This post is from the Apperian blog and has not been updated since the original publish date.
7 Best Practices for Mobile Application Security
Users are downloading mobile apps from numerous app stores – some of which may not be legitimate. These rogue apps might carry malware or otherwise negatively affect business data. Additionally, even applications developed in-house can pose security risks if they’re not coded correctly, according to an article in TechTarget. Here are 7 best practices enterprises can implement for mobile application security:
- Implement security measures at the application layer. It’s up to the device manufacturers to develop more robust security settings. Doing so lets users adjust the security settings to their own needs and preferences, notes security analyst Russ McRee. Users and/or enterprise managers must then ensure that these features are actually used.
- Don’t limit tools to anti-malware. Behavioral analysis tools can also be used, McRee says. These tools, which are typically free or inexpensive, “will scan your iPhone or iPad for installed apps and filter them in an ordered list based on various kinds of behavior such as location tracking, reading the address book, and battery drain,” he says. One such app from iTunes, called Clueful from Bitdefender, will tell you if your data is being encrypted and if apps anonymize you as a user. McRee says there are also free or low-cost tools for Android.
- Only download apps from trusted enterprise app stores. However, McRee says that’s not even 100% foolproof. Enterprises should assume that the unknown third-party mobile apps users download should not be trusted. Enterprises should restrict the use of synchronization services, and distribute organization-specific apps from a dedicated mobile application store, he says.
- Ensure the app does not save passwords. Apps that run on mobile devices should require users to enter their passwords every time they log on, says Brian Shura, president of App Security Consulting, in another TechTarget article. The app should be designed in such a way that it cannot store passwords, he says. “With desktop apps, allowing users to save passwords to speed up future log-ins is reasonable. In mobile apps, it’s not,” he adds.
- Encrypt data in transit. This is a simple step but one that is often overlooked, Frank Kim, founder of mobile application security consultancy ThinkSec, tells TechTarget. “In the rush to deliver mobile apps, developers are making a lot of the same mistakes they made with early Web apps,” he says.
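As an added illustration of the “encrypt data in transit” point (example configuration, not from the original post or from Apperian): on Android, a network security configuration file referenced from the manifest via `android:networkSecurityConfig` decides whether the app may talk plain HTTP at all. The first fragment is the permissive setting; the second refuses cleartext everywhere and pins the API host’s certificate. The host name `api.example.com` and the pin values are placeholders.

```xml
<!-- Added example, not from the original post. Each fragment is a separate
     res/xml/network_security_config.xml, wired in from AndroidManifest.xml with
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->

<!-- WEAK: cleartext HTTP is allowed for every destination, so credentials and
     business data can cross the network unencrypted; trusting user-installed CAs
     in a release build also lets any added root certificate intercept TLS. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- HARDENED: no cleartext unless a domain-config overrides it, only the system
     trust store in release builds, and the API host pinned to known keys. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <!-- placeholder host; replace with the app's real backend -->
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- SHA-256 of the SubjectPublicKeyInfo, base64. Placeholder values below;
             compute them from your own certificate chain and keep a backup pin. -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <!-- Honoured only when the build is android:debuggable="true": lets testers
         inspect traffic with their own CA, as the "listen to the traffic" step
         below recommends, without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Pinning trades availability for interception resistance: an expired pin-set or a rotated key without a backup pin makes the app unable to reach its backend, so the expiration date and backup pin are part of the design, not optional extras.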
- “Listen” to the traffic that flows between the mobile app and the Web server. Tools that let you view Web traffic are also good for mobile app security, Shura says. “Manually analyze the traffic and look for method calls that could be manipulated,” he says.
- Contain critical corporate data. You can use container techniques to help ensure mobile app security by downloading sensitive corporate data into a separate container in the mobile app, according to Kim. “That way, the app treats corporate data as more sensitive than other data, such as pictures of your kids,” he says.