Taking Mobile Applications and Data Security Seriously

Development Tools / Utilities
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Mobile applications need to be secured. It's not a question of "if" but "when" attacks will occur.


Today, many organizations are rushing to build mobile applications and mobile websites to gain a competitive advantage within their industry. The rate and speed at which applications are being pushed into the marketplace is phenomenal and is only increasing with the explosion of mobile devices. Traditional businesses have been forced to think outside of the box to leverage mobile devices in innovative and creative ways, partly from pressure by their competitors and their own employees with the growing trend of Bring Your Own Device (BYOD) to work.


Building traditional business applications versus building native mobile applications requires a change in a developer's mindset. Developers need to take into account how best to provide information to their end-users in real-time in order for business decisions to be made on the move from anywhere in world withoutcompromising security and access to the information.


While most organizations should be considering developing a mobile application, others are rushing to deliver applications quickly, on a limited budget with little internal resources, ultimately overlooking critical security considerations. Users are increasingly demanding secure mobile applications, and, understandably, organizations are hesitant because it usually means more time and money required to build secure mobile applications. However, there needs to be a happy medium to accommodate the very real security concerns of customers while still trying to gain a competitive advantage quickly for organizations.


To put mobile applications and data security in perspective, here are a few statistics that highlight the growing need for organizations to be mindful of security:


  • 85% of US companies have experienced one or more data breaches.1
  • Mobile malware increased by 250% over the last couple of years.2
  • 36% of mobile users do not have a password setup on their device.3
  • 30% of mobile users save their password in the notes apps on the phone.3
  • 70% of people have lost a smartphone or other device in the last 12 months.4
  • In 2012 – 264 mobile thefts were reported every day.4
  • 81% of US workers report at least one personal electronic device for business use.4
  • Mobile sales rose to 645 million devices by the end of 2012.5


From the statistics above, we can see that the security risks and challenges faced by organizations when building mobile applications are very real. Luckily, most of this can be avoided and overcome with some simple, proactive steps that can be taken by your development team, your IT department, and your end-users.


In this article, I will examine these challenges and outline solutions that will enable you to develop and deploy secure mobile applications quickly while ensuring user privacy and access to your critical business information are adequately protected.



Mobile Application Security can be broken down into following three main categories:

  • Securing Data at Rest on the Mobile Device
  • Securing Communication Between the Mobile Device and the Server
  • Securing   Application Access to the Data

Securing Data at Rest on the Mobile Device

With the ability of native applications on mobile devices to read/write files to the device operating system, it becomes extremely important to secure information so that only the intended application can access the information when end-users interact with the application. Luckily, both Android and Apple operating systems provide a sandbox environment for each application so that only that application can read/write data to the file system.


Applications should also encrypt the information on the file system using industry-standard encryption algorithms to further protect sensitive application data. Both Android and Apple also provide password, gesture, and pin access to the device that can be configured and set up so unauthorized use of applications and data on the device can be eliminated.


Mobile device manufacturers and operating system vendors in the marketplace today are increasingly being asked to provide additional security capabilities built into the operating system and software to conform to government regulations, identify malicious activity, detect viruses and spyware, as well as secure application data. Additionally, device manufacturers are now providing the ability to install business applications in a secure sandbox environment (dividing the mobile device into two parts so that the operating system separates corporate and personal data/applications) that can be integrated and controlled by the IT department in your organization.


When building applications for mobile devices and storing data on the device, it is important to consider and analyze the following key aspects:

  • Is the data being stored encrypted and compressed?
  • What is the lifespan of data stored on the device?
  • How sensitive is the information being stored? If very sensitive, should it be stored at all?
  • Has application access to the data been secured in some way, e.g., login user ID and password?
  • If the device is lost or stolen, can access to the application be immediately revoked and terminated?
  • If the device is lost or stolen, can the device be wiped remotely?
  • Is the data available for offline use? If yes, is the data erased and cleaned up by the application?


