A Developer's Perspective on Mobile Security in the Age of BYOD

With the cost savings of BYOD continuing to lure organizations to adopt this approach, the number of companies allowing employee-owned devices is still on the rise, as well. In early 2015, Tech Pro Research announced that 74 percent of organizations either already allow or were planning to allow employees to bring their own devices to work. At the time of this writing, that percentage may be even higher.

Much has been written in the business world about the need for organizations to establish policies and plans for worker-provided devices - and to segregate, manage, and secure corporate assets on them. Among the dangers, as the technology media frequently broadcast, are the applications that are the lifeblood of any mobile developer. It does little good for a developer to expend thousands of hours - and enormous sums of money - developing and testing a gorgeous, brilliantly functional app if security ends up being an issue. 

Business and workforce apps, in particular, are held to a higher standard in terms of security. It only takes one flaw to be exploited and make headlines for a third-party developer’s reputation to be ruined and the firm’s client base decimated. For organizations developing in-house business apps, the challenge can be even more daunting. Many may not have the on-staff talent to stay abreast of emerging cyberthreats and app exploits, let alone address them during the development and testing cycle. 

In this article, I'll explore the current landscape and offer some best practices that developers - both third-party developers and corporate teams - can adopt to foster security and confidence in their mobile apps.

While targeted mobile app malware is generally built by criminals intent on wreaking havoc, legitimate apps are deeply problematic as well. Cybercriminals continually seek out vulnerable software, hoping to exploit its flaws. App development companies play into these criminal’s hands every time their teams inadequately or inappropriately test their software. The situation is so bad that the U.S. Department of Homeland Security (DHS) reports 90 percent of security incidents result from exploits against defects in software design and/or code.

Furthermore, in early 2016, researchers at Sentrant Security announced they had found hundreds of infected apps with fraudulent, invisible ads in the Google Play Store. Many of these were legitimate but vulnerable apps that had been hacked, possibly by inserting the ad fraud code directly into an advertising SDK and then rebuilding the SDK. 

In case you haven’t heard, fraudulent background ads are a huge problem in the mobile world. Fraudulent ad detection service Forensiq performed a study of pre-screened apps at legitimate app stores and found 5,000 of them to be infected with fraudulent ads. These ads ran constantly in the background, not only siphoning off $850 million from advertisers who paid for the “ads” to be displayed on user devices, but also slowing down users’ phones, eating up data allowances (as much as two gigabytes per day), and diminishing the user experience, overall. 

These incidents are not isolated, and I predict they will become much more prevalent. As a result, security-aware organizations will become increasingly cautious, and many may implement policy-based security scans to root out defective software. Any app with even a whiff of vulnerability will be stricken from the “approved” list and the developer will lose a customer. If an app found to be defective was developed in-house, the software teams working on them will certainly suffer consequences, as well. 

Orasi recommends that companies that develop in-house apps take a proactive, holistic approach to app security during the development and testing stages. The same approach, we believe, is vital for third-party app developers that wish to succeed in this perilous environment. Prudence and best practices dictate that app developers adopt a comprehensive approach to security, one that addresses concerns regarding the devices, networks, and servers of companies that need to protect and secure corporate and intellectual assets.

Many of the software team leaders with whom I speak currently have developed and are maintaining only one in-house mobile app. While they may be considering developing additional apps in the future, like any small developer they struggle to reconcile the cost of security testing and other programs with the need to minimize vulnerabilities. 

A number of mobile application software vendors have developed robust testing platforms, but purchasing them is out of reach for all but the largest enterprises. Fortunately, a number of firms now offer what equates to testing as a service (TaaS) - cloud-based testing platforms that enable organizations of all sizes to purchase sophisticated security testing in blocks of time or by subscription, rather than purchasing expensive licenses. 

One such example is HPE Fortify on Demand for Mobile, which sells its services in “assessment units.”  For organizations that are interested in or proponents of crowdtesting, another budget-maximizing strategy is to purchase security services as part of a crowdtest package from firms such as Applause.  

This approach makes it possible for even the smallest developer to perform best-practices security testing for mobile apps and generate validation reports that prove security is important to their process. Larger organizations benefit from this approach, as well, since they pay for only the amount of security testing they need, and per-app costs generally drop as volume increases.

Of course, mobile app security testing is only one element in a successful strategy for developing secure mobile apps. A more comprehensive approach will also address quality assurance (QA), performance validation, business service automation and management, user experience, device compatibility, and other important processes. However, building security into the development process with a formal testing program is a key first step to achieving the trust and approval of the corporate community.

Consider the following checklist to ensure effective testing of mobile applications.

- Test mobile applications dynamically in full and operating configurations.

- Tests should incorporate all three tiers of the mobile stack—client, network and server components.

- For best results, perform both dynamic and static tests of mobile applications.

- Although automated testing offers substantial benefits in terms of efficiency, when testing for security, manual testing should be a supplement for both dynamic and static testing. 

- For mission-critical security testing, organizations should consider using white hat hacking firms to look for advanced vulnerabilities.

- When implementing a proactive security management effort, app developers should evaluate appropriate policies and best practices - and then apply those guidelines across the entire application lifecycle.