Although Bring Your Own Device (BYOD) has gone mainstream (74% of businesses are using or adopting BYOD: http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/#!) and delivers advantages to small businesses as well as employees, the security challenges around BYOD are still numerous, and many remain unresolved. Up next is the adoption of Bring Your Own App (BYOA).
BYOA provides an opportunity to get out ahead of the adoption curve and instead of being reactive around BYOD security, businesses can become proactive in adopting security controls around BYOA. Let’s face it, we live in an app culture, and business needs to innovate, so the time is now to prepare for this trend.
There are three critical points a business must address when adopting BYOA:
- Identify App security requirements and policy
- Understand the types of vulnerabilities
- Establish standards to determine if an App is suitable for deployment in the business environment
Among the advantages of mobile Apps are real-time sharing and nearly unrestricted mobility. These are compelling drivers for adopting a BYOA strategy. However, mobile Apps are heavily consumer driven and, in the Android market for example, are susceptible to dangerous vulnerabilities. There have also been numerous instances of fake Apps in the marketplace which masquerade as legitimate Apps from reputable companies. Although many Apps are “free,” the hidden cost is often the sharing of personal or sensitive information, primarily because the Apps are consumer driven.
As with any information security area, mobile App security begins with assessing risk, which leads to policies. The business, AKA the revenue producers, will have business requirements which drive mobile App adoption, and IT and security teams need to be out front, understanding those needs and requirements. Then a comprehensive risk assessment can be produced which presents the risks and potential mitigating controls to the executives and business owners. Finally, a policy can be adopted, and security standards and requirements developed, which align with the needs and requirements of the business producers.
Examples of security requirements include determining and enabling functionality, preventing unauthorized functionality, limiting permissions, and protecting personal and/or sensitive data.
Mobile Apps share many of the same vulnerabilities as traditional applications. However, unlike more traditional applications, mobile Apps can and do share very sensitive information such as photos, audio, and personal information, as well as sensitive business information. The benefits are many, but the vulnerabilities and risks are even greater.
What are some of the vulnerabilities associated with mobile Apps which a business must be aware of when assessing risk?
- Permissions which allow the application to perform functions and gain access outside of the intended or reasonable scope of the application. Some examples may be gaining control of the camera, GPS, or other functionality when not required for the core purpose of the application.
- Collusion, meaning applications sharing data with other applications beyond the reasonable scope of either App.
- Dangerous functionality which exposes core resources and low-level system APIs of the mobile device, and with them personal or other sensitive information.
- Potentially exposed communication channels not clearly visible to the user, such as wireless, Bluetooth, or near field communication. Sensitive information could be unknowingly transmitted, or external information could be used to corrupt sensitive data on the device.
- Traditional software vulnerabilities shared with other traditional applications also apply to mobile Apps.
What factors go into the development of security standards and suitability for mobile apps?
- Establish and document security controls for mobile hardware and operating systems. Examples include encrypted file systems, as well as security settings which can be controlled on the specific device.
- Understand the risks: What sensitive data is stored, collected and/or transmitted?
- Determine the criticality of the App and include it in the organization's Business Impact Analysis if it is critical to core business processes.
- Is there a mobile device management (MDM) solution in place? What security features can be implemented and managed from this solution? If no MDM is in place, consider implementing one.
- Educate staff and include mobile App security as part of regular security awareness training.
- Consider retaining the services of an application testing provider to handle the vetting of mobile Apps prior to approval and implementation.
- Monitor public sources of mobile App vulnerabilities to stay up to date on potential security impacts affecting mobile devices.
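One concrete check that serves both the permissions vulnerability above and the vetting step in these standards is comparing the permissions an App requests against the permissions its business purpose justifies. The script below is an added example, not code from the original article: it parses a constructed Android manifest for a hypothetical note-taking App and flags every requested permission that falls outside a hypothetical per-category policy, calling out the ones that reach sensors or personal data.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical note-taking App) that requests
# camera, location and contacts access beyond its core purpose.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Hypothetical policy: permissions considered reasonable per App category.
POLICY = {
    "notes": {"android.permission.INTERNET"},
    "field_photos": {"android.permission.INTERNET",
                     "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION"},
}

# Permissions that reach sensors, radios or personal data; any of these
# outside the policy scope should block approval until justified.
HIGH_RISK = {"android.permission.CAMERA",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_CONTACTS",
             "android.permission.RECORD_AUDIO",
             "android.permission.NFC"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def vet_app(manifest_xml, category):
    """Compare requested permissions with the policy for the App's category."""
    requested = requested_permissions(manifest_xml)
    out_of_scope = sorted(requested - POLICY[category])
    high_risk = [p for p in out_of_scope if p in HIGH_RISK]
    return {"approved": not out_of_scope,
            "out_of_scope": out_of_scope,
            "high_risk": high_risk}


if __name__ == "__main__":
    print(vet_app(SAMPLE_MANIFEST, "notes"))
```

The same manifest vetted under the "field_photos" category is only flagged for contacts access, which shows why the policy has to be written per business purpose rather than as one list for all Apps.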
BYOA and mobile Apps can provide a business with operational efficiency, cost advantages, and competitive advantage. However, failure to identify and mitigate risks can negate all of these advantages and expose the business to substantial harm. By all means, ride this next wave of disruptive technology and leverage the advantages. However, exercise due care and address the risks to make the journey a secure one, where security is baked in rather than bolted on.
Ted Lloyd, CISM