The recent “watering hole” attack against iOS devices, uncovered by Google’s Project Zero team in February of this year, will likely remain in the collective conscience of mobile device users for some time.
“The rare and intricate chains of code took advantage of a total of 14 security flaws, targeting everything from the browser's ‘sandbox’ isolation mechanism to the core of the operating system known as the kernel, ultimately gaining complete control over the phone,” said WIRED.
“Based on the information Project Zero has shared, the operation is almost certainly the biggest known iPhone hacking incident of all time,” added WIRED.
Because this breach occurred at the operating system level, app-level data could have been breached. Here’s why: enterprises that pass data through their own applications on a compromised device could also have their data breached, if proper security measures at the app level are not taken.
Unmanaged personal devices accessing corporate data pose the biggest risk of breach in an attack such as this. That’s because no additional security measures at the device or OS level – such as an MDM profile – have been put in place by the enterprise. In-app security is necessary for corporations to protect their data pushed to mobile apps. Without it, even breaches smaller than the breach in question could exploit sensitive corporate data.
The question every enterprise should be asking is: “When breaches like this occur beyond our circle of influence, how exposed are our applications and our data, and how can we close the gap?”
The Challenges of Immunizing Apps
When hacks such as the above occur, if your app does not have its own security, separate from the device and OS, any device hacks can also compromise corporate in-app data. That’s why Blue Cedar stresses the importance of “immunizing” apps – that is, integrating security controls into those apps. But integrating that security is not always easy, and while time to secure can be excessive when done manually, it’s usually exacerbated by two factors:
- Securing an app is not a one-time process. Every time the app, OS or 3rd-party libraries used by the app are updated, the app must be secured again. This can be a massive burden for enterprises with large app catalogues.
- Securing by hand is tedious and must be exact. Even one missed API callout could be the hole a cybercriminal needs to breach a company’s database.
The Constant Nature of Updates
Beyond the initial securing process, apps must be re-secured with every update. And as technology continues to move faster and faster, so do update cycles. Integrating security can place a huge drain on developer resources. Because of the huge cost and time commitment to update apps, many internal-facing apps are left dated and clunky, with enterprises opting only update apps when necessary, sacrificing innovation. However, allowing security integrations to lapse when updates occur can leave corporate data vulnerable to breaches.
The Human Element
People who are skilled at developing apps are not necessarily skilled at integrating security controls into those apps. Manually integrating security can introduce human error, even for the most experienced of security developers. If even one API callout is not properly secured, the app can be vulnerable to cybercriminals who are looking to exploit such oversights. Beyond the risk of human error, skilled developers often greatly prefer innovating and developing apps, over tediously securing them.
The Solution to Overloaded Developers and Tedious Manual Integration
When updates occur but developers are busy, who’s available to handle the relentless rush of security integration projects – knowing that securing a single app can take up to five weeks? The short answer to this labor challenge: automation. Mobile app development teams looking to shorten development cycles and secure apps quickly must automate the tedious process to boost efficiency and reduce human error. The Blue Cedar platform immunizes applications by quickly integrating in-app security that protects personal data without requiring manual coding. For every update across every app, operating system and SDK, Blue Cedar can reintegrate security with one click, saving developer time and IT budget.