By Tanu Sood on Jan 17, 2013
This blog is the third in a series of blogs regarding Mobile Security, focusing on application security and the role Identity and Access Management (IAM) can play in helping to secure mobile applications.
Mobile applications run on or are accessed from a given mobile device. Application security encompasses those measures taken to prevent a security policy exception at the application level or to expose a vulnerability of the underlying platform. Mobile applications are rapidly evolving from being narrow and task oriented, to providing complex capabilities applicable to most business functions. Applications accessed through mobile devices range from enterprise-hosted applications that are accessed through web browsers, to highly customized applications that operate natively within a mobile device and are compiled for a specific mobile platform.
Mobile application security should be considered within the context of a heterogeneous IT environment. Users expect a consistent experience, whether they are accessing an application from a mobile device at the airport, or from their laptop in the office. In particular, enterprise information systems should recognize users in the same way and support access, permissions, and password security across many devices and locations. Provisioning to mobile devices and every other type of system access should also be simple, cost effective, and secure. Effective security measures may provide adequate protection from vulnerabilities, while not impairing adoption or usability.
Understand Unique Threats: Mobile platforms have unique security challenges. These challenges can lead to data leakage or other vulnerabilities that may not have been considered when developing/provisioning applications solely for workstation or browser access, for example:
- Information can be exchanged in many different ways on mobile devices (Bluetooth, Wi-Fi, Desktop Sync, 4G wireless, etc.)
- Data can be shared among applications running on a given platform
- Mobile devices are easily lost, stolen or even shared; physical security cannot be assumed
- Applications may be accessed from vulnerable locations (e.g., airports, restaurants, etc.)
- Mobile Devices may be easily taken “off network,” limiting the usefulness of typical security remedies such as remote data wipe or lock
- Differences in device management strategies (e.g., bring our own device vs. enterprise-provided devices)
Mobile application security strategies should account for multiple platforms, as each platform comes with its own set of vulnerabilities. Platforms are rapidly evolving, and thus enterprise mobile security strategies must be proactive in identifying and mitigating new threats as they emerge.
Implement Broad Application Security from the Start: An enterprise should define and communicate the enterprise policies and processes for managing mobile applications up front, and revisit them frequently. Policies can include areas such as device usage, data handling, user provisioning, network access, encryption, application downloading, purchasing and development. Once these policies and procedures are defined, the enterprise should identify and implement technologies that can enforce them.
In-house mobile application development capabilities are evolving, and secure Systems Development Life Cycle (SDLC) methodologies for mobility are not widely deployed. The application development/procurement process should consider how applications will be developed and maintained for each target platform. It is important that the technical team is adequately trained and remains current in mobile security leading practices. Whether buying or developing a mobile application, consider whether that the application uses a platform’s native Application Programming Interfaces (API) for privacy and security functions. Processes such as architecture reviews and secure code reviews should be leveraged and consistently applied as part of the mobile application SDLC. A secure update process should be implemented so that critical security patches are deployed in a timely manner. Mobile development and testing tools are rapidly evolving and can be obtained from multiple sources, ranging from commercially available tools to freeware. Any selected tool should be validated for intended use, as part of establishing a mobile application security framework.
Focus on Data Security: A mobile application is a gateway to enterprise data. Furthermore, the very design of a mobile device indicates the intent to access that enterprise data from outside the boundaries of the enterprise security protections. Any data that is accessed on the mobile device should be encrypted. Storage of any enterprise critical intellectual property and privacy information on the device should be limited. Any local data that will be written back to the enterprise host should be replicated as soon as possible, and data should be purged by an application when it is no longer needed. However, for applications with off-line use cases, consider what data needs to remain on the device to support off-line use. Business data should be isolated from personal data on a given device.
Any type of forms-based authentication should include in-line forms validation and utilize Secure Sockets Layer (SSL) to avoid transporting user credentials over the Internet in clear text. Applications developed for mobile devices should consider utilizing the unique capabilities of these devices (voice recognition, facial recognition, other biometrics, etc.) to reduce the need for users to enter cumbersome, multi-character type, strong passwords and/or to support multifactor authentication requirements. Authentication and authorization methods for mobile applications need to account for use cases where both on-line and off-line access will be supported.
Validating data input is another key component of application security on a mobile device. Validated input may help ensure that a remote procedure call does not crash or allow remote access if malformed data is passed. Threats such as buffer overflow, Structured Query Language (SQL) injection, denial-of-service (DoS), memory leaks and others may result from not validating fields requiring user input.
Implement Mobile Access Logging and Monitoring: Security event logs should include parameters such as Session ID, User identity, event description, success/failure, severity level, hostname/IP, location of event and timestamp. Periodic reviews of security audit trails and log files, and active monitoring for invalid mobile application access is an important key to maintaining a secure mobile environment. Care should be taken to balance the requirements for security logging and monitoring with potential user privacy concerns.
Ultimately, mobile applications play the role of client to an enterprise’s back end (or cloud-based) services. Security measures for mobile applications should protect the backend application and underlying infrastructure, which are the real targets of most attacks.
Role of Identity and Access Management (IAM): Mobile device application security use cases can impact every discipline within an enterprise IT organization, including IAM. The IAM system can provide the means to create new mobile users, set those user’s attributes and entitlements, and de-provision those users, just as with any other enterprise service.
Application level security should not rely solely on the user-to-device authentication, but should include additional controls at the application level. The security native to a mobile device is not likely sufficient to prevent security breaches and it rarely adequately enforced. How an application renders authentication and authorization decisions will vary based on the application’s architecture. However, applications should consider authenticating users against existing enterprise directories (e.g., Active Directory). In addition, there is an opportunity for IAM systems to begin taking advantage of unique attributes of mobile devices to leverage contextual information, such as a user’s geo-location, to augment existing authentication and authorization capabilities.
Until recently, IAM leading practices, such as authentication, authorization, user provisioning and federation, were designed for non-mobile applications and then adapted for mobile use cases. IAM suppliers are beginning to deploy mobile aware capabilities in their product suites. For example, at least one IAM vendor is incorporating standards such as Open Standard for Authentication (OAuth) and OpenID and Representational State Transfer (REST or RESTful) interfaces to enable custom application development, device registration, context-sensitive authorization, and certificate and credential management, backed by device usage reports and analysis.
Conclusion: A mobile application security strategy is fundamentally based on solid IT practices that account for the security exposures unique to mobile devices and the heterogeneous nature of a mobile-infused enterprise IT environment. IAM systems have the opportunity to play a key role in supporting a secure mobile application environment. A proactive and flexible IT organization will be well-positioned to manage the mobility challenges of today’s workforce.
We welcome your thought and feedback on this blog. What challenges is your organization seeing managing application security on mobile devices? What leading practices has your organization adopted to help meet these challenges? How is IAM helping you to manage your mobile security?
Andrew Morrison is a Principal in Deloitte & Touche LLP’s Security & Privacy practice and co-leads Deloitte’s security alliance with Oracle. Andrew has over 15 years of information technology experience and has spent the last 10 years with a specific focus on the security and privacy issues associated with Identity and Access Management. Andrew works with senior executives to define overall corporate strategies for Security and Privacy and has led the deployment of commercial Identity and Access Management solutions for some of Deloitte’s largest clients.
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited