NIST has published draft guidelines (Technical Considerations for Vetting 3rd Party Mobile Applications (Special Publication 800-163)) to help organizations vet third party mobile apps before allowing them for use in their environment. The document contains a wealth of information and advice on how organizations can approach the tricky problem of deciding whether certain mobile apps should be allowed or not. This report comes at a time when many organizations are struggling to get to grips with the mobile device related security problems posed by the growth of BYOD and the challenge of increasing use of employer provisioned mobile devices. As the boundaries between business and personal use become blurred, a Pandora’s box of security issues opens up that needs to be dealt with, and one of those challenges is managing the apps on the devices. We are all human after all, and don’t want to run only business related apps when there are so many other useful and fun apps available to download and use.
The use of mobile apps is one of the joys of using a modern mobile device. It is such a competitive issue that vendors like Apple and Google (Android) slug it out in their marketing over the number of apps available in their app stores. In more recent times, the focus has shifted away from just the number of apps to other parameters such as the quality of apps and user engagement, which probably has a greater impact on the end user experience than just the sheer number of apps available. While the use of mobile apps is an attractive proposition for end users and often a necessity for organizations, their use does need to come with a serious health warning.
We have seen time and time again that a significant proportion of mobile apps on the market do not follow best practices when it comes to information security. For example, in recent research by Security Response looking at the security of popular health and fitness apps, we found that many mobile apps do not securely handle user credentials and actually compromise user or device security and privacy in various ways. We’ve also seen many mobile apps that can unintentionally leak other personal data because of how they implement their functionality. Mobile apps also have their fair share of exploitable vulnerabilities which could allow attackers to steal information and perform other malicious activities. Other risks to security may include unwanted activities such as accessing premium rate services, click fraud, virtual currency mining, and other undocumented features like back doors.
Security problems found in many apps could afford an attacker many avenues of attack. Many corporate provisioned mobile devices have access to systems and information that are private to the organization. An insecure app (whether developed in-house or by third parties) could be exploited by attackers to gain access to private information or resources provided by the organization. Because of these risks, if users introduce unverified apps into a secure environment, they could be jeopardizing not only the security of the device itself, but also that of the organization. Therefore, assessment and control of third party app usage is crucial for organizations to focus on as the world goes increasingly mobile.
For any organization involved with BYOD programs or provisioning mobile devices for its employees, the information contained in this draft of the NIST report offers some sensible pointers on how to go about checking mobile apps before use, and it is well worth a look.
How Symantec can help
Symantec can also help organizations face the challenges of mobility. The Symantec Mobile Management Suite can help organizations deploy, secure and manage large numbers of mobile devices like smartphones and tablets, providing organizations a secure and flexible way to bring the power of mobility to employees. With the Symantec Mobile Management Suite, organizations can perform mobile device management (MDM) activities such as managing mobile apps, single sign-on, securing data and email, protecting against mobile malware, and much more through a single integrated solution.
In addition, the Symantec Sealed program is a pioneering new service that allows mobile app developers to easily integrate and leverage enterprise grade security into their apps without having to implement security themselves. App developers simply build their app as usual and then use our tools to wrap their app to enable a range of security features without any additional coding. With Symantec Sealed, app developers can focus on what they do best: building the core functionality of their apps and then letting Symantec wrap security around it afterwards.
For more information, please visit our microsite dedicated to Symantec’s enterprise mobility.