, education won’t necessarily mitigate the risk completely. In fact, Gartner predicts by 2017, 75 percent of mobile security breaches will result from mobile application misconfiguration or misuse.
Security at the Developer Level
With the number of smartphones and tablets steadily increasing, we need to start thinking of incorporating security at the developer level, working it into all gaming, business, and personal apps from the initial build cycle. Companies can’t let the fate of their data continue to rest on end-user responsibility, no matter how secure the app or how careful consumers are. We need a more flexible way to monitor and protect our data to be prepared for the inevitable, whether it be a stolen device, a hacked tablet, or a lost smartphone.
There are three key ways that developers can build and deploy mobile apps that include sensitive data with security in mind, including encouraging developers to think security, leveraging flexible infrastructures, and implementing an appropriate mobile policy.
Security IT leaders need to spend more time with developers and engage with them on a regular basis. In traditional settings, developers build an app then send to the security team to poke holes in the development to be fixed before deployment. However, nothing is more frustrating to developers than a late find of a security issue. Educating developers on the associated risks and working closely throughout the application development process creates trust between developers and the security team and brings security top of mind when building applications. For example, at Fiberlink, we even offer developers a software developer kit to build secure mobile applications from scratch.
Once an app is developed it must be tested in specific environments before being deployed. Security leaders can work with IT to build secure cloud environments flexible enough to adjust to the different aspects tested for specific applications. For example, at Concur offers mobile apps that complement our Web-based solution, and are designed to manage expenses and travel-related bookings and itineraries. However, dealing with sensitive payment information means we need to ensure this data is stored securely. To test a payment function on a mobile sales app, the test team can leverage a cloud environment designed with specific security patterns to examine how the app will respond to multiple failed log-in attempts—a possible signal of a hacker.
Building with security in mind is critical, but the last line of defense really lands with your employees. Once an app is deployed, it is important to make sure your employees are equipped to use it appropriately. Lay down rules for your employees to ensure the security measures in place will remain effective. It’s best to enforce a “no jailbreaking” rule so that phones on your network are not compromised by a phone without an initial security blanket equipped on them by the manufacturer. Making sure phones run on the appropriate versions of platforms and/or operating systems is also crucial to ensure they receive necessary security updates.
Fiberlink and Concur follow these rules when building and deploying mobile apps that involve sensitive data.
Properly Securing App Data
Overall, many steps go into properly securing data in today’s mobile world, but these are just a few we need to implement to secure mobile applications. With 91 percent of adults owning a mobile device, taking the steps to bake security throughout the mobile development process and your organization is an absolute must in keeping your data secure and providing safe products for your customers. SW
Chris Clark is the president of Fiberlink/IBM MaaS360 and Chad Butler is the security and risk manager at Concur Technologies.
Nov2014, Software Magazine SWM3004