This week, Accenture released a report entitled “Growing the Digital Business: Spotlight on Mobile Apps.” Accenture found that organizations see a high demand from customers for mobile apps, but that only half of those queried feel that mobile apps can be adequately secured. Indeed, virtually half (49 percent) see security as the biggest challenge.
One company is taking steps to address the inherent insecurity of mobile apps. The Wall Street Journal reports that Facebook is working on an approach in which responsibility for security on Android devices is taken out of the hands of the OS:
Instead of relying on a potentially outdated or buggy mobile operating system or browser to provide security when the Facebook app communicates with the application server, Facebook relies on transport layer security code downloaded with the app itself, Facebook CSO Alex Stamos told CIO Journal. TLS is designed to prevent a third party from eavesdropping or tampering with messages. The idea is to make the application itself more secure, regardless of what the operating system is doing.
That seems like a prudent approach: If securing the mobile OS isn’t possible, simply refocus on an area that is, which may be the app itself.
An interview at BetaNews with Gert-Jan Schenk, the vice president for EMEA at Lookout, shows how dicey the mobile app security sector is for the enterprise. A particularly sensitive area is jail breaking. It is proving near impossible to separate mobile work in general from BYOD work structures, so it’s difficult to ensure that workers are not using jail-broken phones.
Schenk used iPhones to illustrate his point:
Jailbroken devices create a major enterprise risk given their ability to run apps developed outside of Apple's review, which may be malicious or contain vulnerabilities. Jailbreaking removes the normal signing certificate checks that prevent these apps from executing and gives them unrestricted access to the device, including the ability to use undocumented APIs that Apple otherwise prohibits. These private APIs can empower apps with a wide range of dangerous capabilities on jailbroken devices, such as the ability to install or launch additional code or collect location data without notification.
Schenk added that phones often require security settings to be lowered in order to jail break them, which is yet another security challenge.
The world of mobility changes at lightning fast speed. A very important step for the enterprise will be to ensure that mobile apps are reasonably secure. This extends to consumer apps and those used by employees through BYOD and on devices that access external wireless networks.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.