A Recipe to Reduce Mobile App Security Risk


As businesses roll out their BYOD strategies, most CIOs and CEOs have no idea that many of the mobile apps allowed to touch corporate systems and data engage in risky behaviours that could compromise data security and policy. This danger was underscored when a free app, Flashlight, secretly recorded personal user information such as the phone's location and details of the owner, and sent it on to advertisers.

In fact, an alarming percentage of mobile apps being used within the enterprise are able to access sensitive device functions, or otherwise exhibit behaviour that may pose security risks to the organisation and violate Bring Your Own Device (BYOD) policies.  Without understanding what these apps do and how, organisations are at risk.

The Application Readiness Process
In the enterprise, ensuring employees have access to authorised and approved apps is a big challenge.  Public app stores make getting apps easy and tend to be the first place employees turn when they need apps to increase their productivity, but as Gartner warns, “Apps downloaded from public app stores for mobile devices disrupt IT security, application and procurement strategies”.

To protect data and meet employee expectations of easy access to apps, enterprises need to provide well-curated app stores with apps that have been tested for application compatibility and conformity to corporate policies.  The speed at which new apps and updates can be tested and made available will be a deciding factor in encouraging employees to turn to your enterprise app store first.

Many organisations already have Application Readiness best practices and automation to manage their existing Windows desktop applications. That Application Readiness process consists of the following steps:

  • Identify applications: To avoid app compatibility issues and streamline the process, IT departments must first identify all of the applications that are deployed across the organisation to get an accurate picture of the effort that will be involved in supporting the applications that run the business.
  • Rationalise – validate and eliminate redundancy: IT departments must verify the need to continue to support certain applications and rationalise all of the products and versions deployed. In addition, consolidating targets to a reduced number of products and versions not only saves time and cost around the migration, but also enables the company to reduce wasted IT spend on unused applications.
  • Determine compatibility for the target environments and packaging formats: IT departments can reduce some of the effort of supporting applications by first determining whether or not those apps are compatible with the existing environment. This includes testing applications against the operating system, the browser, and the hardware. It also involves testing against other applications that will be running with them in the new environment, and testing for compatibility with the operating environment.
  • Plan resources required: Enterprises must consider hardware requirements, software requirements, and potential conflicts between the operating system and application to accurately calculate costs and duration timeframes.
  • Package and test for target environments: Enterprises need to deploy applications to multiple environments, such as on-premise, virtual/cloud-based environments and mobile. Ideally, a package-once, deploy-anywhere philosophy presents the best approach.
  • Publish application for deployment: Once IT departments have identified all of the apps deployed in the organisation, determined and verified which products and versions of the app can and should be migrated, and tested the apps in multiple environments, they can then hand off the packaged applications to the deployment system for delivery to end users. Some organisations create enterprise app stores to give users iTunes-like access to their business applications. If the app store is also tied on the back end to software licence optimisation processes, IT ensures that users enjoy the benefits of self-service while still maintaining continual software compliance, financial accountability and control.

Standardising and automating the Application Readiness process for physical, virtual, and mobile apps enables more agile releases and consistent quality. Automating the entire process, from request to installation of apps on the employee's device, ensures a better user experience and removes the possibility of manual errors and delays from the process. Keeping software current not only reduces risk from threats, it also keeps employees happy and helps reduce their dependence on “Shadow IT.”

Applying Application Readiness Principles to Mobile Apps
Seemingly harmless, everyday apps that abound on every employee’s mobile device could pose security risks for the organisation. This is because mobile operating systems include APIs that apps can use to access potentially confidential, proprietary or sensitive data, like contact lists, photos, and calendars. In addition, apps could access corporate social media accounts accessible on the device as well as built-in hardware features like GPS, camera, audio recorder, etc.  In fact, many apps have undocumented features that could be used for malicious or harmful purposes.

The risk to organisations is high, because most IT teams don’t have the same insight into and control over mobile app behaviours as they do with traditional enterprise software. Therefore, it’s essential that they adopt the same Application Readiness best practices and processes to prepare mobile apps for delivery as they do with desktop and other applications.

Through Application Readiness automation, IT can gain essential insights into mobile app behaviour. For instance, application reputation scanning examines an app's properties and configuration, determines which mobile device features the app uses, and issues a report that can be used to establish policies defining which behaviours are risky. These policies can then be used by the Application Readiness solution to automatically identify risky apps, allowing IT to manage them appropriately.
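The paragraph above describes the mechanism in the abstract: inspect what device functions an app declares it will use, compare that against a policy that says which functions (and which combinations of functions) are risky, and emit a report IT can act on. The following is an added example, not code from the original article or from any vendor's product, showing one way such a scan could work for Android apps. It reads the `<uses-permission>` and `<uses-feature>` declarations from an app's manifest (the real Android element and attribute names), maps them to device capabilities under a corporate policy, and flags apps that can both collect personal data and reach the network. The policy risk ratings, the package names and both sample manifests are constructed for this example and are not real apps or any standard's ratings.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Real Android manifest namespace; attribute names are qualified with it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Hypothetical corporate policy (this example's assumption, not a standard):
# maps a declared permission or hardware feature to the device capability it
# grants and a risk level. The Android identifiers themselves are real.
POLICY = {
    "android.permission.ACCESS_FINE_LOCATION": ("location", "high"),
    "android.permission.READ_CONTACTS": ("contacts", "high"),
    "android.permission.RECORD_AUDIO": ("microphone", "high"),
    "android.permission.CAMERA": ("camera", "medium"),
    "android.permission.READ_CALENDAR": ("calendar", "medium"),
    "android.permission.INTERNET": ("network", "low"),
    "android.hardware.camera": ("camera", "medium"),
    "android.hardware.camera.flash": ("flash", "low"),
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Capability combinations that matter more together than alone: an app that
# can both read personal data and use the network can send that data off the
# device, which is exactly the Flashlight-style behaviour the article describes.
EXFIL_COMBOS = [
    ({"location", "network"}, "location may leave the device"),
    ({"contacts", "network"}, "contacts may leave the device"),
    ({"microphone", "network"}, "audio may leave the device"),
]


@dataclass
class AppReport:
    package: str
    capabilities: dict = field(default_factory=dict)  # capability -> risk level
    unknown: list = field(default_factory=list)       # declarations not covered by POLICY
    findings: list = field(default_factory=list)      # reasons for a block verdict
    verdict: str = "allow"                            # allow | review | block


def scan_manifest(xml_text: str) -> AppReport:
    """Build a report from an AndroidManifest.xml and apply the policy."""
    root = ET.fromstring(xml_text)
    report = AppReport(package=root.get("package", "unknown"))

    # The manifest is the app's own statement of which device functions it
    # intends to use; collect the highest risk seen for each capability.
    for tag in ("uses-permission", "uses-feature"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name in POLICY:
                capability, risk = POLICY[name]
                current = report.capabilities.get(capability)
                if current is None or RISK_ORDER[risk] > RISK_ORDER[current]:
                    report.capabilities[capability] = risk
            elif name:
                report.unknown.append(name)

    granted = set(report.capabilities)
    for combo, reason in EXFIL_COMBOS:
        if combo <= granted:
            report.findings.append(reason)

    if report.findings:
        report.verdict = "block"
    elif report.unknown or any(r != "low" for r in report.capabilities.values()):
        report.verdict = "review"   # a human decides; nothing automatic here
    else:
        report.verdict = "allow"
    return report


# Constructed sample manifests (not real apps): a flashlight utility that also
# wants location and network access, and a notes app that reads the calendar.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.camera.flash"/>
</manifest>"""

NOTES_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (FLASHLIGHT_MANIFEST, NOTES_MANIFEST):
        r = scan_manifest(manifest)
        print(f"{r.package}: {r.verdict}")
        print("  capabilities:", r.capabilities)
        for f in r.findings:
            print("  finding:", f)
```

Feeding the output of a scan like this into the enterprise app store's approval step is what turns a one-off report into the automated policy check the article describes: low-risk apps pass, anything declaring a sensitive capability goes to a reviewer, and an app that pairs personal-data access with network access is held back until the behaviour is explained or removed.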

Identifying and effectively managing risky mobile apps not only minimises risk but also enhances the user experience. Employees can use authorised apps with confidence, knowing they’ve been thoroughly vetted. Security officers will have greater confidence that danger has been averted, either by avoiding apps that exhibit risky behaviours or by eliminating those risky behaviours before the apps are allowed access to the corporate network.

Existing Teams Understand Process of Reducing Risk
Many organisations add new teams to deal with mobile apps and app security. However, existing teams should have all the experience necessary. IT organisations that already leverage Application Readiness best practices, processes and technology to safely and reliably deploy enterprise desktop apps can extend these same processes for mobile apps. Adding mobile apps simply involves extending the familiar process to additional formats, operating systems, and deployment solutions such as mobile device management systems.

Even the most innocent mobile apps can pose tremendous risk to organisations unaware of how their design and function can access sensitive data and, potentially, disseminate that data in violation of BYOD policies. By taking a comprehensive approach to managing the entire enterprise application lifecycle, including mobile apps, organisations can leverage existing staff, expertise and technology to test mobile apps, understand their threat potential, and take appropriate measures.