If you’re a business in the enterprise space and have not had to deal with mobile applications much, you are likely not alarmed much by the headline. “Sure application security is important,” you’re saying to yourself, “but only for those businesses that produce mobile apps.” You’re right in saying that the businesses who are into developing apps have a huge onus to get mobile application security right. However, that’s not the complete picture. You may not realize it, but mobile apps are more pervasive than any other medium in a modern business, and it’s high time you paid attention to these.
Bring your own (hacked) device
In the race to mobility and curtailing business costs, businesses are rapidly warming up to the idea of employees bringing their own devices to work. That way, they are only “one screen flip” away from critical work at any given time. But the other side of the coin is quite worrisome: what can you say about the trustworthiness of these devices?
Note that we’re not even talking about malicious intent here. Even the employees themselves wouldn’t know in how many ways their devices are compromised. Consider the case of Android, which boasts the largest ecosystem of apps globally. A very recent news story by Wired revealed that over 900 million Android devices can be fooled into giving root access to malicious apps. What’s really bad is that this vulnerability is not limited to any specific Android version or firmware.
And if you thought that iOS is the answer to security problems, think again. As this New York Times story reveals, iOS also contains its share of unknown vulnerabilities, which keep coming to light periodically.
Now consider that your employees are walking in and out of the office with several of these devices, with mission-critical and highly sensitive business data residing on them. Suddenly the very thought is petrifying, no?
The grass isn’t greener on other networks
It’s not just your office premises where security compromises are made every day. With their personal devices, employees go home and plug into other devices and networks. This can be a friend’s network, or worse, an open WiFi network as they wait in a café or the airport lounge. There’s no telling how securely configured those networks are (and chances are they aren’t) or what kind of compromises are already present on them. Suddenly, you need to worry about not just your office, but everything else out there!
Finally, consider that your own device is at risk here. Yes, the one that’s central to your business management, and contains important data, identity information, access tokens, financial data, and so on. By not taking application security seriously, you are putting more on the line than you should.
Threat Intelligence: The ‘not so shiny’ new solution
Threat intelligence is the new talk of the town. It is basically a solution that experts believe can warn businesses of possible plotted attacks by adopting a proactive stance, with constant monitoring of activities both on the network and externally.
Businesses have been doing this type of monitoring for some time already, so why are attacks still widely prevalent?
Maybe newer, more advanced tools now in production will turn out to be the solution, or maybe threat intelligence is only part of the solution. With every new attack that is recorded, it is evident that nothing really beats human intelligence.
Fight Fire with Fire!
If threat intelligence was only part of the solution and humans were still able to find their way around it, then why not create a solution that combines both to really ensure maximum security? This brings us to what experts call threat hunting. Businesses using threat hunting as part of their security strategy have experienced a considerable decrease in successful breaches.
According to a recent SANS report, threat hunting is a continuous process that seeks to aggressively track what are called “indicators of compromise” (IoCs) through automated threat detection systems, with the results also critically analyzed by security researchers themselves.
It’s that human element which is able to turn water into wine by spotting anomalies, inconsistencies, and patterns in emerging data. This information can then be analyzed in detail by an ethical hacker and used to interpret and forecast events of a threatening nature, something that is simply impossible with an automated system alone.
I hope we finally have your attention towards mobile application security!
“Hmmm. So how do I go about plugging the holes?” you now ask. It’s a good question, but unfortunately, it doesn’t admit a straightforward answer. Mobile application security is a big undertaking in itself, and we urge you to explore this blog to get to know what you can do at an initial level. You can, however, start with this: Mobile Application Security – 5 Critical Do’s and Don’ts
As they say, awareness is the first step to change. Welcome to the land of mobile application security, and may your apps be always rock-solid!