The Risky Business of "Roll Your Own" App Security
Blue Cedar | Oct 30, 2017
Enterprises are increasingly looking to mobile apps to help them increase core business process efficiency, engage more directly with customers, and extract added value from their digital transformation initiatives. Enterprise mobility has been a hot topic for the past couple of years, with some envisioning the mobile app interface as the face of the future for most organizations.
But it’s a long way from enthusiasm to enterprise-wide adoption. So what’s standing in the way? In a word: security. According to the Ponemon Institute, 79% of respondents in the 2017 Study on Mobile IoT Application Security say that the use of mobile apps significantly increases security risk. Securing mobile apps is never easy, and app security often takes a back seat to ensuring that mobile apps are ergonomic for their end users. While app developers are generally experts in building engaging, user-friendly apps, they are not always experts in the nuances of security, such as knowledge of the latest revisions of a secure network transmission protocol or of certificate validity.
Mobile App Security Is Different
Securing applications is different from securing networks. Traditional computing security focuses on preventing malware, phishing, and advanced persistent threats. Security measures for networks and other systems are well defined. But mobile app developers have a lot more to consider. Besides the app code itself, they must take into account authentication schemes, encryption, network connections, data transmission, access to back-end storage, APIs, and devices that are increasingly powerful and outside the control of the corporations whose apps run on them.
Application security—mobile or otherwise—is more challenging than device security, because software has many more exploitable “holes.” The Open Web Application Security Project (OWASP), an open community focused on improving the security of software, creates an annual list of the 10 most critical web application security risks. These include injection, cross-site scripting (XSS), broken authentication and session management, insecure direct object references, cross-site request forgery (CSRF), security misconfiguration, failure to restrict URL access, insecure cryptographic storage, insufficient transport layer protection, and unvalidated redirects and forwards.
Many of the most popular apps contain one or more of these high-risk security flaws. In 2016, the mobile app-testing organization NowSecure analyzed more than 400,000 apps on the Google Play store and found that 10.8% of all apps leak sensitive data over the network—such as a user’s name and credentials, GPS data, and the device’s media access control (MAC) address. Nearly 25% of all mobile applications have at least one high-risk security flaw. And business apps were found to be three times more likely to leak usernames and passwords than the average app.
Encryption is Essential
One of the primary reasons for data leaks, unsafe data storage, unsecured data transmission, and hardcoded passwords and keys is the failure to implement encryption correctly. Encryption is more difficult in the mobile environment, where apps generally depend on a connection to a server in order to function. But when enterprise mobile apps connect to, process, or store sensitive corporate data, local app-level encryption on the device is essential.
Many developers try to “roll their own” encryption, but encryption is so complex that there are countless opportunities for failure. A report on mobile trading app security found that more than 60% of Android and iOS mobile apps failed to validate SSL certificates, left sensitive data in the logging console, failed to store data securely, or contained hardcoded secrets. Even worse, more than 95% of these apps did not detect whether they were running on jailbroken or rooted devices or didn’t support privacy mode.
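Two of the failures named above, skipped certificate validation and sensitive data left in the logging console, are easy to see in code. The following Python example is added here for illustration; it is not Blue Cedar code and not from the report cited above. It uses only the standard library: `insecure_context()` shows the shortcut that turns certificate checking off, `hardened_context()` the settings a transport should actually use, `audit_context()` a check an app's own test suite can run over its TLS setup, and `redact_for_log()` a scrubber that keeps credentials and MAC addresses (one of the identifiers NowSecure found leaking) out of logs. The log lines at the bottom are constructed samples, and the `cafile` path is a hypothetical caller-supplied CA bundle.

```python
import re
import ssl
from typing import List, Optional

# --- Transport security: what "roll your own" usually breaks ---------------


def insecure_context() -> ssl.SSLContext:
    """The shortcut many apps ship with: certificate verification switched off
    so that a self-signed test server "just works". Nothing on the wire is
    checked; this is the failure mode the mobile trading app report describes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A context that validates the server certificate chain, matches the
    certificate to the requested host name, and refuses TLS below 1.2.
    cafile is optional: None uses the platform trust store; a path pins a
    private CA bundle (hypothetical path supplied by the caller)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weak settings found on a context; an empty list means all
    three checks pass. Suitable as a unit test over the app's own TLS code."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


# --- Logging: keep credentials and device identifiers out of the console ----

# Key/value style secrets such as "password=..." or "Authorization: Bearer ...".
_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|token|authorization|api[_-]?key)\b"
    r"(\s*[:=]\s*)((?:bearer\s+)?\S+)"
)
# Hardware (MAC) addresses in the common colon-separated form.
_MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def redact_for_log(line: str) -> str:
    """Scrub a log line before it reaches the console or a crash reporter."""
    line = _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    return _MAC_RE.sub("[REDACTED-MAC]", line)


if __name__ == "__main__":
    # Constructed sample log lines, not captured from any real app.
    samples = [
        "login user=alice password=hunter2 status=ok",
        "GET /api/orders Authorization: Bearer eyJhbGciOi.example",
        "device mac=aa:bb:cc:dd:ee:ff registered",
    ]
    for s in samples:
        print(redact_for_log(s))
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit is deliberately narrow: it inspects the context object rather than making a connection, so it runs in CI without network access and fails the build the moment someone "temporarily" disables verification to get past a test server. The redaction pattern is a floor, not a ceiling; extend it with whatever identifiers the app actually handles.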
When security is so critical to a business, why are app vulnerabilities so prevalent and so overlooked? One reason is cost. Building security in from the beginning and testing throughout the development process is costly. According to an IBM Development Solutions white paper, fixing security bugs in production software can be 30 times more expensive than addressing them during development. Another reason is the fear that security will impede performance or compromise usability. If a mobile app is slow or cumbersome to use, people abandon it. Manually adding security measures after the app is completed can create compatibility issues.
Problems can delay delivery of an app or require expensive rework—both undesirable. Keeping security measures updated can be problematic if the rest of the app doesn’t need a new revision. Finally, the pressure to deliver an app quickly can make it more tempting to avoid the hard work of securing it correctly.
Seamless Mobile App Security Without Tradeoffs
You can actually add comprehensive enterprise-grade security to mobile apps without compromise—or hand-coding. Blue Cedar lifts the burden of mobile app security from the app developer. Its patented, injectable security technology lets you secure already developed apps automatically. Simply upload the app, choose the policies you want, and the app is secured—no coding is required. Developing new apps? Integrate Blue Cedar security functionality using RESTful APIs without having to change software development lifecycle (SDLC) or user acceptance testing (UAT) processes.
In just a few minutes, Blue Cedar injects a full IP stack, IPSec client, secure web stack, and FIPS-compliant encryption into each mobile app. We make it seamless to enforce app-specific authentication, data sharing, and device posture policies, and security follows your apps everywhere they are used, regardless of their platform.
Blue Cedar-secured apps are simple to download from an enterprise or public app store. Security policies are transparent to end users. Whether data is at rest or in motion, it’s protected without affecting the user experience. New capabilities, such as code obfuscation and anti-tampering features, prevent reverse engineering once the app is deployed.
With Blue Cedar, there’s no need to “roll your own” security. You can have the best-in-class mobile app security you need without having to become a security expert.