Securing 3rd Party Mobile Apps: A New IT Challenge

Posted on September 24, 2014

Everyone in IT knows about BYOD: bring your own (mobile) device. But does your company have a policy and procedure in place to deal with BYOA? Employee use of third-party cloud application services and consumer applications in the workplace is one of the biggest challenges facing IT right now.

According to a recent report from Gartner, this trend represents such a challenge because more than 75% of mobile apps fail basic security tests. Employees download from app stores and use mobile apps that can access enterprise assets or perform business functions, and many of these apps have little or no security assurances. Well-meaning employees can easily expose themselves to cyberattacks and violations of enterprise security policies.

"Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance," said Dionisio Zumerle, principal research analyst at Gartner. "Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security."

The BYOA Challenge

Like it or not, when an employee brings a personally-owned mobile device to work, they're also bringing the apps to work. Among the most popular consumer apps being used for business are Dropbox, iCloud and Google Docs. It's all part of the consumerization of IT, and there are some very real benefits, so companies may not want to rush to ban employees from using these apps. One of the arguments for a light touch is, simply, employee satisfaction. "It's my phone/tablet; don't try to tell me what apps I can put on it," users often say, and they have a point. And there is also little doubt that productivity improves when employees have access to the tools they need to do their job, even if those tools are consumer apps being used in the absence of secure, company-provided apps.

The challenge, however, is security. As employee-owned apps and devices encroach on the corporate network, company data stored in a third-party cloud provider's environment is no longer under IT control. If there is a data breach in the cloud that affects company data stored there by an employee, companies can find themselves liable for regulatory penalties and civil litigation, even though the company had no part in placing the data into the breached environment. Worse, the company may not even be notified about the breach if the employee who is notified is reluctant to admit to violating company policy.

Dealing with BYOA Security

The first step in dealing with BYOA security is to establish an acceptable use policy (AUP) for third-party software, and regularly remind employees of their responsibility for adhering to the policy. TechTarget says that the AUP should cover:

"Today, more than 90% of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied," said Gartner analyst Zumerle. "App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors."

Gartner predicts that by 2017, the focus of endpoint breaches will shift to tablets and smartphones. Zumerle says that there are already three attacks on mobile devices for every attack aimed at a desktop. The security features that mobile devices offer today will not suffice to keep breaches to a minimum. Gartner recommends that enterprises focus on data protection on mobile devices through usable and efficient solutions, such as application containment (via wrapping, software development kits or hardening).

Through 2017, Gartner predicts that 75% of mobile security breaches will be the result of mobile application misconfigurations, rather than the outcome of deeply technical attacks on mobile devices. A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the vast majority.

EMM Rises to the Challenge

Jared Hansen, CEO of secure mobile printing leader Breezy, notes that the leading enterprise mobility management (EMM) vendors are rising to the challenge of helping companies deal with BYOA security questions. "Our secure mobile printing applications, which feature on-device encryption, are integrated with all of the top EMM solutions," Hansen says. "So I have seen first-hand how well companies like Good Technology, MobileIron, AirWatch, Citrix, and IBM's Fiberlink MaaS360 monitor and manage these risks."

One example of how EMM vendors are rising to the challenge is the fact that most of them had their iOS8 versions ready to go on the day that the first new iPhone 6 products were delivered to consumers, Hansen says. Breezy, Good, and MobileIron were all iOS8 ready on day one. MobileIron published a helpful white paper explaining the benefits and new features in iOS8, and Good created a concise list of the new enterprise-ready tools available in the new Apple iPhone and iPad operating system.

Another example, Hansen points out, is how EMM solutions help companies deal with lost mobile devices. "If you've never lost a cell phone, then you're a rarity," he says. Bankrate says that 113 cellphones are lost or stolen every minute in the U.S., and on average, an individual misplaces their phone about once a year.

Overall, more than $7 million worth of smartphones are lost daily. But the cost of replacing a phone can pale in comparison to the financial risk, should your phone find its way into the hands of a hacker. Most people's smartphones hold a wealth of information about them, but 62% of smartphone owners don't password-protect their devices.

In its security framework and evaluator's checklist, Citrix says that the ability to remotely wipe company data from a lost mobile device is one of the 10 "must-have" features for EMM. Quoting enterprise security expert Jack Gold, Citrix says that companies deal with the loss of three to four times as many smartphones as notebooks each year. At an estimated cost of more than $250 per lost record, a data breach can be expensive. In fact, some research estimates the cost of a mobile breach at more than $400,000 for an enterprise and more than $100,000 for a small business, and in some cases these costs can range into the millions.

"Employee-owned devices, by their nature, are going to contain apps that a company doesn't manage, and probably hasn't tested," Hansen says. "So the focus on BYOA risk and security is essential."

For more information about how Breezy's secure mobile printing app with on-device encryption helps to protect company data, watch this video from Breezy, or download The Definitive Guide to Mobile Printing, a free Breezy eBook. For more information about how Breezy is integrated with leading enterprise mobility management (EMM) products, check out the data sheets here.
