Ethical Hackers Forum discusses mobile security

By Kiyoshi J. Berman

The sixth Ethical Hackers Forum of Sri Lanka took place recently in Colombo addressing a very topical issue of ‘Enterprise Mobile Security Challenges and Strategies’. The key resource person for the evening was Sinnathamby Shanmugarajah (Shan), Former Director, Mobile Architecture, WSO2 Sri Lanka Ltd.

Mobile computing devices are changing the game for most businesses. It can lead to new ways of working, new ways of operating the business as well as new products and services. 

Shan set the premise to the presentation by pointing out that, “If you look at the current setup in organisations, some of the data is still within the organisation premises but some of the data has moved to the Cloud, including emails and applications. The computer systems used by employees, have moved from desktops to laptops. In the IT industry specially, the employees sometimes work from home or while travelling. Technology is independent as well, enabling various platforms to communicate with each other. When it comes to resources: some of the devices are owned by the enterprise while the others are brought in by employees.”

What is enterprise mobility?

Enterprise mobility is using mobile computing devices to perform business tasks. Introducing technology to a business can drastically reduce the gap between the business and stakeholders. Adopting mobility to work narrows the gap even further. Basically what happens is, there is access to information anytime, there is increased productivity but the risk goes up. The next big thing is the Internet of Things (IoT) – by adopting IoT into business, everything is going to change and risk is going to double. 

“The question is whether to allow mobility into business or not; but when you compare risks and rewards, obviously the rewards are higher,” Shan explained. 

Mobility has become the primary access mechanism for employees and customers to interact with the business. When companies develop apps for mobility they first consider developing a mobile app. 

If you look at the mobile market (as per August 2015); 83% of the devices are Android, 14% are Apple and 3% are Windows. 

“The eco-system of the company would have, COPE (corporate-owned personally-enabled) policy, that is when an enterprise provides its employees with mobile computing devices to use in business tasks. And when the employees carry their own devices to be used in the work environment, it’s called BYOD (Bring Your Own Device). These devices can be anything from mobiles, tablets to laptops,” he added. 

Challenges in mobile enterprises

“Firstly, distributing mobile applications is a challenge. Let’s say your company developed an application for iOS or Android – you can’t send it via email or transfer it from a mobile device to another. This is where the ‘Public Store’ concept comes in, just like Google Play (For Android), Apple Store and Windows Store. Once published, the application will be available for download for your employees to install,” he continued.

This application is going to access the data from a Cloud or internal database. The two major issues that arise with mobile apps is Data Security and Application Security. It’s important to protect this company data and the application itself so that an attacker might not abuse it. The other big concern is how to remotely control the device.

“A device can hold a lot of sensitive data that is confidential like tender notices and salary information. Therefore, it can have a high impact in the hands of the wrong person. Losing a mobile phone and malware that sneaks into the phone via applications and data transfers can cause data leakage. That’s not all, Rooting which is the process of removing the security limitations imposed by the operating system vendor can cause a threat as well,” he emphasised.  

How to solve the problem of data security

There are two basic methods to provide security – Device based and Application based. 

“In a device based solution, you control the entire device using a protective fence we call Mobile Device Management (MDM). Here a policy is enforced before allowing access to the corporate data. For instance, this can include a password policy that says, if you leave the phone idling, the screen will be locked within a minute. It can also monitor your location for the device, configure the device, update the OS and patch the device against security loopholes,” Shan underscored. 

“However, there will be a few issues on the usability perspective. Say for example, your phone gets locked very often when trying to contact somebody while driving. The disadvantage of MDM is that there is no granular control of the sensitive data and there can be privacy issues. For instance, the users may have compromising or personal photographs on their devices which may be accessible through company systems.”

Application Security concerns three categories of applications – the default/vendor applications, applications you download from the Public Store and Enterprise applications. 

Further explaining the development of applications, Shan said, “There are six different ways you can develop applications. Responsive Web applications can be rendered through the browser; you don’t have to download the application. Hybrid Web applications have to be downloaded but it has a browser built into the app. Mobile Web is writing an HTML kind of application specific to a browser. Hybrid Native is a different concept, let’s say you write your code in Java Script or C Sharp (C#) and compile the code to Native itself and it’s not a web browser. The code is converted into Native code and you maintain only one source. Native Apps as the name suggests are developed using Android, iOS and likewise. Widgets is where you have HTML pages, Images and Style Sheets etc. bundled into a file, but this is not supported by Android or iOS.”

