With the increasing number of businesses betting on mobile computing, it's critical to understand the security implications for your sensitive data. HTC Global Services' Practice Head – Mobile CoE, Venkat Alagarsamy, shares these tips.
5 Ways mobile applications are extremely vulnerable and least secured
Unlike web applications, where security is implemented at the server level, for mobile apps the security is implemented on the device itself, which can be reverse-engineered and exploited:
- As a lot of sensitive data resides on the device, the same can be easily extracted by using the right tools
- Reverse engineered apps on open-source platforms can be repackaged with malicious code and redistributed
- There is minimal or no control over using enterprise apps on jail-broken/rooted devices
- Mobile apps are often used in less secured or unsecured public networks and Wi-Fi zones
Top mobile vulnerabilities that might compromise enterprise security
- Connectivity using unsecured protocols
- Offline corporate data residing in the devices
- Weak Encryption techniques
- Losing the device
- Weak or no password protection to open the device or to use the application
- Building applications that could be easily re-engineered
- Inadequate, improper or no enterprise mobile application security strategy/policy
- No enterprise-wide mobile device/application management
- Malicious mobile apps from unauthorized sources/stores
The real loss of a device happens when it is stolen in public places: restaurants, work locations, public transport (bus/train), etc.
This happens mostly between 12 PM and 5 PM. Device loss or theft results in losing identity, productivity, company data, money, credibility, etc.
15 Best practices that corporates follow to ensure data security
1. Installation Protection – Restrict installation authorization only on non jail-broken or non-rooted devices and subsequently disable running the app if the device is jail-broken or rooted after installation
2. Enable Application Expiration – Enable the application to run only for a specific period before it is set to time-out due to inactivity
3. Authentication – Build a proper authentication process like SSO, device authorization, biometric verification, etc.
4. Device Data Encryption – Implement stronger encryption that meets standards such as FIPS 140-2 and Suite B for sensitive and user-critical data
5. Data Connection Encryption – Use of strong encryption algorithms for data transferred OTA with absolutely no compromise on keys.
6. Application Connectivity protocols – A protocol to give access to only its specific functionality and not the entire device.
7. Copy/Paste and Screenshot Protection – Disable the copy/paste option and/or screenshot data capture within the application
8. Remote Wipe – Application should have the feature that would remotely wipe the data without MDM
9. Data Integrity Check – Build an algorithm that verifies data integrity so that corrupted or malicious (worm) data cannot become part of the data model
10. Application Integrity Check – At the time of app login, compare the checksum of the app with the checksum recorded when it was first downloaded to check for integrity
11. Auto update – Verify the new versions of an app and facilitate for the automatic updating of the application to keep in line with bug fixes and security enhancements
12. Log Enabling – Enable app logs to track user activity and capture crash logs and share it with mobile apps admin without the intervention of user
13. Track application usage and analyze – Track application usage data and share it with mobile apps admin
14. Implement MDM and MAM tools that best address the enterprise's needs. Air-Watch is one of the best MDM tools. WSO2 is an MDM tool and is licensed free.
15. Install sound antivirus protection tools on mobile devices
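The following is an added, platform-neutral illustration of three of the checks listed above (inactivity expiry from item 2, app integrity from item 10 and data integrity from item 9); it is example code written for this page, not code from HTC Global Services or any MDM product, and uses only the Python standard library. The inactivity limit, demo key, package bytes and record are constructed for the demo. The data-integrity check uses an HMAC over a canonical JSON encoding, so that any change to a stored record is detected before the record is loaded back into the app's data model; the same compare-in-constant-time pattern serves the package checksum comparison.

```python
"""Added example: inactivity expiry (item 2), app package checksum (item 10)
and HMAC-protected offline records (item 9), using only the standard library."""
import hashlib
import hmac
import json
from typing import Optional

# Assumption for the demo: 15 minutes idle expires the session.
INACTIVITY_LIMIT_SECONDS = 15 * 60


def session_expired(last_activity: float, now: float,
                    limit: float = INACTIVITY_LIMIT_SECONDS) -> bool:
    """Item 2: the app should stop running once idle for longer than the limit."""
    return (now - last_activity) > limit


def package_matches_reference(package_bytes: bytes, reference_sha256: str) -> bool:
    """Item 10: compare the SHA-256 of the installed package with the value
    recorded at first download. compare_digest keeps the comparison
    constant-time so the mismatch position is not leaked through timing."""
    current = hashlib.sha256(package_bytes).hexdigest()
    return hmac.compare_digest(current, reference_sha256)


def seal_record(record: dict, key: bytes) -> dict:
    """Item 9: attach an HMAC-SHA256 tag to a record before storing it offline.
    Canonical JSON (sorted keys, fixed separators) makes the tag independent
    of dictionary ordering."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def open_record(sealed: dict, key: bytes) -> Optional[dict]:
    """Recompute the tag over the stored payload; return the record only if it matches."""
    expected = hmac.new(key, sealed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None  # tampered or corrupted: refuse to load it into the data model
    return json.loads(sealed["payload"])


# --- constructed demo data (not a real key, package or record) ---
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_PACKAGE = b"constructed-bytes-standing-in-for-an-app-package"
DEMO_REFERENCE_SHA256 = hashlib.sha256(DEMO_PACKAGE).hexdigest()  # recorded at first download


def demo() -> dict:
    """Run each check once on good input and once on modified input."""
    sealed = seal_record({"account": "demo", "balance": 100}, DEMO_KEY)
    # Simulate an attacker editing the stored file without knowing the key.
    tampered = dict(sealed, payload=sealed["payload"].replace("100", "999"))
    return {
        "expired": session_expired(last_activity=0, now=INACTIVITY_LIMIT_SECONDS + 1),
        "package_ok": package_matches_reference(DEMO_PACKAGE, DEMO_REFERENCE_SHA256),
        "package_modified": package_matches_reference(DEMO_PACKAGE + b"x", DEMO_REFERENCE_SHA256),
        "record_ok": open_record(sealed, DEMO_KEY),
        "record_tampered": open_record(tampered, DEMO_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real app the reference checksum and the HMAC key would live in platform-protected storage (Keychain/Keystore) rather than in the package, since anything shipped inside the app can be read by whoever reverse-engineers it, which is exactly the concern raised at the top of this article.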
4 New methods vendors are embedding into their devices for enhanced security
- Improved authentication using fingerprint, face authentication, voice authentication, etc. Vendors are investing hugely to come up with better authentication methods – for example, body authentication, etc.
- Vendors are improving the encryption methods for data connectivity and local data storage
- New methodologies, processes and workflows are being implemented in authorized stores to identify malicious applications
- The big challenge of tracking lost/stolen devices still exists. Vendors should build stronger techniques to track stolen/lost devices
1. Newer encryption techniques
2. Mobile locks
3. Device tracking and remote wipe
4. Mobile activity monitoring and audit
5. Proactive data management using Big Data
2 Latest Indian mobile security breaches
1. Security researchers at F-Secure Corporation, an antivirus firm, have conclusively shown that the Xiaomi RedMi 1S handset sends a lot of personal and sensitive data to the "api.account.xiaomi.com" server located in China, including:
- IMEI Number of your phone
- IMSI Number (through MI Cloud)
- Your contacts and their details
- Text Messages
2. A German security firm stated that the low cost and popular Chinese Android Smartphone, Star N9500, comes pre-installed with a Trojan that allows the manufacturer to perform unrestricted spying on their users’ personal data and conversations without the users’ knowledge.