Tips for testing your mobile app security

Wherever an app originates from, it is vital that you can vouch for its security before it is circulated

The enterprise has gone mobile and there's no turning back. And while the BYOD movement has received plenty of attention, IT departments are getting a handle on the security risks of personal mobile devices in the workplace. The next challenge is "bring your own application" (BYOA), because many public app stores have serious malware problems.

Enterprise app stores could be the answer. Gartner is predicting that 25% of enterprises will have their own app store by 2017. This will enable companies to push out apps more efficiently, it will be a major boost for mobile device management, and it could offer a secure, automated process that will work equally well for apps developed in-house and curated applications from third parties. Wherever an app originates from, it is vital that you can vouch for its security before it is circulated.


Broadly speaking, there are three types of mobile apps:

  • Native applications -- Written for a specific platform, native apps will only run on supported devices. This means an iOS app will only run on the iPhone, for example.
  • Web applications -- Any mobile device can access a Web app because it is built using standards like HTML5 and effectively housed online. The mobile app is often little more than a shortcut to the Web app.
  • Hybrid applications -- A Web-based user interface may have a layer of native application around it in order to get the best of both worlds.

Companies are increasingly opting for the hybrid approach so they can cover a wide range of platforms, but also leverage the hardware capabilities of different mobile devices. Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016.

As you may imagine, each type of app requires specific testing. In each case you'll need to consider how to protect data as it travels across mobile networks. There's always a split between what is actually deployed to the mobile device, and the central processing or data storage that's deployed to a server. There's a range of software out there designed to assist your IT department in testing an app's security.

To cover all the bases and ensure effective penetration testing is carried out, your best option is to engage a third-party organization with the right expertise. They will put your app to the test, approaching it as a real attacker would -- with no regard for how the system is intended to be used, just a determination to breach it.

Tips for testing vulnerabilities

There are many potential weak spots in mobile apps. Knowing where they are can get you off to a good start.

  • Data flow -- Can you establish an audit trail for data, what goes where, is data in transit protected, and who has access to it?
  • Data storage -- Where is data stored, and is it encrypted? Cloud solutions can be a weak link for data security.
  • Data leakage -- Is data leaking to log files, or out through notifications?
  • Authentication -- When and where are users challenged to authenticate, how are they authorized, and can you track passwords and IDs in the system?
  • Server-side controls -- Don't focus on the client side and assume that the back end is secure.
  • Points of entry -- Are all potential client-side routes into the application being validated?
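
As an added illustration of the data leakage check in the list above (not from the original article): a small Python scanner that flags credentials, tokens, e-mail addresses and Luhn-valid card numbers in app log output. The patterns and the sample log lines are constructed assumptions, not an exhaustive rule set.

```python
import re

# Illustrative patterns for data that should never reach a device log.
PATTERNS = {
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}=*"),
    "password_field": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(digits):
    """Luhn checksum, used to drop order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_log(lines):
    """Return (line_number, kind) pairs; matched values are never echoed,
    so the report does not become a second copy of the leaked data."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "card_number":
                    digits = re.sub(r"\D", "", m.group())
                    if not luhn_ok(digits):
                        continue    # long number, but not a payment card
                findings.append((lineno, kind))
    return findings

# Constructed sample in the style of Android logcat output.
SAMPLE_LOG = [
    "D/LoginActivity: attempting login user=alice@example.com password=Hunter2!",
    "I/Sync: GET /api/v1/profile Authorization: Bearer abcDEF1234567890ghijKLMN",
    "D/Checkout: card=4111 1111 1111 1111 exp=12/30",
    "I/Sync: order 1234567890123456 queued at 1700000000",
    "I/App: started in 412 ms",
]

if __name__ == "__main__":
    for lineno, kind in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}")
```

Run against logs captured from a debug and a release build; a finding that appears only in the debug build still matters if that build is what testers or third parties receive.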

This is only the tip of the iceberg in terms of comprehensive security testing for mobile apps. Factor in the peculiar demands of compliance in your industry, because it is vital that you meet the right standards for regulations and mandates. The majority of internal IT departments are simply not equipped to carry out the rigorous testing that's required to pass a mobile app as safe.

It's also worth knowing that you can't just test an app and forget about it. If you frequent the developer forums for all of the major mobile platforms, you'll find that new security threats are emerging all the time, and it takes effort to stay abreast of the situation and take the necessary action to keep your apps and systems secure.

Towerwall is a data security services provider in Framingham, Mass., with clients including Bose, Middlesex Savings Bank, Raytheon, Brown University and SMBs. You may reach her at michelled@towerwall.com.
