Data security has become a major issue for companies and the general public as high-profile hacks of big-name companies are constantly in the news. But despite this increased vigilance, mobile application security is often put on the back burner by developers -- as well as the businesses and consumers that use them, said Vincent Sritapan, a program manager with the Department of Homeland Security Science and Technology Directorate.
Sritapan, who led a session titled the "Future of Mobile App Security" at the ISSA International Conference last month, said there are steps companies and individuals can take to protect against these often-overlooked threats. In this interview from the ISSA International Conference, SearchCompliance editor Ben Cole sits down with Sritapan to discuss mobile application vulnerabilities and strategies to protect against them.
What are some of the common mobile application vulnerabilities that threaten consumer and company information?
Vincent Sritapan, program manager, Department of Homeland Security Science and Technology Directorate
Vincent Sritapan: Some of the common mobile application vulnerabilities and threats that exist today really come with excessive permissions from mobile applications. You might remember the flashlight app that wanted your location. You also can think about other aspects of rogue or fake applications that are trying to trick users into using them as a legitimate application. You might find other mobile applications that are just not well made; they're not developed well, and their poor coding puts people at risk because vulnerabilities exist in there. There are quite a few weaknesses in mobile applications, and some have malicious intent: they have malware in them. Those are the ones that are very much problematic.
There hasn't been a high-profile hack of a mobile app that made a lot of news. Do you think that's making users complacent about the data that they put in these apps?
Sritapan: Yes, definitely. You'll see a user who may not want to click on a phishing link, but will add an application or install it because it's a free app even though it asks for excessive permissions or their full contact list. People are just not as aware when it comes to mobile. They're more likely to download a malicious app or an app that has unusual behavior.
Are there any new mobile app security strategies and best practices that have proven effective?
Sritapan: Yes, I think for this one there are two parts, really. There's one for the organization and one from a consumer perspective. When you think about the organization, NIST standards are out there, and there are other government standards that we have. The National Institute of Standards and Technology has special publications available looking at vetting criteria. We have the National Information Assurance Partnership that's available, too. Different government entities are looking at this, looking at an enterprise level [asking] 'How do I vet mobile applications, what [are] the criteria that I'd follow, and what's the schema?' That's one aspect for an enterprise organization.
For the consumer, though, it's a little different. Consumers really need to consider not rooting or jailbreaking their phone, because it really does take the security out of it. Look at the applications you download -- you want to get them from the legitimate markets. You don't want to get them from third-party markets or unknown places. You want to keep your operating system and your applications up to date. Those are normal best practices that you should follow.
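The "flashlight app that wanted your location" point above is the kind of thing an enterprise app-vetting pipeline can catch mechanically before anyone installs the app. The following is an added example, not code from the interview, DHS S&T, NIST or NIAP: it parses an AndroidManifest.xml, compares the requested permissions against the set an app of a given category plausibly needs, and flags the excess. The manifest is a constructed sample, and both the list of high-risk permissions and the per-category allowlist are this example's own assumptions that a vetting team would maintain for itself.

```python
"""Added example (not from the interview): flag excessive permissions in an
Android manifest as a first-pass app-vetting check.  The manifest below is a
constructed sample modelled on the 'flashlight app that wants your location'
case; the permission set and the per-category allowlist are assumptions made
for this example, not NIST SP or NIAP vetting criteria."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: permissions that grant broad access to user data or sensors.
# Drawn from Android's runtime ("dangerous") permission groups; extend as needed.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
}

# Assumption: what each app category plausibly needs.  A flashlight app may
# need CAMERA to drive the flash LED on older Android releases, nothing more.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.READ_CONTACTS",
                  "android.permission.READ_SMS"},
}

# Constructed sample manifest: a flashlight app asking for location and contacts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # ElementTree keys namespaced attributes this way
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def excessive_permissions(manifest_xml, category):
    """Dangerous permissions requested that the app's category does not justify.

    Normal-level permissions such as INTERNET are not flagged here; they would be
    reviewed separately (e.g. alongside network-behaviour analysis)."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    requested = requested_permissions(manifest_xml)
    return sorted((requested & DANGEROUS) - expected)


def vet(manifest_xml, category):
    """Produce a simple vetting result: 'pass' if nothing is flagged, else 'review'."""
    flagged = excessive_permissions(manifest_xml, category)
    return {
        "category": category,
        "flagged": flagged,
        "verdict": "review" if flagged else "pass",
    }


if __name__ == "__main__":
    result = vet(SAMPLE_MANIFEST, "flashlight")
    print(result["verdict"])
    for perm in result["flagged"]:
        print("  unjustified:", perm)
```

On the constructed manifest this flags ACCESS_FINE_LOCATION and READ_CONTACTS for the flashlight category and returns a "review" verdict. In a real pipeline the manifest would be pulled from the APK (e.g. with apktool or aapt), the category would come from the app's store listing or the requesting business unit, and a flagged app would go to a human reviewer rather than being auto-rejected, since some categories legitimately need broad permissions.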