With the constant demand on business and IT to deliver "more with less," organizations can deliver real business value using a Mobile Application Framework and mitigate risk, thus providing businesses with real cost savings. When evaluating Mobile Application Frameworks for building native applications for Android and Apple devices, it is important to evaluate against the following criteria:

  • Is the mobile application framework from a reputable vendor?
  • Has the vendor been in business for a long time, and does the vendor have a proven track record?
  • Does the mobile application framework leverage existing developer skill sets?
  • Does the mobile application framework deliver the building blocks required for mobile applications: security model, navigation, user interface elements, examples?
  • Does the mobile application support both Android and Apple operating systems?

Securing  Communication Between the Mobile Device and the Server

Most applications connect to information being stored on the server using standard web protocol (HTTP) and pass data back and forth using standard data formats like XML or JSON. Using public Wi-Fi or cellular signal from anywhere in the world and connecting to data on the server can allow hackers to intercept and view information being transferred over the wire using sniffing tools and man-in-the-middle attacks. Since the World Wide Web is the number one source of information for most people these days, and the web uses the HTTP protocol to communicate between the web browser and server, it is easy to see why a connection can be easily intercepted and hacked.


One of the easiest ways to secure communication is to simply use HTTPs protocol instead of HTTP protocol when building business applications and accessing data on the server. Using SSL connection to the web server automatically means that the data is being encrypted with a digital certificate that can be set up and configured on the web server. Typically, digital certificates provide a minimum 128-bit encryption all the way up to 4096-bit encryption, which ensures the data being transmitted over the wire is secure and not available to hackers.


Using IBM i back-end as the server for building mobile applications provides many benefits. With the latest advancements in Cryptography and Digital Certificates built into the Apache Webserver and the IBM i OS to provide a reliable and proven platform, the IBM i platform has proven to be one of the most secure platforms to run your mission critical business applications.

Securing Application Access to Data

One of the challenges when building mobile applications is to make sure users are given access only to information that they are authorized to view and that sensitive data is never stored on the device itself. One of the keys to securing application access to corporate business data on your servers is to develop a solid framework that will handle all aspects of data security and access on the server.


Some common techniques that can ensure secure application access to data on the server are:

  • Set up role-based security to control user access and visibility to business data. This will allow you to easily manage and administer access and also turn "off" access to information on the server if required.
  • Do not store passwords or PINs on the device; always perform all application security checks on the server.
  • Encrypt all sensitive information on the server and send only the required amount of information to the mobile application.
  • Log all application activity on the server from all devices and restrict access to applications and data based on the unique device identifier.
  • Prompt for an additional PIN number to access critical paths of the server, and revalidate and verify the login information on subsequent requests after the initial login to the application has been verified.
  • Implement a firewall and DMZ (Demilitarized Zone) that contains your organization's external-facing servers to the outside world. This provides an additional later of security to an organization's network, applications, and data.
  • Provide VPN access for added security that can be easily enabled or disabled on the server side.
  • Leverage remote monitoring capabilities that provide the ability to remotely wipe a device if it gets lost or stolen.
  • Educate and manage employee behavior and usage of mobile applications in order to keep security intact. Provide employees with regular updates and make them aware of your security policies.


The IBM i platform hosts some of the biggest mission-critical business applications on the planet and has always had a built-in object-based and user-profile management system that is not only simple to set up and leverage, but also very powerful. Reducing the steps required to configure user profiles and manage access to your programs/files on the server, using the standard IBM i user profile security with authorization lists, makes the IBM i a compelling choice for businesses.


Even the most secure platform on the planet needs protection from threats and breaches when dealing with business data. The IBM i platform provides the necessary tools required to secure the infrastructure and access to the information, thereby helping business to lower risks and cost.

Summary: Mobile Application Development and Data Security


Application and data security has always been and will continue to be a cat-and-mouse game between the good guys and the bad guys. New threats and vulnerabilities are being found and exploited by the bad guys, while the good guys try to fix the vulnerabilities by putting in place appropriate measuresboth hardware and softwareto thwart the new-age cyber criminals.


The great news for all of us building mobile applications is that both software and hardware mobile ecosystems are not only evolving at a rapid pace, but also constantly being improved to support the latest in encryption and cryptography as well as making mobile device operating systems smarter in detecting and dealing with threats in real-time.


At the end of the day, mobile applications need to be secured. It's not a question of "if" but "when" attacks will occur. From an application-development perspective, it is important to understand and be mindful of security issues when building enterprise applications for mobile devices. Make sure that the checklist outlined below has been considered and implemented to the fullest extent possible so that multiple layers of application security exist to help reduce the surface area that the bad guys can exploit.


