(Continued from Page 2)

Step 3: Developing Your Own Apps? Scan the Code for Security Vulnerabilities

Many organizations are now developing and launching their own mobile apps as a new channel for acquiring, communicating with, and doing business with customers. These apps typically provide an authenticated path to privileged back-end resources such as company databases, so a flaw in the app can expose far more than the data held on the phone. The risk is that developers can inadvertently introduce security vulnerabilities when building custom mobile apps, often because they are new to the platform, inexperienced with security issues, or unaware of the possible risks.

Even experienced mobile developers make these mistakes. Just last week it emerged that Facebook's iOS and Android apps were storing users' login credentials unencrypted on the device, leaving them easily harvested by anyone who can read the device's storage, whether that is malware on the phone or whoever picks up a lost one.

The Open Web Application Security Project (OWASP) Mobile Top 10 lists the ten most common mobile application security risks and development mistakes as:

  1. insecure data storage
  2. weak server-side controls
  3. insufficient transport layer protection
  4. client-side injection
  5. poor authorization and authentication
  6. improper session handling
  7. security decisions via untrusted inputs
  8. side channel data leakage
  9. broken cryptography
  10. sensitive information disclosure

Zach Lanier, principal consultant at Intrepidus Group and one of the researchers who contributed to the OWASP list, says that almost every app he reviews has something to be concerned about from a security perspective, and that half have serious security problems.

"We see plenty of Fortune 100 companies with internal developers that make serious mistakes," Lanier says. "The problem is often that you have web developers making mobile apps, and they have a lack of training [on mobile platforms]."

Lanier says that all of the top 10 risks listed above are common. "For example, we often see things like broken crypto in an app. Developers often try to roll their own crypto, or they make a mistake like hard-coding the key into the app so that it can be used offline."
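As an added illustration of the kind of first-pass check Step 3 calls for (example code written for this page, not from the article, OWASP or Intrepidus Group), the Python below runs a handful of pattern rules over constructed Android and iOS snippets and reports hits against four of the Top 10 items above: insecure data storage (1), insufficient transport layer protection (3) and broken cryptography (9), including the hard-coded key Lanier describes. It then shows why that key is a problem: a strings-style search over a constructed stand-in for the built binary recovers it with no reverse engineering at all. The sample source, package names, endpoints and rule patterns are all constructed for the example.

```python
"""Added example: a first-pass scan of mobile app source for OWASP Mobile Top 10
mistakes, plus a check of what a hard-coded key looks like in the built binary.

Written for this page; not code from the article, OWASP or Intrepidus Group.
The sample snippets, package names, endpoints and rule patterns are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str      # rule name, prefixed with the OWASP Mobile Top 10 (2011) item it maps to
    line_no: int   # 1-based line number within the scanned text
    line: str      # the offending source line, whitespace stripped


# Deliberately simple regexes: a triage aid to run before the external review the
# article recommends, not a replacement for it.
RULES = [
    # M1 insecure data storage: credentials written to plaintext prefs / plist storage
    ("M1-plaintext-credential-store",
     re.compile(r"(putString|setObject|NSUserDefaults|SharedPreferences)[^;\n]*"
                r"(password|passwd|token|secret)", re.I)),
    # M3 insufficient transport layer protection: cleartext http:// endpoint literals
    ("M3-cleartext-http", re.compile(r"[\"']http://", re.I)),
    # M9 broken cryptography: key or secret assigned a literal of >= 16 bytes (hex or base64)
    ("M9-hardcoded-key",
     re.compile(r"\b(?:\w*key|\w*secret|iv)\w*\s*=\s*[\"']"
                r"(?:[0-9a-f]{32,}|[A-Za-z0-9+/]{22,}={0,2})[\"']", re.I)),
    # M9 broken cryptography: ECB mode or obsolete primitives
    ("M9-weak-primitive", re.compile(r"AES/ECB|kCCOptionECBMode|\"DES|\"MD5\"", re.I)),
]


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, line_no, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. to fail a build when any M9 rule fires."""
    return dict(Counter(f.rule for f in findings))


# Whatever is compiled into the app ships to every device: a strings-style search
# over the built artefact recovers a hex key without any reverse engineering.
HEX_KEY_RUN = re.compile(rb"[0-9a-fA-F]{32,}")


def find_embedded_keys(blob: bytes) -> List[str]:
    """Return every run of 32+ hex characters found in a binary blob."""
    return [m.group().decode("ascii") for m in HEX_KEY_RUN.finditer(blob)]


# Constructed Android snippet exhibiting four of the mistakes (not a real app).
SAMPLE_ANDROID = """\
package com.example.bank;
public class Session {
    // hard-coded AES key so cached data can be decrypted offline
    private static final String AES_KEY = "0123456789abcdef0123456789abcdef";
    void cache(Context ctx, String password) {
        SharedPreferences p = ctx.getSharedPreferences("session", 0);
        p.edit().putString("password", password).apply();
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        String url = "http://api.example.test/v1/login";
    }
}
"""

# Constructed iOS snippet: a session token saved to NSUserDefaults (a plaintext plist).
SAMPLE_IOS = """\
- (void)saveToken:(NSString *)token {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"auth_token"];
}
"""

# Constructed snippet that should produce no findings: Keychain, AES-GCM, https.
SAMPLE_CLEAN = """\
SecItemAdd((__bridge CFDictionaryRef)query, NULL);
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
String url = "https://api.example.test/v1/login";
"""

# Constructed fragment standing in for a built app binary that contains the key above.
BUILT_BINARY_FRAGMENT = (b"\x7fELF\x02\x01\x00\x00Lcom/example/bank/Session;\x00"
                         b"0123456789abcdef0123456789abcdef\x00AES/ECB/PKCS5Padding\x00")


if __name__ == "__main__":
    for label, src in (("android", SAMPLE_ANDROID), ("ios", SAMPLE_IOS), ("clean", SAMPLE_CLEAN)):
        for f in scan_source(src):
            print(f"{label}:{f.line_no}: {f.rule}: {f.line}")
    print("keys recoverable from built binary:", find_embedded_keys(BUILT_BINARY_FRAGMENT))
```

Run against the constructed Android snippet it reports four findings, one per mistake, and nothing against the clean snippet; the binary check returns the same key the source scan flagged. Rules this crude will miss keys built up from pieces at runtime and will flag the odd harmless `http://` in a comment, which is exactly why the article's advice to bring in an outside reviewer still stands.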

To minimize these risks, companies that develop their own apps should engage a mobile security consultancy that was not involved in the development process – an "external pair of eyeballs," as Lanier puts it – to check for security vulnerabilities.

Mobile app security audits are offered by many security consulting firms, including:

Step 4: Conduct a Company-Wide Mobile Security Audit

No comprehensive mobile security strategy is complete without an audit that examines your mobile infrastructure, devices, and apps to identify current weaknesses and help guide your organization's next steps.

A typical security audit methodology might include:

  • Evaluating your organization's overall mobile infrastructure;
  • Conducting penetration tests on your mobile clients, on the device-management servers that control them, and on the back-end servers your apps connect to;
  • Assessing the security of your mobile devices and apps to determine their susceptibility to data breaches;
  • Evaluating the gap between your current policies and procedures and known best practices.

Mobile security assessment services are offered by many security vendors, including:

Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.