A study from Ponemon Institute describes the world of mobile enterprise app security, which continues to be rather frightening. The lack of consistent policies is a danger point: Only 19 percent of IT departments have checked mobile apps brought into the enterprise through Bring Your Own Device (BYOD) work structures. Perhaps even more surprising – and distressing – is that only 22 percent of IT departments realize that scanning is important.
In a BYOD environment, apps are far more likely to originate outside the company, and the dangers grow as control fades. The number of apps that people download, any of which can be problematic, is startling, according to two firms cited in the Forbes story:
The average business user has 27 storage apps and 41 human resources apps, according to Netskope. In 2014, Americans installed an average of 8.8 apps per month, according to Flurry Analytics. Of the 461 cloud applications typically used, 85 percent aren’t enterprise ready, according to Netskope.
Author Gail Dutton adds that a consolidated corporate store that aggregates and secures apps is a good step toward meeting the challenge.
TechRepublic’s Paco Hope points out that enterprises both create their own app stores and rely on public entities such as Google Play and Apple’s App Store.
Hope writes that security response time for vulnerabilities on the public stores can be weeks long. That’s not the only issue: Third-party code incorporated into the apps (for such things as authentication and push messaging) could expose the enterprise “to unknown or unexpected legal risks.” In other words, if a data breach or another problem is caused by the app, the company likely will be liable, no matter where the bad code originated. And the mobile app functionality can shift over time and, in some cases, enable actions with which the company is uncomfortable.
Subbu Sthanu, director of Mobile Security and Application Security at IBM, used a Dark Reading commentary to explore four critical mobile app security issues. He suggests that following best practices when creating apps is important, and echoes Hope’s suggestion that code from third parties be scrutinized.
Sthanu also notes that the security of the mobile device itself matters: jailbroken or rooted devices are vulnerable, and remote wiping capabilities should be installed. Finally, analysis of context and risk factors is an important way to protect the organization when a mobile app attempts to connect to backend services and databases.
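As an added illustration of the context and risk-factor analysis Sthanu recommends for backend connections (example code written for this page, not from IBM, Dark Reading or the article), the following Python sketch scores a mobile app's connection request on device posture and request context and maps the score to allow, step-up authentication, or deny. Every field name, weight, threshold and sample request is an assumption chosen for the illustration; a real deployment would take the device signals from an attestation or MDM agent.

```python
"""Context and risk-factor evaluation for a mobile app connecting to a backend.

Added example illustrating the risk-based access check described above; it is
not code from the article or from any vendor named in it. All request fields,
weights and thresholds are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ConnectionContext:
    device_id: str
    rooted_or_jailbroken: bool   # reported by a device posture / attestation agent
    app_signature_valid: bool    # app binary matches the enterprise-store build
    os_patch_age_days: int       # days since the last OS security update
    country: str                 # geolocation of this request
    home_country: str            # country the user normally works from
    new_device: bool             # first time this device_id is seen for the user
    resource: str                # backend resource requested, e.g. "hr-db"


# Assumed sensitivity tiers for backend resources (0 = low, 2 = high).
RESOURCE_SENSITIVITY = {"public-catalog": 0, "crm-api": 1, "hr-db": 2, "finance-db": 2}

DENY_THRESHOLD = 70      # assumed: at or above this score the request is refused
STEP_UP_THRESHOLD = 30   # assumed: at or above this score extra authentication is required


def score_request(ctx: ConnectionContext) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Higher score means higher risk."""
    score = 0
    reasons: List[str] = []
    if ctx.rooted_or_jailbroken:
        score += 60
        reasons.append("device is rooted or jailbroken")
    if not ctx.app_signature_valid:
        score += 50
        reasons.append("app signature does not match the enterprise build")
    if ctx.os_patch_age_days > 90:
        score += 20
        reasons.append(f"OS security patches are {ctx.os_patch_age_days} days old")
    if ctx.country != ctx.home_country:
        score += 15
        reasons.append(f"request from {ctx.country}, user normally in {ctx.home_country}")
    if ctx.new_device:
        score += 15
        reasons.append("previously unseen device for this user")
    # Sensitive backends amplify the other risk signals instead of adding a flat amount,
    # so a healthy device reaching a sensitive database still scores zero.
    tier = RESOURCE_SENSITIVITY.get(ctx.resource, 2)  # unknown resources treated as sensitive
    score = int(score * (1 + 0.5 * tier))
    return score, reasons


def decide(ctx: ConnectionContext) -> Tuple[str, int, List[str]]:
    """Map the risk score to 'allow', 'step_up' (extra authentication) or 'deny'."""
    score, reasons = score_request(ctx)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample requests (not real devices or users).
HEALTHY = ConnectionContext("dev-1", False, True, 10, "US", "US", False, "crm-api")
TRAVEL_NEW_DEVICE = ConnectionContext("dev-2", False, True, 10, "DE", "US", True, "crm-api")
ROOTED_TO_HR_DB = ConnectionContext("dev-3", True, True, 10, "US", "US", False, "hr-db")
ROOTED_TO_CATALOG = ConnectionContext("dev-3", True, True, 10, "US", "US", False, "public-catalog")


if __name__ == "__main__":
    for ctx in (HEALTHY, TRAVEL_NEW_DEVICE, ROOTED_TO_HR_DB, ROOTED_TO_CATALOG):
        decision, score, reasons = decide(ctx)
        print(f"{ctx.device_id} -> {ctx.resource}: {decision} (score {score}) {reasons}")
```

The same rooted device is denied access to the HR database but only challenged for the public catalog, which is the point of weighting device posture by the sensitivity of what the app is trying to reach rather than applying one fixed rule to every connection.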
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at email@example.com and via twitter at @DailyMusicBrk.