12-Point Mobile Application and Data Security Checklist


Update  your smartphone OS, irrespective of it being an Android or an Apple device, whenever any application patches or OS upgrades are released.


Always use a passcode to lock your device in order to avoid data leakage, especially if the device is being used by a stranger.


Do not jail-break, root, or modify the operating system files.


Regularly back up or synchronize your settings and other personal information in order to avoid the loss of data due to theft. For additional security, install device-tracking applications to find your device if it gets lost or stolen.


Learn about an application's reputation before installing it. Make sure the application vendor or developer is a trusted source, has been in business for a considerable amount of time, and has a solid reputation.


Always be careful when downloading applications or clicking URLs. Use only trusted application-makers to download applications and make sure you check an app' s review and ratings before you download it. Never click on unknown URLs or respond to requests for your personal information.


Make protecting your mobile device as much of a priority as protecting your PC. Scan for viruses and spyware regularly by installing antivirus or firewall software.


Be careful when using public Wi-Fi hot spots. Only "window shop." Do not make purchases, perform financial transactions, or provide personal information using public Wi-Fi hot spots.


When using a business application to access business data, make sure it has been approved by your IT department, and always use a secure connection. Optionally, use a VPN connection to the server and do not store sensitive data locally on the device unless it is encrypted and secured.


Work with your IT department to develop and implement a security policy regarding what content is allowed to be accessed on devices, how it will be accessed, and how the organization will handle access to business data and applications as well as lost or stolen devices.


Make sure your development team incorporates security into the entire application development lifecycle by identifying and prioritizing critical applications and testing for security and vulnerabilities. Make sure to retest when applications change to protect critical assets and information.


Stay flexible and be prepared to evolve and adapt to the changing mobile landscape by regularly evaluating your security policies to make sure they align with mobile reality by conducting frequent risk assessments.


With smartphone penetration now at 50% in the U.S., the explosion of mobile applications for business will continue to generate mass consumer appeal. In today's business environment, consumers want quick, easy access to business systems and the ability to communicate in real-time. Using the guidelines I've discussed above, businesses can accommodate the real security concerns of employees and customers while gaining a competitive advantage.



1 State of Application Security

2 Juniper Networks Global Threat Center

3 McAfee Consumer Survery

4 Mobile Security Facts

5 Symantec Internet Security Report



Madan Divaker

Madan Divaker, Product Manager, LANSA
Since joining LANSA in 1997, Madan has acquired extensive knowledge in all LANSA products. His experience includes .NET, Java, Web, and mobile expertise. Initially, he worked at the LANSA Product Center in Sydney, Australia, helping design and develop the LANSA product suite, including LongRange for building intuitive mobile applications. Currently, Madan is involved with LANSA Training, Technical Support, Pre-sales, Services and Product Development, as well as keeping abreast of market and technology trends. He has also presented at numerous IBM Conferences and user groups on broad topics covering IBM i, mobility, Web development, and Application Architecture and Design and is an active member of the IBM ISV Advisory Council.



Support MC Press Online





  • White Paper: Node.js for Enterprise IBM i Modernization

    SB Profound WP 5539

    If your business is thinking about modernizing your legacy IBM i (also known as AS/400 or iSeries) applications, you will want to read this white paper first!

    Download this paper and learn how Node.js can ensure that you:
    - Modernize on-time and budget - no more lengthy, costly, disruptive app rewrites!
    - Retain your IBM i systems of record
    - Find and hire new development talent
    - Integrate new Node.js applications with your existing RPG, Java, .Net, and PHP apps
    - Extend your IBM i capabilties to include Watson API, Cloud, and Internet of Things

    Read Node.js for Enterprise IBM i Modernization Now!


  • Profound Logic Solution Guide

    SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation.
    Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects.
    The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the companyare not aligned with the current IT environment.

    Get your copy of this important guide today!


  • 2022 IBM i Marketplace Survey Results

    Fortra2022 marks the eighth edition of the IBM i Marketplace Survey Results. Each year, Fortra captures data on how businesses use the IBM i platform and the IT and cybersecurity initiatives it supports.

