Mobile applications need to be secured. It's not a question of "if" but "when" attacks will occur.

Today, many organizations are rushing to build mobile applications and mobile websites to gain a competitive advantage within their industry. The rate and speed at which applications are being pushed into the marketplace is phenomenal and is only increasing with the explosion of mobile devices. Traditional businesses have been forced to think outside of the box to leverage mobile devices in innovative and creative ways, partly from pressure by their competitors and their own employees with the growing trend of Bring Your Own Device (BYOD) to work.

Building traditional business applications versus building native mobile applications requires a change in a developer's mindset. Developers need to take into account how best to provide information to their end-users in real-time in order for business decisions to be made on the move from anywhere in world without—compromising security and access to the information.

While most organizations should be considering developing a mobile application, others are rushing to deliver applications quickly, on a limited budget with little internal resources, ultimately overlooking critical security considerations. Users are increasingly demanding secure mobile applications, and, understandably, organizations are hesitant because it usually means more time and money required to build secure mobile applications. However, there needs to be a happy medium to accommodate the very real security concerns of customers while still trying to gain a competitive advantage quickly for organizations.

To put mobile applications and data security in perspective, here are a few statistics that highlight the growing need for organizations to be mindful of security:

• 85% of US companies have experienced one or more data breaches.¹
• Mobile malware increased by 250% over the last couple of years.²
• 36% of mobile users do not have a password setup on their device.³
• 30% of mobile users save their password in the notes apps on the phone.³
• 70% of people have lost a smartphone or other device in the last 12 months.⁴
• In 2012 – 264 mobile thefts were reported every day.⁴
• 81% of US workers report at least one personal electronic device for business use.⁴
• Mobile sales rose to 645 million devices by the end of 2012.⁵

From the statistics above, we can see that the security risks and challenges faced by organizations when building mobile applications are very real. Luckily, most of this can be avoided and overcome with some simple, proactive steps that can be taken by your development team, your IT department, and your end-users.

In this article, I will examine these challenges and outline solutions that will enable you to develop and deploy secure mobile applications quickly while ensuring user privacy and access to your critical business information are adequately protected.

Mobile Application Security can be broken down into following three main categories:

• Securing Data at Rest on the Mobile Device
• Securing Communication Between the Mobile Device and the Server
• Securing   Application Access to the Data

Securing Data at Rest on the Mobile Device

With the ability of native applications on mobile devices to read/write files to the device operating system, it becomes extremely important to secure information so that only the intended application can access the information when end-users interact with the application. Luckily, both Android and Apple operating systems provide a sandbox environment for each application so that only that application can read/write data to the file system.

Applications should also encrypt the information on the file system using industry-standard encryption algorithms to further protect sensitive application data. Both Android and Apple also provide password, gesture, and pin access to the device that can be configured and set up so unauthorized use of applications and data on the device can be eliminated.

Mobile device manufacturers and operating system vendors in the marketplace today are increasingly being asked to provide additional security capabilities built into the operating system and software to conform to government regulations, identify malicious activity, detect viruses and spyware, as well as secure application data. Additionally, device manufacturers are now providing the ability to install business applications in a secure sandbox environment (dividing the mobile device into two parts so that the operating system separates corporate and personal data/applications) that can be integrated and controlled by the IT department in your organization.

When building applications for mobile devices and storing data on the device, it is important to consider and analyze the following key aspects:

• Is the data being stored encrypted and compressed?
• What is the lifespan of data stored on the device?
• How sensitive is the information being stored? If very sensitive, should it be stored at all?
• Has application access to the data been secured in some way, e.g., login user ID and password?
• If the device is lost or stolen, can access to the application be immediately revoked and terminated?
• If the device is lost or stolen, can the device be wiped remotely?
• Is the data available for offline use? If yes, is the data erased and cleaned up by the application?

With the constant demand on business and IT to deliver "more with less," organizations can deliver real business value using a Mobile Application Framework and mitigate risk, thus providing businesses with real cost savings. When evaluating Mobile Application Frameworks for building native applications for Android and Apple devices, it is important to evaluate against the following criteria:

• Is the mobile application framework from a reputable vendor?
• Has the vendor been in business for a long time, and does the vendor have a proven track record?
• Does the mobile application framework leverage existing developer skill sets?
• Does the mobile application framework deliver the building blocks required for mobile applications: security model, navigation, user interface elements, examples?
• Does the mobile application support both Android and Apple operating systems?

Securing  Communication Between the Mobile Device and the Server

Most applications connect to information being stored on the server using standard web protocol (HTTP) and pass data back and forth using standard data formats like XML or JSON. Using public Wi-Fi or cellular signal from anywhere in the world and connecting to data on the server can allow hackers to intercept and view information being transferred over the wire using sniffing tools and man-in-the-middle attacks. Since the World Wide Web is the number one source of information for most people these days, and the web uses the HTTP protocol to communicate between the web browser and server, it is easy to see why a connection can be easily intercepted and hacked.

