Securing mobile applications from cradle to grave.
Historically, mobile security has focused on securing the device, rather than the infrastructure supporting the device. But security research shows that malware-infected applications can circumvent contemporary mobile device security mechanisms, which are not as robust as their desktop counterparts. Once the device is compromised, malware can propagate via the connected infrastructure and compromise the entire enterprise.
Feature-rich mobile apps provide a multitude of opportunities to store and leak sensitive information. Mobile applications that are not properly vetted also risk disclosing a user’s location information (through GPS or assisted-GPS). In addition, multiple radios (such as cellular, Wi-Fi, Bluetooth, and near field communication) provide information-collection and exfiltration opportunities.
Users expect public app stores to have performed security testing prior to posting the apps. However, the fact is that app stores do very little scanning for malicious content. They are primarily focused on verifying that the applications follow their business and revenue model requirements.
Complicating matters, antivirus products for mobile platforms are far less capable than their desktop brethren. Mobile OS vendors do not provide the low-level application programming interfaces (APIs) needed by third-party security vendors to perform thorough malware scans and real-time detection.
Why should organizations implement a secure mobile application lifecycle? The benefits are numerous, and include:
There are essentially three key steps to securing mobile devices—development; testing; and deployment and maintenance. Organizations seeking higher security for mobile applications need to develop a defined process and guidelines for a secure mobile application development lifecycle. They should also invest in a comprehensive application security training program that keeps developers current on the latest security techniques, and verifies their understanding of the material.
Accenture helps organizations ensure that their mobile apps are safe and secure. We take a vendor-agnostic approach that pulls together best-of-breed solutions for each phase of the lifecycle, across a range of industries.
For example, when eBay Classifieds wanted to build new and improved mobile applications across multiple platforms—including the iPhone and Android—Accenture helped the Internet pioneer cost-effectively develop high quality, functionality-rich mobile applications.
The new eBay Classifieds app literally puts the power of classifieds in users’ hands by enabling them to:
Accenture also helped Generali France, one of the largest insurance groups in the world, develop a secure, visionary iPhone application. Seeking a way to maintain its leadership position in the upscale life insurance marketplace using the burgeoning mobile application trend, Generali worked with Accenture to develop a comprehensive design that marries visionary functionality with practical IT realities.
The first step to mobile app security is to form an enforceable development methodology using accepted industry practices. Organizations should provide convenient tools to developers to catch potential security vulnerabilities during application development. For example, they can use integrated development environment plug-ins that perform source code review and identify system API calls that may be vulnerable.
Whether organizations develop apps in-house or purchase them, they should perform thorough security testing prior to deployment. Application testing can include both static and dynamic analysis. Static analysis includes reviewing binaries for the system API calls where most security vulnerabilities are introduced. It is particularly critical to test the points where the application reads from or writes to the file system, accesses the network, and provides output to, or gathers input from, the graphical user interface.
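As an added illustration of the static review described above (example code written for this page, not Accenture's or any vendor's tooling), the following Python scanner walks a constructed sample of Android (Java) source and flags the categories of system API call the text singles out: file system access, network access, location access, and GUI input, plus logging as a common leak path. The sample source, the rule list, and the `scan_source`/`summarize` names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Android (Java) source lines; illustrative input only,
# not taken from any real application.
SAMPLE_SOURCE = """\
FileOutputStream fos = openFileOutput("session.txt", MODE_WORLD_READABLE);
URL url = new URL("http://api.example.invalid/login");
Location loc = locationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER);
String pin = pinField.getText().toString();
Log.d("Auth", "pin=" + pin);
HttpsURLConnection c = (HttpsURLConnection) new URL("https://api.example.invalid/").openConnection();
"""

# Each rule: review category, a regex matching the API call, and the note a
# reviewer should see. The rule set is a small assumed starting point.
RULES = [
    ("filesystem", r"openFileOutput\(", "file write: check mode and contents"),
    ("filesystem", r"MODE_WORLD_(READABLE|WRITEABLE)", "world-accessible file mode"),
    ("network", r"new URL\(\"http://", "cleartext HTTP endpoint"),
    ("network", r"openConnection\(", "network access: verify TLS policy"),
    ("location", r"getLastKnownLocation\(", "location access: confirm disclosure is intended"),
    ("gui-input", r"\.getText\(\)", "user input read from UI: track where it flows"),
    ("logging", r"Log\.[dviwe]\(", "log statement: check for sensitive data"),
]

def scan_source(source: str):
    """Return a list of (line_no, category, note, line) findings, one per rule hit."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for category, pattern, note in RULES:
            if re.search(pattern, line):
                findings.append((n, category, note, line.strip()))
    return findings

def summarize(findings):
    """Count findings per review category so a reviewer can prioritise."""
    counts = defaultdict(int)
    for _, category, _, _ in findings:
        counts[category] += 1
    return dict(counts)

if __name__ == "__main__":
    for line_no, category, note, line in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no:>2} [{category}] {note}: {line}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

A real review would run such rules against the full source or decompiled binary and hand each hit to a human, since a regex hit is a place to look, not a confirmed vulnerability.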
Once applications are fully vetted, organizations should deploy and maintain them using a private app store. If possible, they should not allow users to install apps from public app stores or side-load apps.
May 24, 2012