    Over the years, this survey has become a true industry benchmark, revealing to readers the trends that are shaping and driving the market and providing insight into what the future may bring for this technology.

  • Brunswick bowls a perfect 300 with LANSA!

    FortraBrunswick is the leader in bowling products, services, and industry expertise for the development and renovation of new and existing bowling centers and mixed-use recreation facilities across the entertainment industry. However, the lifeblood of Brunswick’s capital equipment business was running on a 15-year-old software application written in Visual Basic 6 (VB6) with a SQL Server back-end. The application was at the end of its life and needed to be replaced.
    With the help of Visual LANSA, they found an easy-to-use, long-term platform that enabled their team to collaborate, innovate, and integrate with existing systems and databases within a single platform.
    Read the case study to learn how they achieved success and increased the speed of development by 30% with Visual LANSA.


  • The Power of Coding in a Low-Code Solution

    LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed.
    Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

    • Discover the benefits of Low-code's quick application creation
    • Understand the differences in model-based and language-based Low-Code platforms
    • Explore the strengths of LANSA's Low-Code Solution to Low-Code’s biggest drawbacks



  • Why Migrate When You Can Modernize?

    LANSABusiness users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
    In this white paper, you’ll learn how to think of these issues as opportunities rather than problems. We’ll explore motivations to migrate or modernize, their risks and considerations you should be aware of before embarking on a (migration or modernization) project.
    Lastly, we’ll discuss how modernizing IBM i applications with optimized business workflows, integration with other technologies and new mobile and web user interfaces will enable IT – and the business – to experience time-added value and much more.


  • UPDATED: Developer Kit: Making a Business Case for Modernization and Beyond

    Profound Logic Software, Inc.Having trouble getting management approval for modernization projects? The problem may be you're not speaking enough "business" to them.

    This Developer Kit provides you study-backed data and a ready-to-use business case template to help get your very next development project approved!

  • What to Do When Your AS/400 Talent Retires

    FortraIT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators is small.

    This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:

    • Why IBM i skills depletion is a top concern
    • How leading organizations are coping
    • Where automation will make the biggest impact


  • Node.js on IBM i Webinar Series Pt. 2: Setting Up Your Development Tools

    Profound Logic Software, Inc.Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. In Part 2, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Attend this webinar to learn:

    • Different tools to develop Node.js applications on IBM i
    • Debugging Node.js
    • The basics of Git and tools to help those new to it
    • Using as a pre-built development environment



  • Expert Tips for IBM i Security: Beyond the Basics

    SB PowerTech WC GenericIn this session, IBM i security expert Robin Tatam provides a quick recap of IBM i security basics and guides you through some advanced cybersecurity techniques that can help you take data protection to the next level. Robin will cover:

    • Reducing the risk posed by special authorities
    • Establishing object-level security
    • Overseeing user actions and data access

    Don't miss this chance to take your knowledge of IBM i security beyond the basics.



  • 5 IBM i Security Quick Wins

    SB PowerTech WC GenericIn today’s threat landscape, upper management is laser-focused on cybersecurity. You need to make progress in securing your systems—and make it fast.
    There’s no shortage of actions you could take, but what tactics will actually deliver the results you need? And how can you find a security strategy that fits your budget and time constraints?
    Join top IBM i security expert Robin Tatam as he outlines the five fastest and most impactful changes you can make to strengthen IBM i security this year.
    Your system didn’t become unsecure overnight and you won’t be able to turn it around overnight either. But quick wins are possible with IBM i security, and Robin Tatam will show you how to achieve them.

  • Security Bulletin: Malware Infection Discovered on IBM i Server!

    SB PowerTech WC GenericMalicious programs can bring entire businesses to their knees—and IBM i shops are not immune. It’s critical to grasp the true impact malware can have on IBM i and the network that connects to it. Attend this webinar to gain a thorough understanding of the relationships between:

    • Viruses, native objects, and the integrated file system (IFS)
    • Power Systems and Windows-based viruses and malware
    • PC-based anti-virus scanning versus native IBM i scanning

    There are a number of ways you can minimize your exposure to viruses. IBM i security expert Sandi Moore explains the facts, including how to ensure you're fully protected and compliant with regulations such as PCI.



