Productivity within an organisation can be dramatically increased with some very simple and elegant mobile applications. People who are not always working at a desk or in a single location can stay connected to colleagues through their mobile devices. Time management, project management, communication, accounting and web hosting can all be streamlined and managed more effectively with a variety of smart applications. Yet relying too heavily on mobile applications brings serious application-security risks with it.
The Risks of Mobile Applications
The two main platforms in the mobile device market are Google's Android and Apple's iOS. FireEye, a security firm, analysed more than 7 million mobile apps for both platforms between January and October 2014 and found the following. For Android, 96 percent of mobile malware targeted the platform, and more than 5 billion downloaded Android apps were vulnerable to remote attacks. For iOS, some apps circumvent Apple's review process and, as a result, can compromise privacy and introduce security risks. Adware, although not malicious in itself, often collects personal information from the device aggressively, and that information can then be used in further attacks against the user.
Many downloadable mobile applications keep a local database, so data is actually stored on the mobile device itself; if the device is lost or stolen, that data goes with it. Applications often do not require the user to log in each time, and a session is typically kept alive for a number of days before re-authentication is required. It is left to the user to apply appropriate protection to each device and each application. There is no industry standard for how applications handle login and session lifetime; each application sets its own policy, and users are often unaware of these settings. Nor is there any guarantee that the owner of the device will set a device passcode or configure each application securely. In short, risk arises both from how access to the device is secured and from how each application's own security settings are configured.
These risks are especially problematic in healthcare and hospital settings. Healthcare-related applications often exchange documents that contain PHI (Protected Health Information). Using a mobile device for email is not secure by default: messages and attachments are generally not encrypted unless special applications are used, which require specialised setup and configuration. Anyone with physical access to an unlocked device can read all of its email and open its documents.
Best Practices for Securing Mobile Application Data
To protect your company's use of mobile applications, consider taking the following steps:
- Set the forced password-change interval to longer than 30 days, with a 7-10 day advance warning of the forthcoming reset. Require two-factor authentication to access sensitive devices and applications: a password plus some kind of token. The token can be a numeric code generated by a software application on the phone. One widely used two-factor product is Duo Security. One-time passwords work well as long as users do not have to re-authenticate every time the device goes into sleep mode; otherwise the usability cost is high and productivity suffers.
- Consider using the fingerprint reader on phones and tablets. This reduces day-to-day reliance on typed passwords, although a passcode is still required as a fallback (for example after a restart), so that passcode must itself be strong. Although Apple's latest version of Touch ID has been hacked, Apple states that, "every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID." Apple further indicates that, "The probability of this match happening is 1-in-50,000 for one enrolled finger which is much better than the 1-in-10,000 odds of guessing a typical 4-digit passcode." The Samsung Galaxy Tab S has a private mode that lets you store certain apps and content in a "secure" space within a user profile. You need to log in to the private space to access this content, and you can use your fingerprint to unlock it. This allows a dedicated business area on the tablet: non-confidential material can be kept in the unsecured section, while email and other apps that require a password can be placed in the secure section, unlocked with a swipe of the finger.
- Most companies have insurance for physical assets. Today it is also important to carry data breach insurance, in case your network is compromised and your customers' data is stolen. In some regulated industries there are mandatory customer-notification obligations after a breach, and these can result in liability.
- It is also prudent to have remote wipe capability. This functionality is built into most tablets and mobile devices, or can be added with mobile device management software. The IT department should set it up so that a lost device can be wiped of all data immediately. Note that a remote wipe only takes effect once the device reaches the network; device encryption with a strong passcode is what protects the data while the device is offline or in a thief's hands.
- Finally, companies must establish specific policies around personal use of business assets. One of the most effective ways to maintain security is to ask employees not to use company-provided mobile devices for personal purposes. A great deal of theft and loss occurs while business assets are in personal use: people leave tablets and phones in their cars or unattended in cafés, where they are easily stolen. Personal web browsing, applications and email on a work device also raise the probability of the device being infected with malware.
There are definite challenges to using mobile applications in your organisation, but most would agree that the benefits far outweigh the risks. Recognise the potential problem areas and take the proper steps to address them, so that your company can reap the benefits of going mobile.