Page 1: Addressing Mobile Application Security

Addressing Mobile Application Security

www.mobilereach.com

Page 2: Welcome!

• Introduction
• Understanding the Enterprise Environment
• Security Concerns in Enterprise Mobility
• What is Important
• Specific concerns with HTML5
• What to remember
• Wrap up, Q&A

Page 3: Introduction

• Security is by far the most important enterprise mobility adoption challenge for CIOs, according to a recent survey
• However, according to the 2012 Information Security Breaches Survey:
  - Only 39% of large organizations encrypt data downloaded to smartphones and tablets
  - 38% of large businesses do not have any kind of program for educating their staff about security risks
  - 26% of respondents with a security policy believe their staff have a very good understanding of it, while 21% think the level of staff understanding is poor

Page 4: Introduction

• Crucial to have the right policy and tools in place
• Implementation of a clear mobile security policy will contribute to success
• New technology is useful for solving some problems (MDM, etc.)
• However, securing mobile apps from the ground up, with the right policies and procedures in place, will ensure all bases are covered

Page 5: Enterprise Mobile App Security

• The Corporate / Organization perspective:
  - Enterprise responsibility
  - Balance between risk and reward
  - Employee impacts
• Security concerns within your Mobile Strategy
• Taking advantage of technology to create secure processes
• HTML5 risks
• The Mobile Reach approach

Page 6: What is an Enterprise Mobile App

[Diagram: a Mobile Environment exchanging data with the Enterprise Environment, with the four points of concern numbered 1 to 4 on the data flows]

AREAS OF SECURITY CONCERN!
1. Network hacker “listens” to my data
2. Device data exposed
3. Unauthorized person gains access to data
4. Unauthorized network access after hacking device

Page 7: What is Important?

• Your Organization cares about protecting Enterprise Data in the hands and on the devices of mobile users
  - What is the data? How sensitive is it?
  - How bad is it if the data gets lost or into the “wrong” hands?
• Your Organization cares about keeping malicious users and other threats OUT of the Corporate network
  - How to limit the threats?
  - How to minimize damage upon a breach?

Page 8: Security in your Mobile Strategy

• What happens if a user loses his/her mobile device?
  - How do we prevent sensitive or confidential information from being exposed?
  - How do we prevent an unauthorized user from using the device / its applications?
• How do we prevent a malicious user, application, or virus from infecting our corporate network?
• How do we protect the corporate entity from a legal situation (being sued)?

Page 9: Mobile App Considerations

• Think twice about pushing sensitive information to the mobile device. Does the mobile user need it to do his job?
• Is it possible to minimize the sensitive data to a point where exposure is very low risk?
• Whenever neither is possible:
  - Encrypt the data in all over-the-air transport
  - Encrypt the data at rest on a mobile device
  - Have procedures in place to detect/inform as soon as data is at risk
  - Use remote-wipe and device tracking features ASAP

Page 10: Addressing Security Concerns

Your Mobile Strategy MUST include:
• Security Policies and Procedures for your PEOPLE
• NETWORK Security and Policies to control access
• Mobile DEVICE Management
• Data RISK ANALYSIS for your mobile apps
• Data PROTECTION for all sensitive data

Page 11: PEOPLE

Security Policies and Procedures:
• BYOD requirements, including remote wipe consent
• Instructions on the handling of sensitive/confidential information
• Instructions on how/when to report lost or stolen devices
• Authentication policies
• Mobile application usage instructions
• User responsibilities and penalties for non-compliance

Clear and Consistent rules and processes

Page 12: NETWORK Security

Security and Policies for network access:
• Identify WHO is allowed to access the corporate network from WHAT mobile device
• Identify HOW mobile users are to access the corporate network
• Specify required authentication
• Incorporate malware protection

Protect network from unauthorized access (hacking)

Page 13: DEVICE MANAGEMENT

Mobile Device Management MUST include:
• Support for all mobile devices that your users will be using
• Provisioning to manage who is allowed to use what
• Anti-virus, Anti-malware capability
• Remote wipe capability
• Ongoing support, upgrading, etc.
• Device location tracking

Manage and control mobile devices and usage

Page 14: RISK ANALYSIS

Data Risk Analysis for your Mobile Apps:
• Identify the data that will be used by the mobile app and characterize its sensitivity
• Map out processes for mobile users
• Minimize sensitive data on the mobile device
• Identify the risks of exposure for all sensitive data
• Implement data protection measures to mitigate risks

Minimize risk while maximizing operational effectiveness

Page 15: DATA PROTECTION

Protecting Sensitive Data:
• Do not count on device security to be enough!
• Application-level ENCRYPTION of all sensitive data, BOTH during Over-the-Air transmission AND At-Rest on the device, is required
• AUTHENTICATION of authorized mobile users is required for access to enterprise mobile apps and data
• No clear text storage of passwords or other authentication criteria

Make it extremely difficult / impossible to hack data

Page 16: Using technology securely

• How it can help:
  - Visually hiding data
  - Encrypting data (at rest, over-the-air)
  - Requiring Authentication for access
  - Transferring data in real time, removing it from the mobile device
• Considerations:
  - Data is in an electronic format
  - Must be encrypted within the software

Page 17: Examples…

• Nurse capturing patient data
  - Form and clipboard: free text, easy to be seen
  - Mobile device with electronic form: encrypted text
• Military personnel performing an Armory inventory
  - Spreadsheets and clipboard with part-codes and quantities in free text
  - Mobile device with barcode scanner and coded fields

Technology can be used to assist in the protection of data

Page 18: Components of a secure app

• Authentication of users
• Incorporate an idle timer application lock
• Encryption of all data at rest
• Encryption of data transferred over the air
• Good error handling
• No dependence on untrustworthy code

Page 19: Security Issues With HTML

• Browser Based Vulnerabilities
  - Security varies depending on browser
  - Many more browser options available on smartphones
  - With much more data caching and local storage, browsers are now accessing much more sensitive data
  - Email client, CRM and other systems could be exposed
  - Browsers are the major attack point for hackers
  - Browser providers must agree to adopt industry standards that have yet to be approved
  - New standard not due until 2014

Page 20: HTML 5 Holes

• Browser Attack Points
  - Cross Document Messaging, Local Storage, Cookies
  - Issues with HTML4 and JavaScript remain in HTML5
  - Abuse of DNS and insecure use of APIs could leave a website vulnerable
  - Flawed input validation, client side validation syntax issues
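Cross Document Messaging in the list above is a case where the receiving page, not the browser, decides what to trust: window.postMessage delivers an event carrying the sender's origin, and a handler that ignores it accepts input from any page. The block below is an added example written for this page (not part of the deck) showing a defensive receiver: an exact-match origin allowlist and validation of the message shape on the receiving side, since client-side validation by the sender proves nothing. It is written as pure functions so it runs under Node with constructed events; in a browser handleMessage would be passed to window.addEventListener('message', ...). The origins, message types and sample events are constructed.

```javascript
// Added example (not from the Mobile Reach deck): defensive handling of HTML5
// cross-document messages. All origins, message types and events are constructed.

// Exact-match allowlist. Substring checks such as origin.includes('example.com')
// also accept 'example.com.attacker.test', so compare whole origins only.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',     // constructed
  'https://portal.example.com',  // constructed
]);

// Message type -> required payload fields and their expected JS types.
const MESSAGE_SCHEMAS = {
  'record:save': { id: 'string', note: 'string' },
  'session:ping': {},
};

function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Validate the envelope and payload here, on the receiving side.
function validateMessage(data) {
  if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
    return { ok: false, reason: 'malformed envelope' };
  }
  const schema = MESSAGE_SCHEMAS[data.type];
  if (!schema) return { ok: false, reason: `unknown type ${data.type}` };
  const payload = data.payload ?? {};
  if (typeof payload !== 'object' || payload === null) {
    return { ok: false, reason: 'payload not an object' };
  }
  for (const [field, expected] of Object.entries(schema)) {
    if (typeof payload[field] !== expected) {
      return { ok: false, reason: `field ${field} must be ${expected}` };
    }
  }
  for (const field of Object.keys(payload)) {
    if (!(field in schema)) return { ok: false, reason: `unexpected field ${field}` };
  }
  return { ok: true };
}

// event has the shape the browser delivers: { origin, data, source }.
// Returns a decision instead of acting, so the logic can be tested directly.
function handleMessage(event) {
  if (!isAllowedOrigin(event.origin)) {
    return { accepted: false, reason: `origin ${event.origin} not allowed` };
  }
  const v = validateMessage(event.data);
  if (!v.ok) return { accepted: false, reason: v.reason };
  // When replying, name the sender's origin explicitly (never '*' for sensitive data).
  return { accepted: true, type: event.data.type, replyTo: event.origin };
}

// Constructed events: one legitimate message and four that must be rejected.
const SAMPLE_EVENTS = [
  { origin: 'https://app.example.com',
    data: { type: 'record:save', payload: { id: 'r1', note: 'ok' } } },
  { origin: 'https://app.example.com.attacker.test',            // look-alike origin
    data: { type: 'session:ping', payload: {} } },
  { origin: 'https://portal.example.com',                       // wrong field type
    data: { type: 'record:save', payload: { id: 'r2', note: 42 } } },
  { origin: 'https://portal.example.com',                       // extra field
    data: { type: 'record:save', payload: { id: 'r3', note: 'x', isAdmin: true } } },
  { origin: 'https://portal.example.com', data: 'hello' },      // not an object
];

function runSamples() {
  return SAMPLE_EVENTS.map(handleMessage);
}
```

The same two checks apply to Local Storage and cookies in a different form: anything read back from client-side storage is input and gets the same schema validation before use, and nothing sensitive goes into Local Storage in clear text, since any script running in that origin can read it.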

Page 21: Predictions

• According to a recent report on Security Predictions and Trends by Watchguard.com, HTML5 will be under increased attack in 2012.

“… the security of HTML5 applications is still dependent on the skill and care with which developers create them. HTML5 is new and complex … Developers are still getting comfortable with it, which means they are likely to make programming mistakes that could translate into web vulnerabilities. Increased usage of HTML5 will significantly contribute to the continued increase in web applications attacks next year.”

Page 22: The Mobile Reach approach

Mobile Reach Splitware Mobility Platform:
• Security built into the foundation of the platform
• Data transferred and at rest is encrypted via AES 256-bit encryption
  - Easy to scale / add other encryption algorithms
• All software built in-house with no 3rd party components
• Native application platform to avoid the pitfalls of HTML5
• Ability to incorporate fingerprint scanning, retina scanning, and other device-native features
• Database protected from general-purpose device backup facilities
• Authentication incorporated

Page 23: Splitware Approach to Security

[Diagram slide; no text content recoverable]

Page 24: Splitware System Encryption

[Diagram slide; no text content recoverable]

Page 25: The Mobile Strategy Checklist

• What happens if a user loses his/her mobile device?
  - Mobile apps lock requiring password; remote wipe
• How do we prevent sensitive or confidential information from being exposed?
  - Encryption of all data, encryption of all passwords
• How do we prevent an unauthorized user from using the device and its applications?
  - Authentication (ideally two-factor), idle-time locking
• How do we prevent a malicious user, application, or virus from infecting our corporate network?
  - Network security software
• How do we protect the corporate entity from a legal situation (being sued)?
  - Well-thought-out and documented procedures, adherence to industry best practices

Page 26: Summary

• Protecting enterprise data is what’s important
• Developing appropriate rules and procedures that complement your mobile processes and the needs of your mobile workforce is critical
• Understand the real risks of your mobile solution and focus security measures on those risks
• Avoid using HTML5 for mobile apps that require high security
• Avoid the tendency to implement security procedures just for the sake of “security”

Page 27: Q&A

For a copy of the presentation, more information, or to request a product demonstration, please contact Bob Silver.

Bob Silver: [email protected]
919-336-2500, ext 109

Page 28: Thanks for Joining Us!

• Mobile Reach Enterprise Mobility Webinar Series
  - Building Mobile Apps in Minutes
  - Analyzing and Implementing Effective Mobile Workflow
  - Why Native Apps are the right choice for Enterprise
  - Addressing Mobile Application Security
  - Developing an Enterprise Mobile Strategy

August 2012