Modified on by Christian Karasiewicz
This blog post is contributed by Jonathan Marshall, a WebSphere Technical Professional.
We all know that security is important. In mobile application development, breaches are costly both financially and in terms of the trust of consumers and employees.
There are many studies that illustrate the challenge and cost of security flaws:
According to data from Arxan Technologies, 100 percent of the top 100 paid apps on Google Play have malicious variants. The same is true of 92 percent of the top 100 paid iOS apps.
The average cost of a data breach is $3.5 million, counting lawsuits, loss of customer trust and damage to brand. The IBM X-Force Threat Intelligence report puts it another way: each lost record costs $136.
Fixing bugs in production is around 30 times more expensive than fixing them in development.
What can we do about this? The goal of mobile development is to get faster, to become more iterative and to increase agility, while maintaining or even reducing costs.
Here is the good news. While mobile development remains a fairly new area, still growing in maturity, there are already some well-established practices that can be applied to mobile to build security into your mobile solution from the start.
1. Automate application scanning
The key to maintaining rapid development cycles is to automate the scanning of the mobile application as part of development builds. That way security testing isn’t left to the end of the development phase but is integral to the iterative development and testing cycle. This increases the speed of development, reduces the cost of fixing issues and improves the security testing coverage.
Scanning tools, such as IBM Security AppScan Source, provide broad coverage of known vulnerability classes, such as those catalogued in the OWASP (Open Web Application Security Project) Top 10. Importantly, these tools are maintained and updated as new classes of issue are discovered, so it isn't left to the developer to become an expert in each and every vulnerability.
2. Use proven architectures
All engaging mobile applications need access to real data and perform real transactions. This requires secure integration with cloud and on-premises systems. The top risk in the OWASP Mobile Top 10 is “weak server-side controls,” which is the collection of well-known web application security issues surfacing behind a mobile front end.
How do we provide secure access to this data? There is already a well-known deployment pattern, and we can use a lot of the learning that we have obtained over recent years with application servers and other middleware.
Don’t build a custom mobile gateway. Consider the security requirements for your solution, and use existing middleware that is hardened and proven.
One advantage mobile has over traditional web security is that the client can supply additional context with each request: which network it is on, its location, whether the device is rooted or jailbroken (for example, using the IBM Security Trusteer Mobile SDK) and so on. These signals can feed a risk factor into the authorization decision, so the gateway can allow a request, demand step-up authentication or refuse it rather than relying on credentials alone. One caveat: context reported by the client is itself untrusted unless it comes from an attested component, so treat an absent or unverifiable signal as added risk, not as a clean bill of health.
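As an added illustration of feeding device context into a risk-based authorization decision (example code written for this page, not from the original post or from any IBM product; the signal names, weights and thresholds are assumptions):

```javascript
// Added example, not code from the original post or from IBM products.
// Every name, weight and threshold below is an assumption chosen to show the
// mechanics of context-based risk scoring in a mobile gateway.

const policy = {
  trustedNetworks: ['corp-wifi', 'corp-vpn'],
  allowedCountries: ['GB', 'IE'],
  denyAtOrAbove: 80,                       // refuse outright at or above this score
  stepUpAbove: { read: 50, payment: 25 },  // per action: demand a 2nd factor above this
};

// Signals the gateway can observe (network, country from the source address,
// known device id) or is told (device integrity from an attested SDK).
// A client-reported signal that cannot be verified adds risk; it never
// subtracts it.
function scoreRequest(ctx, pol) {
  let score = 0;
  const reasons = [];

  if (ctx.deviceCompromised === true) {
    score += 100; reasons.push('device reported rooted/jailbroken');
  } else if (ctx.deviceCompromised !== false) {
    score += 40; reasons.push('device integrity unverified');
  }
  if (!pol.trustedNetworks.includes(ctx.network)) {
    score += 30; reasons.push(`untrusted network ${ctx.network}`);
  }
  if (!pol.allowedCountries.includes(ctx.country)) {
    score += 40; reasons.push(`request from ${ctx.country}`);
  }
  if (!ctx.knownDevice) {
    score += 20; reasons.push('device not previously enrolled');
  }
  return { score, reasons };
}

// allow / step-up / deny, chosen from the score and the action's sensitivity.
function authorize(ctx, action, pol = policy) {
  if (!(action in pol.stepUpAbove)) throw new Error(`unknown action ${action}`);
  const { score, reasons } = scoreRequest(ctx, pol);
  let decision = 'allow';
  if (score >= pol.denyAtOrAbove) decision = 'deny';
  else if (score > pol.stepUpAbove[action]) decision = 'step-up';
  return { decision, score, reasons };
}
```

The gateway would call authorize() once per request with the context it observed and write the reasons to the audit log. The shape of the policy matters more than the numbers: sensitive actions get lower step-up thresholds, and a device whose integrity cannot be verified is scored as a risk rather than assumed clean.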
3. Encrypt sensitive data
It is also important to consider the security of the data. Gone are the days when data stayed safe behind enterprise firewalls. Data is going mobile, and it needs to be handled accordingly. Combine that with the fact that the mobile device and the mobile application can be compromised, and you can see how important it is to make sure that the data remains secure.
Only store the data you absolutely need. Don’t keep anything that is too sensitive, such as credit card numbers, on your device. Consider writing purging algorithms that periodically tidy up the data held offline.
Encrypt sensitive data when it does need to be stored. Technologies such as IBM MobileFirst Platform provide an encrypted on-device database, JSONStore, that uses strong encryption. This addresses the second risk on the OWASP Mobile Top 10, “insecure data storage.”
As I mentioned, a lot of standards, styles and techniques for developing mobile applications are still maturing, but that doesn’t mean that security must be immature. There are great platforms and technologies available that can take the burden of building and maintaining secure mobile applications, mobile infrastructures and data away from the developer.
Do you have tips or techniques that you use to build good security into your development processes? Leave comments here, or contact me on Twitter at @jmarshall1.
This blog post is contributed by Junggun Cho, a member of the IBM Global Technology Services Workplace Architecture team within the IBM Mobility Center of Competency.
In part 1 of this series I discussed the development of mobile strategy, policy and education to help companies become a successful mobile enterprise. Now I want to talk about another very important issue: security.
Most companies approach mobile security with a focus on the device, whereas IBM's view is that all three areas (devices and operating systems (OS), network or back office, and mobile apps) must be secured together. Let's examine each area.
Device and OS security
When I’ve showcased IBM to the customer, I've often found that many of them still tend to approach mobile security from the same perspective as PC security. It is true that we need to manage mobile security to the same level; however, the security risk of mobile devices is different from that of PCs.
[Figure: Mobile device risk overview]
As shown in the above figure, most security risks for mobile devices are not caused by malware but by loss, theft and seizure. Therefore you have two options: (1) Don’t store sensitive information in your mobile devices, and use Virtual Desktop Infrastructure (VDI) instead. (2) If you choose to store sensitive information, appropriate security policies should be established for device registration, corporate compliance, information wipe, device lock, encryption and so on.
For instance, a certain company I know found that as many as 5 percent of their employees’ mobile phones are reported to have been lost, 40 percent of which were permanently lost. Nobody knows what kind of damage could result if the company's confidential information was stored on those lost mobiles.
As for OS security, a policy needs to be set in place that only allows devices with properly secured OS versions to be connected to the corporate network. A corporate guideline for a minimum required OS version should be provided, as mobile operating systems are continuously patched and updated with security patches just like those for PC. However, security of smart devices is much less developed than that of PCs. Mobile phone providers need to strengthen security features for enterprise users.
To mitigate device security risk, mobile device management (MDM) should be used; it is the most basic of basics and generally regarded as a must. However, implementing an MDM solution does not necessarily guarantee mobile security. It is the CIO organization's task to determine how to optimize the settings of this tool.
Device-level configurations that can be enforced by MDM are:
- Passcode policy (minimum length, alphanumeric, auto-wipe after too many incorrect passcode attempts, forced passcode change frequency, automatic lock after a certain period of inactivity and so on)
- Remote wipe when lost
- Check that anti-malware is installed
- Check OS version and whether the device is rooted or jailbroken
- Storage encryption check (backup image encryption for iOS devices)
- Prevent browser pop-up windows
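The checks above expressed as a compliance evaluation an MDM back end might run against a device report, as an added example (written for this page, not code from the original post or from any MDM product); the report and policy field names are assumptions, and the version comparison is included because a naive string compare rates '4.10' below '4.2':

```javascript
// Added example, not code from the original post or from any MDM product.
// Field names in the policy and in the device report are assumptions; a real
// agent reports its own schema, but the checks are the ones listed above.

// Numeric, segment-wise version compare: '4.10.1' > '4.2'. A plain string
// compare gets this wrong and would let old builds through.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const policy = {
  minOsVersion: { iOS: '6.0', Android: '4.1.2' },
  passcode: {
    minLength: 6,
    requireAlphanumeric: true,
    maxAgeDays: 90,             // forced change at least this often
    maxInactivityMinutes: 5,    // auto-lock within this period
    wipeAfterFailedAttempts: 10,
  },
  requireStorageEncryption: true,
  requireAntiMalware: { iOS: false, Android: true },
};

// Returns the list of violations; an empty list means the device may connect.
function evaluateCompliance(report, pol = policy) {
  const v = [];
  const minOs = pol.minOsVersion[report.platform];
  if (minOs === undefined) v.push(`platform ${report.platform} not approved`);
  else if (compareVersions(report.osVersion, minOs) < 0) v.push(`OS ${report.osVersion} below minimum ${minOs}`);
  if (report.rooted) v.push('device is rooted or jailbroken');
  if (pol.requireStorageEncryption && !report.storageEncrypted) v.push('storage encryption disabled');
  if (pol.requireAntiMalware[report.platform] && !report.antiMalwareInstalled) v.push('anti-malware not installed');

  const pc = report.passcode || {};
  const want = pol.passcode;
  if (!pc.enabled) v.push('no passcode set');
  if ((pc.minLength || 0) < want.minLength) v.push(`passcode minimum length ${pc.minLength || 0} below ${want.minLength}`);
  if (want.requireAlphanumeric && !pc.alphanumeric) v.push('passcode must be alphanumeric');
  // A value of 0 from the agent means "never", which is a violation, not a pass.
  if (!pc.maxAgeDays || pc.maxAgeDays > want.maxAgeDays) v.push(`passcode must expire within ${want.maxAgeDays} days`);
  if (!pc.inactivityLockMinutes || pc.inactivityLockMinutes > want.maxInactivityMinutes) v.push(`auto-lock must trigger within ${want.maxInactivityMinutes} minutes`);
  if (!pc.wipeAfterFailedAttempts || pc.wipeAfterFailedAttempts > want.wipeAfterFailedAttempts) v.push(`wipe after at most ${want.wipeAfterFailedAttempts} failed attempts required`);
  return v;
}
```

The point of returning every violation rather than the first one is that the enrollment screen can tell the user everything to fix at once; the "0 means never" handling is where real deployments most often go wrong, because an agent that reports a disabled setting as 0 will sail through a check written as a simple "less than".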
Network and back office security
The second security area is network and back office.
In the long term, IBM plans to allow access to IBM systems regardless of OS or ownership of devices and is designing its security system based on this vision. This is a system that only allows devices confirmed secure to access the in-house network through internal WiFi or external virtual private network (VPN). In this system, mobile users and devices should be identified first to be allowed or denied access.
Many considerations need to be put into VPN implementation. You can categorize users and then grant higher access privileges to power users (and raise the device security level instead); or allow access per application by means of reverse proxy (and lower the device security level instead). Mobile devices mainly use wireless communication, so the traffic might be intercepted unless proper protection is provided by encryption. This makes the proper choice of VPN solution even more important.
Mobile app security
The third security area is mobile apps. Applications are written by humans, so the level of security applied during coding can vary greatly unless proper management tools are used. To this end, you must identify an application’s vulnerabilities, select proper development tools to handle them and ensure the applications are consistently updated.
In addition, the enterprise app store should be properly managed too. Unlike other applications, mobile applications can be freely developed and distributed by anyone, which also means that malicious apps can be easily distributed. I therefore recommend that you create an enterprise app store where you can download only authorized enterprise apps and easily update those apps.
“High-level security” cannot be achieved by whatever security tools you might use to care for the above three security areas alone. Mobile devices are portable, so their confidential data can be exposed to anyone at any time, and no security tool can completely prevent such information exposure. Security training for users is therefore indispensable.
Implementing a secure environment with limited in-house security resources is not easy unless done by a specialized IT company, as it requires lots of testing and research. I recommend that companies get consulting service on mobile security. IBM can recommend an optimized security level for your enterprise based upon its successful security consulting experiences, ranging from internal customers to various industries including finance, health care and so on.
Smart devices are always carried with the user, which requires consideration for user's convenience and privacy. While users focus on convenience, companies have to balance between security cost and security level. Determining an appropriate security level for your environment while considering the cost is the trickiest problem.
What are your experiences with security in a mobile enterprise? Share your comments below, and please stay tuned for the next installment in my series, “How to be a successful mobile enterprise.”
Junggun Cho helps oversee security, network and mobility areas in Korea BT/IT. She is also an IBM Redbooks thought leader. Follow Junggun on Twitter at @junggun_cho.
This blog post is contributed by Nguyen Van Duy, an IBM Associate Certified IT Architect with GTS Vietnam, working for GBS Innovation Center as the development team leader in Vietnam.
When you’re developing interactive applications with simultaneous editing ability (for example, a virtual collaborative whiteboard, chat, online game or real-time reporting system over the web), using the traditional loosely coupled HTTP request/response web model is obviously not an efficient way to go. That approach is simply not designed for a real-time model. We need a more lightweight protocol that can provide a full-duplex communication channel between endpoints of the system to achieve as near a real-time experience as possible.
This need is becoming critical as such applications are deployed and run in the mobile world, where the resources for staying connected are sometimes very limited: limited bandwidth, limited memory, lots of
A number of creative approaches (work-arounds) aiming to create a real-time feeling for users have been implemented (for example, Ajax, Comet). So far these have served the connected world well by bringing together good user experience with the ability to shorten the time in which data is being sent between client and server. But these approaches still have several limitations from a resource-consumption perspective: a huge redundancy of network traffic, server demands and the complication of maintaining two HTTP connections between endpoints (one for the upstream and another for the downstream).
Using WebSockets is a big step forward in the effort to create an engaging, interactive user experience. It could provide capabilities such as real bidirectional communication, low latency, significant reduction of overhead and dramatically reduced complexity of
From a security standpoint, though, some people are afraid of using WebSockets because of risks that can create vulnerabilities. The WebSockets application programming interface (API) allows a page to establish WebSockets connections across domains without the user’s acknowledgement, and requests are sent without notifying the user. This allows script injected into the victim’s client application (the user agent; for example, a browser, mobile app and so forth) to establish a WebSockets connection to an arbitrary target. The connection can then be utilized by the attacker for malicious purposes, such as a remote shell, a web-based botnet or port scanning.
Cross-site scripting (XSS) vulnerabilities have long been common in web technology, but utilizing WebSockets introduces some threats that give an attacker more power to control the victims, assuming that the user somehow visits a malicious service, or a website whose XSS vulnerability has been exploited, from the user agent. Once loaded in the user agent, the injected script can easily establish a WebSockets connection to a malicious server and create a remote shell to utilize the victims for malicious purposes: a Distributed Denial of Service (DDoS) attack (with lots of victims), access to the company’s intranet services for information, port scanning or using the victim’s user agent as a proxy, a springboard for other
Friendship between WebSockets and proxies, firewalls
In November 2010, a serious security issue involving WebSockets was reported. WebSockets was not yet widely adopted, so some transparent proxies didn’t correctly understand the HTTP Upgrade mechanism used for the WebSockets handshake and could be tricked into caching attacker-controlled content for other users (a cache poisoning attack). Frame masking, in which the client XORs every frame it sends with a fresh random 32-bit key so that the bytes on the wire never look like an HTTP request, was added to the protocol to avoid that vulnerability. In turn, the masking and the other naturally lightweight features of the protocol (lack of metadata such as HTTP headers and a per-message content length) make it harder for virus and malware scanning tools to analyze data patterns and detect malicious content carried over a WebSockets channel.
The vulnerabilities are mostly not specific to the WebSockets API or the protocol, but the freedom of the new data exchange model opens up more threats and more attention is needed to secure the communication. Best practices for traditional web programming should still be applied for
- Maximize the validation on both client and server side against the received input. Client and server basically should not trust each other.
- Maximize the use of Transport Layer Security (TLS) encryption to achieve confidentiality and integrity.
- Carefully implement authentication and session management between endpoints.
When you are struggling with the trade-off between security and performance while deciding whether or not to use WebSockets, it might be a good choice to utilize a well-known solution for your particular need. One of the proposals to deploy your application that uses WebSockets is to not make it a mobile web application that runs on web browsers of the users’ mobile devices, but instead to use an alternative way: build a hybrid mobile application and stick your client application with a proven server-side solution, for example, Node.JS (and Socket.IO, or Worlize). IBM Worklight offers you a way to easily build a hybrid mobile application (and much more). You can basically build your app in a web-based code such as
eventually run on top of a thin native container that utilizes the device’s webkit engine, instead of using the mobile browser itself (you need some work-around for dealing with Android though, because unfortunately WebSockets has not been supported in its embedded webkit
Be well aware of the security vulnerabilities of using WebSockets. Dealing with them properly will help you to build a secure, interactive mobile application and enjoy the near real-time experience on your mobile devices in a collaborative world where time is precious and conserving resources is critical.
Nguyen Van Duy is an IBM Associate Certified IT Architect with GTS Vietnam, working for GBS Innovation Center as the development team leader in Vietnam. He is also an IBM Redbooks thought leader. Follow Nguyen on Twitter at @duyhat.
This blog post is contributed by Declan McNamara, a Workplace Mobility Architect for IBM Mobile Enterprise Services.
The increasing adoption of Bring Your Own Device (BYOD) in all sectors of the market has the potential to cause conflict between corporate security and employees. On the one side, employees are keenly interested in using their own devices to access their work email or other data. On the other side, the enterprise is trying to ensure that all corporate data
Mobile devices are by their nature harder to secure than traditional desktops or notebooks, and they are much more likely to be lost or stolen. Security is therefore a key element of any BYOD program. Balanced with that, however, is the fact that the mobile device, especially in BYOD, is not just for email or corporate data; it is also the user’s camera, social media device, music player, satellite navigation system, games console and much more. The challenge is to protect the corporate data without degrading the user experience to the degree that users no longer wish to take part in the BYOD program at all.
The following are some of the areas to consider when balancing these seemingly conflicting requirements:
Passcodes are the primary security measure and will typically be required on any device being used to access corporate email or data. Simple PIN-based passcodes usually aren’t sufficient, so we are going to have to live with the complex alphanumeric type until a better system becomes mainstream (most likely some form of reliable biometric). However, one concession that can be made is the “grace period” that is typically supported on all mobile devices. This is the period after the device locks during which it can be unlocked without requiring the passcode. A typical setting for this would be up to a maximum of 15
The majority of devices now support some level of restricting native features of the device such as camera, app store and so on. While there are certainly valid use cases for “locking down” devices (for example, when they are used as a shared device or perhaps for one specific purpose, like a customer-facing app in retail), it is generally not the best practice to lock down or remove features from a device in the BYOD model. A better approach would be specific blacklisting of apps that are considered a risk to corporate security. If we use more advanced device management software, it may be possible to impose restrictions using geofencing techniques so that, for example, the camera may be disabled while within a secure work facility.
The use of containerization is certainly a strategy to consider, as it enables the personal data and the corporate data to be separated and secured to different levels. In certain industries strict rules apply in terms of encryption, audit tracking and so forth, and a secure email container may be the only option. The downside of this is that it may negatively impact the native device experience. The trend in the market, as demonstrated by the recent Samsung KNOX announcement for Android, is a dual persona on the device; this is containerization at a device level where email, apps and so on can be installed in a corporate secured area on the device while personal email, apps, data and the like are installed in the other persona of the
IBM is a recognized leader in providing managed mobility services, and as part of its Mobile Enterprise Services IBM can help you in defining your BYOD policies as well as managing your devices with flexible, subscription-based models.
How have corporate security policies impacted your use of your BYOD device? I’d love to hear your thoughts in the comments, or connect with me on Twitter @declan_mcnamara.
Declan McNamara is a Workplace Mobility Architect for IBM Mobile Enterprise Services. He is also an IBM Redbooks thought leader. Follow Declan on Twitter at @declan_mcnamara.
This blog post is contributed by David Judge, Technical Solutions Manager for Workplace and Mobile Enterprise Services.
Mobile strategy can be a complicated arena, particularly when you actually begin to contemplate every element of the organization that may be affected today or, more importantly, in the future. Mobile is everywhere, and for the enterprise this obvious principle has become very apparent. Strategy now spans well beyond planning a Blackberry infrastructure for mobile email or a point solution for enabling a mobile application. Mobile strategy is now all of this and much more: from how you will maintain or transition your Blackberry infrastructure, to satisfying your mobile application requirements, to providing remote worker solutions supporting multiple devices and multiple operating systems. It can be an absolute minefield, and on top of this the fast-moving mobile trends, technologies and related solutions are constantly changing. Indeed the considerations for developing a mobile strategy are many, but here are six that may apply to yours in 2013:
- Exercise control. It has been impossible to ignore the Bring Your Own Device (BYOD) trend. Many organizations will be clear on their BYOD policies and most likely have implemented some form of control in terms of a mobile device management solution. For those that have not and are considering the relative pros and cons, you must understand that it is not just a technology choice. Deploying the correct mix of HR policy, legal policy, technical control and security is key to the successful adoption of any BYOD initiative.
- Mobile device management (MDM) is changing. Implementing some form of traditional management of mobile device security policies is an obvious necessity and is easily provided by any of the mainstream MDM vendors. MDM is evolving and providing capabilities far beyond policy management as mobile-focused vendors from all disciplines (not just MDM) begin to take a piece of the mobile application management (MAM) pie. This additional functionality typically supports tailored application personas, enterprise application stores, integration and control of document-sharing solutions and application wrappers that control encryption, access privileges and secure data transmission.
- Solutions under lock and key. The security risks posed by the implementation of mobile technology are indeed significant, and careful thought and planning are needed to make sure all loopholes are identified and secured. Mobile solution security comes in many forms, and organizations must give specific thought to:
  - Providing solutions for secure remote enterprise network access from a variety of operating system platforms.
  - Moving beyond device-level IPSec VPN for secure mobile device communications, for example, application-level SSL VPN or “VPN like”
  - On-device endpoint protection including antimalware, antivirus detection and on-device firewall (specifically if you are dealing with
  - Device containerization in terms of only providing access to corporate data from within secure containers installed on the mobile device to provide data leakage prevention.
- If it moves, it’s mobile! Although this can be true of any inanimate object in the world, for the enterprise I am referring to the blurring line between desktop and mobile strategy. The fact is, laptops running Windows (or any traditional desktop operating system) are still mobile devices and must be considered under the same guise as the iOS, Android and other “mobile” operating systems you manage. This convergence of mobile and desktop strategy is in answer to the increasing user requirement for corporate network access on any device, anywhere, anytime (within reason of course). The foundations of this unified approach can be facilitated through technologies including desktop virtualization and traditional desktop management tools such as IBM Endpoint Manager that now incorporate the ability to manage mobile and desktop operating systems.
- What’s new? The answer to this question will probably introduce hundreds of new technologies and three-letter acronyms that we need to learn alongside additional operating system updates for iOS, Android and Windows Phone. On top of this, we’ll see significant releases in Blackberry 10 and Windows Embedded 8 in 2013. Whether you choose to utilize these technologies or not is likely a consideration dependent on your incumbent technology. Blackberry 10 will bring a new user experience, containerization in an enhanced version of Blackberry Balance and the ability to manage multiple mobile operating systems from the Blackberry Enterprise Server. Windows Embedded 8 will begin to appear on ruggedized handhelds, creating another platform for future task worker mobile application solutions.
- See the bigger picture. Over the years it has been all too easy to only deliver point solutions for mobile applications that silo data, and then to eventually require some kind of horrible integration project to try and report on the disparate data stores that these types of solutions create. Of course, as mobile applications grow within the enterprise, so too does the amount of data and the need to try to aggregate that data into a “single pane of glass” that enterprises so prevalently desire. Enter big data, analytics and the mobile application platform. These three concepts are not just buzzwords; they represent opportunities for the enterprise to finally take control of its cross-platform mobile application development and data. This data can then be used to support and pioneer any number of multilevel strategies and key business initiatives.
The considerations for a mobile strategy are always going to be relative to the challenges and opportunities you encounter within your enterprise. What is top priority for one is less so for another but the key is to make sure a consummate road map is constructed. IBM MobileFirst is ideally placed to help construct your strategy with a blend of services such as mobile infrastructure strategy and planning which can underpin the essence of your future mobile initiatives.
David Judge is a Technical Solutions Manager for Workplace and Mobile Enterprise Services and an IBM Redbooks Thought Leader. Follow David Judge on Twitter at @themobilejudge.
Join host Ajit Jaokar for an IBM mobile application hackathon at Mobile World Congress 2013.
For those of you who haven't met Ajit, he brings a wealth of expertise and enthusiasm to this hackathon due to his background in research, academia and technology. This hackathon presents a unique opportunity to interact with IBM Worklight experts and experiment with advanced capabilities of the IBM Worklight mobile application development platform.
About the IBM Mobile Hackathon at Mobile World Congress 2013
- What: IBM Mobile Hackathon at Mobile World Congress hosted by Ajit Jaokar
- When: Monday, February 25. 3:00 - 5:00 p.m. CET
- Where: Hall 8, Theater D
Just bring your laptop pre-loaded with Worklight and your knowledge to build a show-worthy app in 2 hours. We'll provide a brief tutorial of Worklight, and subject matter experts will also be on hand to help you navigate the interface and even fix code errors. Snacks and caffeine will also be provided to hackathon participants to keep you going.
From 5:00 - 7:00 pm, stick around for IBM's technical conference to learn about our latest announcements and capabilities in the mobile space including testing, dev ops, analytics, management and security. The session will end with Ajit showing off your apps to the hundreds of attendees!
Don't wait, as we only have a few spots left. Register for the hackathon
This blog post is contributed by Chris Pepin, Mobile Offering Manager and Evangelist.
According to the 2012 IBM Tech Trends study, the top barrier to enterprise adoption of mobile devices (for example, smartphones and tablets) is security. Specific concerns include device loss and theft, data leakage and malware. While technology is important, it’s only a piece of the puzzle. In this post, we’ll discuss the role of strategy, policy, technology and education in addressing mobile security.
It starts with a strategy. What’s the business problem I’m trying to solve with mobile? Who’s my audience? What types of devices will they be using, and what device features will be used? How will users access my application? What are my success criteria? Having clear and concise answers to these questions will make it easier to apply corporate policy in the next step.
Every enterprise needs a written mobile policy with the terms and conditions clearly spelled out. This is particularly important for use of mobile devices inside the company. If the company already has a personal computer policy, this is a great starting point. Key questions to be addressed in the policy include: What devices, operating systems and apps are supported? Do I need a device passcode? Is there a requirement for remote wipe of enterprise data in the event the device is lost, stolen or the employee leaves the company? What applications are allowed to be used? What are the data privacy requirements? What’s the Bring Your Own Device (BYOD) policy? What’s the policy for employee reimbursement for mobile expenses? You’ll want to include IT, human resources, legal, procurement and reimbursement in the discussion.
Technology implements, monitors and enforces corporate policy. Specific technologies include endpoint management, encryption, containerization, network access (for example, WiFi, VPN), anti-malware and authentication, to name a few. In addition, the mobile application architecture (native, web, hybrid, virtual) and how it will be developed, deployed and updated on users’ mobile devices is critical.
Security starts with the user and with building a culture of security. Regularly educating employees on how to identify cybersecurity threats, protect corporate and client data, safeguard devices and data, and practice security incident reporting is critical.
In conclusion, I’ve provided a high-level overview of four aspects to consider when approaching mobile security. In many ways, security solutions on smartphones and tablets are immature but are continuing to improve. While you may be tempted to hold off on embracing mobile until the market matures, the risk of getting left behind or of facing a security exposure is very real.
Chris Pepin is a Mobile Offering Manager and Evangelist and an IBM Redbooks Thought Leader. Follow Chris Pepin on Twitter at @chrispepin.