With the trend of BYOD taking root in the corporate environment, cyber criminals are seeing mobile apps as a way of gaining access to critical information. The CIO community is generally supportive of BYOD, but they advise a cautious approach in view of the security risks that are inherent in the mobile apps ecosystem
Over 75 percent of mobile applications will fail basic security tests by 2015, reveals a new study done by Gartner. Even if the app is from a reputable company, and it has been downloaded from the original app store, or directly from the employer, a lot can go wrong.
The Gartner study proves that the mobile infrastructure is complicated, connected and convenient target for cyber criminals. For most enterprises it may not be possible to place a blanket ban on the usage of mobile apps by their employees, as the apps can bring efficiency and cut costs.
When they design the overall cyber security framework for their enterprise, the CIOs have to keep in mind the issue of the potential security problems that the mobile apps can lead to.
Customised apps for the enterprise
Most apps are designed for consumers, but apps like Skype, Yammer, Triplt, WorkFlowy, Evernote and DropBox are popular with both the end users and the enterprises. Then there are the apps that allow certain level of customisation to suit the enterprise environment.
Srinivas Anappindi, Senior Vice President & Chief Information Officer – CSS Corp, says, “Apps like GHRMS (Global Human Resource Management System), GEMS (Global Expense Management System), Safe Travel, Time Sheet Management, are used internally. These apps are important as they are used by our staffs at various stages of their tenure at CSS Corp, and are helpful in processing functions like HR, admin, finance, travels and expense claims, hiring, salary payout, etc., in a faster, paperless and automated way from central location.”
Parag Deodhar, Chief Risk Officer & Vice President Program Management & Process Excellence, Bharti AXA General Insurance, expresses similar opinion.
He says, “We are using an customised app (name withheld) for employees to access emails and few internal applications on their smart devices. We are in the process of creating few more apps for the employees. This will improve their productivity when they are on the move.”
“More importantly such apps, help service our customers and partners faster as it can improve turnaround time of various processes,” adds Deodhar.
Even when the enterprise is using customised apps, the IT managers cannot afford to let down their guard. They have to define clearly which app can access what part of the corporate information. “The broader question is the extent to which corporate applications can be made available outside the corporate firewall,” says Aniruddha Paul, Chief Information Officer – ING Vysya Bank.
Choosing the right app
With so many mobile apps available in the modern app stores, it is a daunting task for the CIOs to choose one that will be best suited for meeting the needs of the enterprise. “If the app is found to be suitable, then the next task is to deploy it in a safe and secure manner through MDM (Mobile Device Management) software,” says Paul.
Deodhar of Bharti AXA agrees with Paul. “It is important for us to have a process in place to erase the confidential data in the app if the device is lost or stolen,” says Deodhar.
In Paul’s view, the MDM software allows the IT department to retain control over the app in the event of loss or theft of mobile device. With MDM it is possible to remotely erase the information stored in the device.
“As a CRO (Chief Risk Officer), I need to ensure that the apps are secure and confidential data is protected at all times. We conduct a thorough risk assessment of apps including a process review and security testing of the app and the back-end infrastructure / application with which the app communicates,” says Deodhar of Bharti AXA General Insurances.
From security aspect, most CIOs and IT managers advise that access to apps and devices should have separate passwords and those devices shouldn’t be jail broken or rooted in nature.
Dealing with the dangers of apps
Over 90% of enterprises use third-party mobile apps, which are commercial in nature, according to Gartner study. But it is from the third-party mobile apps that the organisations face maximum amount of security risks.
In recent years mobile applications are scrutinised through testing processes like SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). Gartner points out that a new type of test, known as Behavioural Analysis, which facilitates the detection of malicious or risk symptoms when another app is running in the background on the device.
Also, depending on operating system (OS) or platforms, most of these third-party apps reach out to end users or consumers by going through applications or app stores like Google Play, Amazon Appstore, Apple’s App Store and others.
Beside the technical aspect, most third-party apps developers fail to reveal their background details such as server and data centre’s locations, country of origin and jurisdiction, ownership and privacy policy of user data and so forth. So there is a high possibility that any of these apps can go-off the internet or those app stores. This is where corporates and businesses face risks of data leakages, malware attacks, spams, hacking, cyber threats and others.
“This is a major risk not just from a data confidentiality and privacy perspective, but also from a regulatory compliance perspective. If third party and consumer apps are used in the enterprise, then the enterprise data is at risk,points out Deodhar of Bharti AXA General Insurance.
Anappindi of CSS agrees to Deodhar’s concern. He says, “We are aware of the risks related to mobile apps and cloud storage, but we have hosted several apps on the cloud and made them accessible through mobile devices with necessary security controls to enhance the enterprise productivity and the work-life balance of our employees.”
Ricky Kapur, Managing Director Google Enterprise Asia, says, “We take security seriously, and Android is built from the ground up to be very secure. We have built world-class malware protection into the Google Play store and scan every application. And if users enable it, we also scan apps that are downloaded from outside the store.”
“Less than 0.5% of Android users have installed an application with malware. We are also starting to use Play Services to deliver security updates for critical software libraries, starting with OpenSSL which is used to secure application communications including Google server communications,”adds Kapur.
In terms of user data security, Kapur emphasises that Google is focused on protecting customersdata from all unauthorised access. Google is offering its customers the facility of security tools like free two-step verification and encrypted connections between browser and servers.
Like Google, Amazon too is strictly committed to protecting the users privacy. Parag Gupta, Country Head – Amazon App Store, says, “From the time when an developer submits application to the app store to the time of its downloads, we monitor the apps from the point of view of appropriateness of content, social and political acceptance and security related issues.
“In case any inappropriate content is noticed in the app, it will be promptly removed from the market,” says Gupta. While the reputed app stores have strict security mechanisms to curb the distribution of suspicious, malicious or rogue apps, it is still possible for an app infected with risk elements to get through.
After all, the cyber criminals only have to register with the mobile ecosystem operator to write and publish a rogue mobile app. However, in most cases the infected apps get downloaded through unauthorised vendors.
Apart from the submission procedures, Amazon thoroughly check apps on the aspects of quality, content and creation and in case of its violation like content inappropriateness either it asks the developer or will directly removes that particular app.
While these app stores have certain practices and security mechanism to curb down any suspicious, malicious or rogue apps, it doesn’t actually wipe out the risk elements linked with apps.
Being a CRO, Deodhar of Bharti AXA General Insurance comments that ideally enterprise must not use consumer apps, but should use proprietary or business apps that has a contract / SLA (service-level agreement) and the provider should be subject to audit.
The server location must be known and comply with the regulations for data storage. Again, it is important to ensure encryption of any data stored in the cloud and also for data in motion. Data destruction process for such data stored with third-party must be agreed in case the company decides to terminate the contract, suggests Deodhar.
While most CIOs and IT heads agree to risks linked with mobile apps, but the fact is that BYOD, work from anywhere or mobile workforce concepts are here to stay and at the same will continue to pose unwarranted threats to enterprise security.
