
Mobile application vulnerabilities remain a forgotten security threat

Data security has become a major issue for companies and the general public as high-profile hacks of big-name companies are constantly in the news. But despite this increased vigilance, mobile application security is often put on the back burner by developers -- as well as the businesses and consumers that use them, said Vincent Sritapan, a program manager with the Department of Homeland Security Science and Technology Directorate.

Sritapan, who led a session titled the "Future of Mobile App Security" at the ISSA International Conference last month, said there are steps companies and individuals can take to protect against these often-overlooked threats. In this interview from the ISSA International Conference, SearchCompliance editor Ben Cole sits down with Sritapan to discuss mobile application vulnerabilities and strategies to protect against them.

What are some of the common mobile application vulnerabilities that threaten consumer and company information?


Vincent Sritapan: Some of the common mobile application vulnerabilities and threats that exist today really come with excessive permissions from mobile applications. You might remember the flashlight app that wanted your location. You also can think about other aspects of rogue or fake applications that are trying to trick users into using them as a legitimate application. You might find other mobile applications that are just not well made; they're not developed well, and their poor coding puts people at risk because vulnerabilities exist in there. There are quite a few weaknesses in mobile applications, and some that have malicious intent have malware in them. Those are ones that are very much problematic.

There hasn't been a high-profile hack of a mobile app that made a lot of news. Do you think that's making users complacent about the data that they put in these apps?

Sritapan: Yes, definitely. You'll see a user who may not want to click on a phishing link, but will add an application or install it because it's a free app even though it asks for excessive permissions or their full contact list. People are just not as aware when it comes to mobile. They're more likely to download a malicious app or an app that has unusual behavior.

Are there any new mobile app security strategies and best practices that have proven effective?

Sritapan: Yes, I think for this one there are two parts, really. There's one for the organization and one from a consumer perspective. When you think about the organization, NIST standards are out there, and there are other government standards that we have. The National Institute for Standards and Technology has special publications available looking at vetting criteria. We have the National Information Assurance Partnership that's available, too. Different government entities are looking at this, looking at an enterprise level [asking] 'How do I vet mobile applications, what [are] the criteria that I'd follow, and what's the schema?' That's one aspect for an enterprise organization.

For the consumer, though, it's a little different. Consumers really need to consider not rooting their phone and jailbreaking it because it really does take the security out of it. Look at the applications you download -- you want to have it from the legitimate markets. You don't want to have it from third-party markets or unknown places. You want to keep your operating system or your applications up to date. Those are normal best practices that you should follow.
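The two threads above, excessive permissions as a leading weakness and the enterprise question of "what criteria do I follow" when vetting apps, can be tied together in one concrete check. The script below is an added example written for this page; it is not code from the interview, DHS S&T or NIST. It parses an Android manifest, compares the permissions an app requests against what its stated purpose plausibly needs, and flags sensitive over-reach and a debuggable build. The sample manifest is constructed, and the per-category allowlists are assumptions a real vetting programme would replace with its own criteria.

```python
"""Permission vetting check for an Android manifest.

Added example (not from the interview, DHS S&T or NIST): a minimal
app-vetting rule that flags permissions the app's stated purpose does not
justify. The manifest and the category allowlists below are constructed
assumptions for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_DEBUGGABLE = f"{{{ANDROID_NS}}}debuggable"

# A subset of the permissions Android treats as "dangerous" (runtime-granted)
# that most often signal over-reach; a real programme would use the full list.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
}

# Assumed allowlists: what an app of each kind plausibly needs to function.
ALLOWED_BY_CATEGORY = {
    # The torch is driven through the camera API, so CAMERA is expected.
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
        "android.permission.INTERNET",
    },
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }


def vet_manifest(manifest_xml, category):
    """Compare requested permissions against the category allowlist.

    Returns a findings dict with the excessive permissions, the sensitive
    subset of those, whether the build is debuggable, and a verdict.
    """
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    allowed = ALLOWED_BY_CATEGORY.get(category, set())
    excessive = requested - allowed
    sensitive_excess = excessive & SENSITIVE
    app = root.find("application")
    debuggable = app is not None and app.get(ANDROID_DEBUGGABLE) == "true"
    if sensitive_excess or debuggable:
        verdict = "reject"
    elif excessive:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "package": root.get("package"),
        "excessive": sorted(excessive),
        "sensitive": sorted(sensitive_excess),
        "debuggable": debuggable,
        "verdict": verdict,
    }


# Constructed sample: a flashlight app that also wants location and contacts.
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Torch" android:debuggable="true" />
</manifest>"""

if __name__ == "__main__":
    for key, value in vet_manifest(FLASHLIGHT_MANIFEST, "flashlight").items():
        print(f"{key}: {value}")
```

The verdict tiers mirror how an enterprise vetting pipeline typically works: a sensitive permission the app's purpose cannot explain, or a debuggable release build, is grounds for outright rejection, while a benign but unexplained permission such as INTERNET is routed to a human reviewer rather than blocked automatically.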

What steps does your organization take to protect information from mobile application vulnerabilities?
Ben, very good points you've highlighted around the risks associated with mobile apps. More sophisticated companies that understand the inherent risks associated with mobile apps and their vulnerabilities are incorporating code hardening security tools to help prevent their mobile apps from being reverse-engineered and tampered with. What's working well with application self-protection techniques is that the security follows the app no matter where it goes -- which is increasingly essential in today's highly distributed mobile and IoT environment. Another security measure being incorporated is cryptographic key protection. People generally understand the value and need for data encryption, but at some point that data needs to be decrypted with keys. Memory scraping and other hacking techniques can easily lift the keys and at that point access sensitive data. Security techniques such as white-box cryptography are one example of locking down cryptographic keys, helping to keep them from being identified and stolen.

I agree, mobile application security needs to start at the development level in order to ensure end-to-end data protection. Too often security has been an afterthought, with developers focusing on making the app services user-friendly and efficient. Unfortunately, it may take a giant mobile application data breach or leak before app developers (and users) really start to take security seriously and implement protection efforts during the development process.

Security levels for these 'at risk' apps should be designed specifically for each individual app.

Ben -- agreed on the unfortunate human nature of needing to live through a massive breach to quickly impact behavior. Just curious, since you know the compliance space well -- I've been seeing more regulatory bodies doing a much better job of collaborating with private industry and those on the front lines of emerging threats/attacks to seek out security best practices, etc., which ultimately should be written into requirements. Are you seeing that as well?

dez... agreed as well. All apps aren't created equal and should be assessed accordingly. In my initial comment, I was thinking about critical apps including medical device, automotive, etc., especially where security and personal safety intersect.

Yes, Stephen, public/private sector cybersecurity data sharing is a big topic right now, and is a major part of the Cybersecurity Information Sharing Act being debated in the U.S. legislature. Companies seem to be on the fence about it. While most understand the benefits of security information sharing to develop best practices, they have major concerns about how to also protect customer privacy when sharing this data with the federal government.

A web application firewall secures applications that are accessible via a web browser or mobile applications.