Vijay Dheap currently leads Mobile Security Solutions for IBM. He started off his career as a researcher in the field of Pervasive Computing, and then evolved his technical expertise as a developer on IBM’s mobile portal product. He transitioned to an analyst role gaining experience formulating IBM’s technical and business strategy for emerging technologies such as Web 2.0, Big Data and Mobile as a member of IBM’s Emerging Technologies Team. He joined IBM’s newly formed Security Division as a Product/Solution Manager. He has significant international experience having led several customer engagements on four continents. Vijay earned his Master’s in Computer Engineering from University of Waterloo, Canada and his International MBA from Duke Fuqua School of Business.
Mobile apps are quickly becoming the dominant interaction pattern for users of smartphones and tablets. A report by comScore highlighted that “82% of time spent with mobile media happens via apps” [1]. Browsing behavior of mobile users is taking place within app stores, and they are leveraging the apps to perform specific tasks or access information. For enterprises this means that mobile apps become not only the primary means to engage consumers but also to connect with partners and empower employees. As enterprises ramp up their mobile app development efforts, a new level of attention needs to be paid to defending these apps.
The security risks enterprises face when deploying mobile apps include data disclosure, malicious data injection, tampered app logic, broken cryptography, among others. An enterprise app can encounter attacks of this sort from malware on the mobile devices or by malicious users who have either stolen or hijacked the mobile device.
Several recent reports have put the spotlight on the continued rapid growth of malware and exploits targeting mobile devices [2], [3]. The implication of this for mobile apps is that developers have to begin with the assumption that the device on which their apps will run might be compromised, particularly on the Android platform. Given the popularity of Android [4], developers cannot simply stop serving this market; they must therefore begin employing techniques that will raise the security posture of their apps.
One of the primary approaches to security has been to detect and catalog different forms of attacks so that countermeasures can be devised. The irony of this approach is that the ability to defend your mobile app is indirectly tied to the success of the attack: only when an attack spreads does it become more easily detectable. Given the effectively unlimited number of potential attacks, this approach does not scale, and it is next to impossible to be anything more than reactive. Emerging trends also point to attacks that are more targeted and significantly harder to detect, further eroding the effectiveness of this approach. As you may have heard, only recently did a piece of malware called Flame come to the attention of security researchers, possibly many years after it was first released. It was sophisticated enough to selectively pick its targets and even erase itself after extracting the information it wanted. In addition, organizations may not even have the visibility to deliver or enforce detection of known attacks, especially on devices used by consumers or partners.
The question becomes – how can organizations be more proactive in delivering safe mobile apps that mitigate the risk to the trust relationships these organizations have forged with their employees, customers and partners? Instead of focusing on the inbound attacks and trying to counter them one at a time, imagine if we could remove the vulnerabilities within the mobile apps themselves that malware and exploits capitalize on. Enumerating potential vulnerabilities for a mobile app requires research, but once armed with this understanding it becomes much easier to identify these vulnerabilities and cost-effectively patch them during the development and test phases. Research into vulnerabilities assesses the platform on which the app will run, the frameworks the app employs and the technologies the app is built with. This ongoing research is encapsulated into vulnerability testing platforms such as IBM’s AppScan.
Stay up to date with the latest news from the Institute for Advanced Security by joining the community, following us on Twitter, and subscribing to the Institute expert blog.