  • Encryption on IBM i Simplified

    SB PowerTech WC GenericDB2 Field Procedures (FieldProcs) were introduced in IBM i 7.1 and have greatly simplified encryption, often without requiring any application changes. Now you can quickly encrypt sensitive data on the IBM i including PII, PCI, PHI data in your physical files and tables.
    Watch this webinar to learn how you can quickly implement encryption on the IBM i. During the webinar, security expert Robin Tatam will show you how to:

    • Use Field Procedures to automate encryption and decryption
    • Restrict and mask field level access by user or group
    • Meet compliance requirements with effective key management and audit trails


  • Lessons Learned from IBM i Cyber Attacks

    SB PowerTech WC GenericDespite the many options IBM has provided to protect your systems and data, many organizations still struggle to apply appropriate security controls.
    In this webinar, you'll get insight into how the criminals accessed these systems, the fallout from these attacks, and how the incidents could have been avoided by following security best practices.

    • Learn which security gaps cyber criminals love most
    • Find out how other IBM i organizations have fallen victim
    • Get the details on policies and processes you can implement to protect your organization, even when staff works from home

    You will learn the steps you can take to avoid the mistakes made in these examples, as well as other inadequate and misconfigured settings that put businesses at risk.



  • The Power of Coding in a Low-Code Solution

    SB PowerTech WC GenericWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed.
    Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

    • Discover the benefits of Low-code's quick application creation
    • Understand the differences in model-based and language-based Low-Code platforms
    • Explore the strengths of LANSA's Low-Code Solution to Low-Code’s biggest drawbacks



  • The Biggest Mistakes in IBM i Security

    SB Profound WC Generic The Biggest Mistakes in IBM i Security
    Here’s the harsh reality: cybersecurity pros have to get their jobs right every single day, while an attacker only has to succeed once to do incredible damage.
    Whether that’s thousands of exposed records, millions of dollars in fines and legal fees, or diminished share value, it’s easy to judge organizations that fall victim. IBM i enjoys an enviable reputation for security, but no system is impervious to mistakes.
    Join this webinar to learn about the biggest errors made when securing a Power Systems server.
    This knowledge is critical for ensuring integrity of your application data and preventing you from becoming the next Equifax. It’s also essential for complying with all formal regulations, including SOX, PCI, GDPR, and HIPAA
    Watch Now.

  • Comply in 5! Well, actually UNDER 5 minutes!!

    SB CYBRA PPL 5382

    TRY the one package that solves all your document design and printing challenges on all your platforms.

    Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product.

    Request your trial now!

  • Backup and Recovery on IBM i: Your Strategy for the Unexpected

    FortraRobot automates the routine tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
    - Simplified backup procedures
    - Easy data encryption
    - Save media management
    - Guided restoration
    - Seamless product integration
    Make sure your data survives when catastrophe hits. Try the Robot Backup and Recovery Solution FREE for 30 days.

  • Manage IBM i Messages by Exception with Robot

    SB HelpSystems SC 5413Managing messages on your IBM i can be more than a full-time job if you have to do it manually. How can you be sure you won’t miss important system events?
    Automate your message center with the Robot Message Management Solution. Key features include:
    - Automated message management
    - Tailored notifications and automatic escalation
    - System-wide control of your IBM i partitions
    - Two-way system notifications from your mobile device
    - Seamless product integration
    Try the Robot Message Management Solution FREE for 30 days.

  • Easiest Way to Save Money? Stop Printing IBM i Reports

    FortraRobot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing.
    Manage your reports with the Robot Report Management Solution. Key features include:

    - Automated report distribution
    - View online without delay
    - Browser interface to make notes
    - Custom retention capabilities
    - Seamless product integration
    Rerun another report? Never again. Try the Robot Report Management Solution FREE for 30 days.

  • Hassle-Free IBM i Operations around the Clock

    SB HelpSystems SC 5413For over 30 years, Robot has been a leader in systems management for IBM i.
    Manage your job schedule with the Robot Job Scheduling Solution. Key features include:
    - Automated batch, interactive, and cross-platform scheduling
    - Event-driven dependency processing
    - Centralized monitoring and reporting
    - Audit log and ready-to-use reports
    - Seamless product integration
    Scale your software, not your staff. Try the Robot Job Scheduling Solution FREE for 30 days.