Mobile Device Applications Security: Part 4
This blog posting is the last in a series of four on mobile device applications security. The prognosis is not good: I've repeatedly tried to drive home the point that there is little if any security built into these applications, with the exception of applications that utilize Microsoft's trusted application model. Interestingly, some app stores claim that applications are "screened" before they are made available through the store, but what is meant by "screening" is not clear, and in no case does it appear to mean a security review of the application itself. The powers-that-be behind the Apple iTunes App Store appear to be more concerned about potentially offensive application content than anything else. Those in charge of the BlackBerry App World appear to care mostly about weeding out applications that are likely to cause BlackBerrys to crash or hang. And Symbian's application screening process appears to consist only of scanning for viruses and eradicating them if they are found. But even if app stores were to offer only truly secure versions of applications, a user could easily bypass the stores altogether and obtain basically the same, but less secure, versions of the applications that an app store offers.
If you want to take on the problem of mobile device application risk, the correct starting point is policy. Your organization’s information security policy should state whether applications on mobile devices can be used for personal reasons and whether users are allowed to download such applications, or whether they must be installed by IT administrators only. Any allowed mobile device applications should be listed on an approved products list. And you will have to back up these policies with a rigorous compliance monitoring and enforcement effort.
Just as with the mobile devices themselves, you'll need to identify threats and vulnerabilities in mobile device applications and then use what you learn as input to a risk analysis. You will also need to select, implement, and evaluate controls. Unfortunately, at the present time there aren't a lot of controls available for mobile device applications. You might be able to change a setting on some applications so that a password must be entered before the application can be used. Admittedly, this is a weak control: it protects against casual use of a lost or borrowed device, but it does nothing against a malicious application or a flaw in the application itself. Still, it is better than nothing.
Security training and awareness offers considerable potential benefit in the mobile device applications security area. Users can, for example, be taught how to judge whether an application is safe to download and run or, if downloading and running such applications is not allowed, why staying away from them matters.
Random audits of the applications on mobile devices need to be conducted to determine whether users of these devices are adhering to the organization's information security policy and standards. After all, creating rules but then not enforcing them is not only a waste of time; it sends the message to employees throughout the company that information security is really not so important.
So we have a rapidly expanding number of mobile devices, and on them a growing number of applications are being downloaded and run. Where do you draw the line when it comes to security? I would say that currently the devices themselves need the majority of security-related attention, because current attacks focus more on the devices than on the applications that run on them. At the same time, however, I predict that things will change in the not-so-distant future and that mobile device applications will disproportionately become the targets of attacks. So hang on to your seat and start looking into this issue now. A large proportion of attacks against conventional computing systems are against Web applications, so don't be surprised if in a few years you discover that the same is true of mobile device applications.