One of the easiest ways to secure communication is to simply use HTTPs protocol instead of HTTP protocol when building business applications and accessing data on the server. Using SSL connection to the web server automatically means that the data is being encrypted with a digital certificate that can be set up and configured on the web server. Typically, digital certificates provide a minimum 128-bit encryption all the way up to 4096-bit encryption, which ensures the data being transmitted over the wire is secure and not available to hackers.

Using IBM i back-end as the server for building mobile applications provides many benefits. With the latest advancements in Cryptography and Digital Certificates built into the Apache Webserver and the IBM i OS to provide a reliable and proven platform, the IBM i platform has proven to be one of the most secure platforms to run your mission critical business applications.

Securing Application Access to Data

One of the challenges when building mobile applications is to make sure users are given access only to information that they are authorized to view and that sensitive data is never stored on the device itself. One of the keys to securing application access to corporate business data on your servers is to develop a solid framework that will handle all aspects of data security and access on the server.

Some common techniques that can ensure secure application access to data on the server are:

• Set up role-based security to control user access and visibility to business data. This will allow you to easily manage and administer access and also turn "off" access to information on the server if required.
• Do not store passwords or PINs on the device; always perform all application security checks on the server.
• Encrypt all sensitive information on the server and send only the required amount of information to the mobile application.
• Log all application activity on the server from all devices and restrict access to applications and data based on the unique device identifier.
• Prompt for an additional PIN number to access critical paths of the server, and revalidate and verify the login information on subsequent requests after the initial login to the application has been verified.
• Implement a firewall and DMZ (Demilitarized Zone) that contains your organization's external-facing servers to the outside world. This provides an additional later of security to an organization's network, applications, and data.
• Provide VPN access for added security that can be easily enabled or disabled on the server side.
• Leverage remote monitoring capabilities that provide the ability to remotely wipe a device if it gets lost or stolen.
• Educate and manage employee behavior and usage of mobile applications in order to keep security intact. Provide employees with regular updates and make them aware of your security policies.

The IBM i platform hosts some of the biggest mission-critical business applications on the planet and has always had a built-in object-based and user-profile management system that is not only simple to set up and leverage, but also very powerful. Reducing the steps required to configure user profiles and manage access to your programs/files on the server, using the standard IBM i user profile security with authorization lists, makes the IBM i a compelling choice for businesses.

Even the most secure platform on the planet needs protection from threats and breaches when dealing with business data. The IBM i platform provides the necessary tools required to secure the infrastructure and access to the information, thereby helping business to lower risks and cost.

Summary: Mobile Application Development and Data Security

Application and data security has always been and will continue to be a cat-and-mouse game between the good guys and the bad guys. New threats and vulnerabilities are being found and exploited by the bad guys, while the good guys try to fix the vulnerabilities by putting in place appropriate measures—both hardware and software—to thwart the new-age cyber criminals.

The great news for all of us building mobile applications is that both software and hardware mobile ecosystems are not only evolving at a rapid pace, but also constantly being improved to support the latest in encryption and cryptography as well as making mobile device operating systems smarter in detecting and dealing with threats in real-time.

At the end of the day, mobile applications need to be secured. It's not a question of "if" but "when" attacks will occur. From an application-development perspective, it is important to understand and be mindful of security issues when building enterprise applications for mobile devices. Make sure that the checklist outlined below has been considered and implemented to the fullest extent possible so that multiple layers of application security exist to help reduce the surface area that the bad guys can exploit.

12-Point Mobile Application and Data Security Checklist

With smartphone penetration now at 50% in the U.S., the explosion of mobile applications for business will continue to generate mass consumer appeal. In today's business environment, consumers want quick, easy access to business systems and the ability to communicate in real-time. Using the guidelines I've discussed above, businesses can accommodate the real security concerns of employees and customers while gaining a competitive advantage.

Sources

¹ State of Application Security—http://www.business.att.com/content/other/att-security-applications-infographic.jpg

² Juniper Networks Global Threat Center—http://blackberrysync.com/2011/08/the-cold-hard-facts-of-mobile-security-with-dos-and-donts/

³ McAfee Consumer Survery—https://blogs.mcafee.com/consumer/unprotected-mobile-devices

⁴ Mobile Security Facts—http://www.passban.com/2012/12/19/noteworthy-facts-involving-mobile-security/

⁵ Symantec Internet Security Report—http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf

Madan Divaker

• Email
• Site

Madan Divaker, Product Manager, LANSA
Since joining LANSA in 1997, Madan has acquired extensive knowledge in all LANSA products. His experience includes .NET, Java, Web, and mobile expertise. Initially, he worked at the LANSA Product Center in Sydney, Australia, helping design and develop the LANSA product suite, including LongRange for building intuitive mobile applications. Currently, Madan is involved with LANSA Training, Technical Support, Pre-sales, Services and Product Development, as well as keeping abreast of market and technology trends. He has also presented at numerous IBM Conferences and user groups on broad topics covering IBM i, mobility, Web development, and Application Architecture and Design and is an active member of the IBM ISV Advisory Council.