Whitepaper from Mubaloo explains how to ensure corporate apps are not compromised.
Mubaloo is a UK mobile consultancy which consults with businesses to help them develop and deploy applications for the enterprise, with clients including Hargreaves-Lansdown, Haymarket and HP.
A recent whitepaper by the company, ‘Security for Mobile Apps’, outlines the steps that organisations need to take to ensure that their corporate apps remain secure. Mubaloo groups these steps under two main headings: securing the devices themselves and securing the app data.
With carelessness, malicious third parties and malicious employees all being factors that can jeopardise security, it is important to cover all bases.
An approach to securing the device will of course differ depending on the type of device. A personal device, owned by the end-user, will mean that the enterprise has no control over the device or operating system. In this case, Mubaloo suggests that security features will have to be implemented as part of the app.
The devices that Mubaloo defines as "personal managed" will allow IT some control over the device and the operating system via profiles. Profiles allow the department to dictate certain settings that the device will have to meet in order for an app to work. Examples include VPN settings or passcode enforcement. In extreme circumstances, the IT department might be able to take control of the device, but this is likely to meet with hostility from the users.
"A balance needs to be found between having enough control to protect corporate data and not taking liberties with the user’s device."
Meanwhile, with company-owned devices, Mubaloo notes that the company will have full control over what is done with them. This leaves a choice between adopting mobile app management (MAM) and mobile device management (MDM). MAM is more suited to organisations operating a BYOD policy, as IT can control the use of corporate apps without infringing on the device-owner’s use of the device. MDM is more applicable in a situation where the enterprise has issued the device.
Mubaloo elaborates on different methods of controlling access. When it comes to user authentication, the paper suggests that "mobile apps and the servers they communicate with should be authenticated using a stateless, token based authentication model." In the stateless model no user session state is stored on the server, so each individual request from the client has to be authenticated on its own.
This authentication process can be performed through two different types of token, which are sent in the header of every request where authentication is required. Registration tokens are created and stored for every new user that joins a database, while authentication tokens are generated whenever the user logs into the app. Mubaloo suggests that "tokens should be generated on the server using an acceptable encryption algorithm and not on the device."
Mubaloo’s recommended approach is as follows:
"Any user wishing to use the mobile app, will be required to log in via the desktop portal first and generate a one time login code (2 factor auth). This code will be time limited and will be invalidated once the time has elapsed."
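The flow quoted above (a server-issued, time-limited, single-use login code from the desktop portal, exchanged for a token that is then carried in the header of every request and verified without any server-side session state) as an added Python example; this is not code from the whitepaper or from Mubaloo, and the server key, the lifetimes and the HMAC-signed token format are assumptions made for the illustration.

```python
import base64, hashlib, hmac, secrets, time

# Constructed server-side secret for this example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"
LOGIN_CODE_TTL = 120     # one-time login code lifetime in seconds (assumed value)
AUTH_TOKEN_TTL = 3600    # authentication token lifetime in seconds (assumed value)

# One-time codes are remembered (hashed) until redeemed or expired; auth tokens need no server state.
_pending_codes = {}      # sha256(code) -> (user, expiry)

def _sign(payload):
    # HMAC over the token payload; hex output so the signature can never contain the "." separator
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_login_code(user, now=None):
    """Desktop portal step: mint a time-limited, single-use code for an already logged-in user."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)          # generated on the server, never on the device
    _pending_codes[hashlib.sha256(code.encode()).hexdigest()] = (user, now + LOGIN_CODE_TTL)
    return code

def redeem_login_code(code, now=None):
    """Mobile app step: exchange the one-time code for a stateless authentication token."""
    now = time.time() if now is None else now
    entry = _pending_codes.pop(hashlib.sha256(code.encode()).hexdigest(), None)  # pop = single use
    if entry is None or now > entry[1]:
        return None                                     # unknown, already used, or expired
    payload = f"{entry[0]}:{int(now) + AUTH_TOKEN_TTL}".encode()
    return base64.urlsafe_b64encode(payload + b"." + _sign(payload)).decode()

def authenticate_request(headers, now=None):
    """Per-request check: nothing is looked up server-side, only the token in the header is verified."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        payload, sig = base64.urlsafe_b64decode(auth[7:]).rsplit(b".", 1)
        user, expiry = payload.decode().rsplit(":", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None                                     # malformed token
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                                     # signature mismatch: forged or tampered
    if now > expiry:
        return None                                     # token lifetime elapsed
    return user
```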
The report concludes: "Mobile applications are inherently more secure than desktop applications due to sandboxing; the mobile operating systems have not copied the mistakes of their desktop predecessors. However, data caching on devices throws up privacy and security concerns we did not previously encounter in the web world.
"Ultimately, it’s all about balance. You need to find the right balance between what works for you from a data security perspective and what your users will accept from an access perspective, so make sure the right people are involved in the project. Do not leave IT or security out in the cold in favour of UX and do not let security run riot over the UX."