The next challenge is separating the application and the data and making sure these don’t interact with your regular applications. This technique is called Mobile Virtualisation. 

“Previously, Virtualised OSs were used on the same mobile platform. This didn’t work because like in dual-boot computers you have to shut down one platform to access the other. The other solution was to use a virtual box sort of environment where both platforms will be running parallel. Samsung came up with KNOX container where all applications can be seen on the same screen but you can’t share data between normal applications and applications in the container. The Blackberry came up with the concept called Blackberry Balance (BB) where you can switch between work and personal modes. These however encountered many issues.” 

What are the other ways?

The other mechanism is remote desktop known as ‘Mobile Desktop Virtualisation’. This is basically the delivery of a virtual machine image that runs business applications, to a tablet or smartphone. The problem with this technique is the lack of instant connectivity. 

“It’s also possible to remotely control the application so the application and data is in the device itself but in a container (containerised). When an employee quits the job, all you got to do is to delete the container. The enterprise has control only over that container and the other data of the user goes untouched.”

Another approach is to provide an application that connects to the server and emulate the interface so that application or the data doesn’t reside in the mobile device. The third approach is the Mobile Web application where you write your own applications whether it’s for email or other business functions and allow access through a browser while encrypting the data that resides within the browser.

How to control your data from applications

“Mobile App Management (MAM) is a tool used in enterprise mobility management to control the data inside the application. The frontend is displayed on the mobile and at the backend they have full control of the application – they can login and wipe the data inside the application. Here, only the applications within the devices are managed,” Shan said. 

There are two approaches to application security. 

“MAM SDK approach where a MAM vendor provides developers with a software library that is integrated into their apps in the development. For applications that are already developed, the App Wrapping technique can be used. App wrapping lets enterprises modify and secure third-party apps. This will basically inject some code, a library that reverses your code. This cannot be used for applications from the Store but it’s legal to use it on some downloaded applications to a certain extent. Moreover, the enterprise can use their own App Store to be more secure,” he added. 

Strategy to adopt mobility

Developing applications that use corporate data is really not enterprise mobility. The first step in achieving mobility is to prepare the workforce. There should be a team who has been properly trained and have experience in mobile technology and security. Certification is a great way to determine the effectiveness of employees’ ability to meet business demands and expectations. 

Once you have your team, you can use any enterprise mobility management tool. This will allow the enterprise to have control of the devices and apps. However, the tool needs to be open-source to ensure that it doesn’t leak your data. There are mobility management companies to which you can subscribe and tools that you can purchase and implement in-house – but in this case, you don’t know what is really happening to your data. 

The next step is to decide whether you’re going to have a MDM (Mobile Device Management) or MAM (Mobile App Management) within the organisation. Also, whether to have a BYOD policy or COPE policy. If you’re entertaining BYOD then you don’t want to be using MDM because the device is owned by the employee and they might not like to give you control of their device but MAM approach might be more suitable.

Afterwards, you need to consider the strategy on mobile app development. What would be the best approach to suit your business needs? This depends on several factors. 

Say your organisation has only web application developers or the availability of developers is limited, then you should go for a Responsive Web or Hybrid Web approach. If you want to instantly publish the app without going through the publishing process then you might want to go with Responsive Web. If you want to maintain a single codebase then you can deploy Hybrid Native, and likewise.

The next important step is to do threat modelling for mobile application development. Companies rarely do threat modelling for mobile apps but it’s very important. Before you start development, you have to do threat modelling, the other way around is not effective and a waste of time. The areas of concern would be Mobile App Architecture, Mobile Data, Threat Agent Identification, Methods of Attacks and Controls.  The developers can consider the OWASP top ten mobile security threats as a guideline.

Final step is to conduct a security code review on the application, followed by penetration testing and fuzz testing – these are software testing techniques used to discover coding errors and security loopholes in software applications.  

Shan concluded the session by highlighting that mobile security needs to be proactive and the authentication needs to be context-aware. 

There’s no way anyone can guarantee 100% security for mobile apps but all you can do is make it harder to break.