
5 mobile security issues that should worry every developer in 2017

In 2016 mobile moved forward aggressively to become the primary medium of consumer engagement worldwide. But the year also brought a huge number of security risks: Apple reacted to its first major security incident involving Xcode (known as XcodeGhost), and a denial-of-service attack brought most of the Internet to its knees last fall. This time the attack didn't come from servers and PCs, but from commands sent to millions of infected mobile devices.

So, with more than 2.2 billion mobile users now active worldwide, what will be the significant threats that developers and IT Ops will need to manage in 2017? Here are five you should be tracking.

SANS 2016 State of Application Security Report

1. The threat from cheap, non-upgradeable, Android phones

Android is not going anywhere. Demand for Android will continue to grow in 2017. The primary growth will be in emerging Asian countries such as China and India; more than 200 million people in those two nations are expected to buy their first mobile device in 2017. Another area of rapid growth for Android devices will be African countries. Cashless payment systems are already common practice in Kenya and other nations, and for this reason it makes sense for cheap Android phones to become commonplace.

The key word is “reasonable.” Companies are developing Android devices for less than $25. Today you can go to PriceBaba.com and choose from over 600 phones all under $75, the cheapest at just $12.54. The challenge with these low-cost phones is that the manufacturers do not design them to be upgraded. It does not matter if Google comes out with a new version of Android: these cheap phones do not change.

The way my team is addressing this challenge is two-fold:

  • Require that all phones your organization supports use the Google Play App Store, and do so exclusively. You have a much lower chance of running a virus or malware app if the app comes from Google’s own servers. Tell your users not to download apps from other Android app stores that are not run by Google.
  • For enterprise use, choose phones that support Android for Work. This may surprise you, but many of the less expensive Android phones do support Android for Work. Couple that with mobile device management or enterprise mobility management software, and you have a secure way to deliver enterprise data to mobile devices.
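As an added example (not code from the article), this is how the two rules above are enforced technically on an Android for Work device: the EMM's device policy controller (DPC), once it is the device or profile owner, applies a user restriction that blocks installs from anywhere but Google Play. The class name, the `adminComponent` parameter and the assumption that the EMM has already provisioned the DPC are all hypothetical.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Hypothetical helper inside an Android for Work DPC; assumes the EMM already provisioned it. */
public final class PlayOnlyPolicy {
    private PlayOnlyPolicy() {}

    /**
     * Restrict app installs to Google Play on a fully managed device or a work profile.
     * adminComponent is the DPC's DeviceAdminReceiver (assumed to be registered by the EMM).
     * Returns true if the restriction is now in force, false if this app is neither the
     * device owner nor the profile owner and therefore cannot set restrictions.
     */
    public static boolean enforce(Context context, ComponentName adminComponent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        String pkg = context.getPackageName();
        // Only a device owner (whole phone) or profile owner (work profile) may add restrictions.
        if (!dpm.isDeviceOwnerApp(pkg) && !dpm.isProfileOwnerApp(pkg)) {
            return false;
        }
        // Block "Unknown sources": sideloading APKs or installing from third-party stores.
        dpm.addUserRestriction(adminComponent, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        // Block USB debugging, which would otherwise allow adb-based installs around the store.
        dpm.addUserRestriction(adminComponent, UserManager.DISALLOW_DEBUGGING_FEATURES);
        return true;
    }

    /** True on Android 7.0 (Nougat) or later; lets the EMM flag phones stuck on older builds. */
    public static boolean isNougatOrLater() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.N;
    }
}
```

The restriction applies to the whole device when the DPC is device owner and only to the work profile when it is profile owner, which is the case for the cheaper phones that support Android for Work but are not fully managed.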

Android continues to be a center of innovation for Google. Android 7.0, or N (for Nougat), is a big step up for Android, providing a foundation on which Google will build in 2017.

The most significant leap for Android in the next 12 months? Android, which has finally found a place in the enterprise, will be more modular, and easier to manage regardless of the manufacturer of the device on which it runs. Expect to see the first signs that Google is finally solving the problem of Android fragmentation.

2. Android Instant Apps security: Wait for it...

The new implementation of Android Instant Apps is breaking down the wall between mobile apps and the mobile web. But do Instant Apps repeat the security breakdown that Microsoft's notorious ActiveX plugins brought to the desktop web? What do you need to do to embrace Instant Apps securely? My team is taking a wait-and-see approach. Instant Apps were only introduced last June at Google’s I/O conference.

The concept of Instant Apps is devilishly cool: when a user with an Android phone visits a web site that can also run as an app (such as Amazon.com or Netflix), only the bits needed to execute the app are installed.

Think of Instant Apps as just-in-time delivery for the mobile world. After you leave the site, the app disappears. The benefit is that app developers can leverage the discoverability of the web without the need to go through an app store. There are also benefits for emerging markets, where cheap devices mean tiny memory and users need to swap apps in and out as needed.

The problem, as Google readily admits, is that Instant Apps are currently a half-baked solution. Wait until the end of 2017 to see if Instant Apps receives the security protections needed to be successful on corporate devices before you open the floodgates.

3. Protect yourself from rise in mobile-based cyberattacks

In 2017, mobile devices will be the vector of choice for committing denial-of-service attacks. How do you prevent the same type of attack on your network? The challenge, fortunately, can be addressed by implementing an enterprise mobility management (EMM) system. EMM is an evolution of mobile device management (MDM) software, but it includes additional services such as cloud-based identity-as-a-service (IDaaS), endpoint management, and enhanced security features for the apps you develop.

The rapidly evolving world of cyber warfare means that you must always review and update how you manage mobile devices on your networks.

In my organization we plan to establish a global governance group with the mission to understand and implement mobile apps that both improve the productivity of our employees and protect us from malicious attacks. The group takes the view that an attack is going to come, so we must prepare now.

4. The rise in IoT devices means more data, communications, to secure

The Internet of Things, IoT, continues to explode. Sensors and micro-devices are everywhere. How do you secure the data being passed between these devices?

Fortunately, the IoT is not quite as new as everyone would like you to think. Before there was IoT, there were machine-to-machine (M2M) sensors, and before that you had client-server. The difference is that IoT devices and sensors are much smaller.

The approach my organization is taking to protect ourselves from malicious attacks on our IoT devices is to build security deep into our systems from the get-go. Don’t use unproven new IoT services; work instead with established, production-grade services such as AWS IoT and Microsoft Azure IoT.

Leverage hardware that's already certified for different security levels, and follow app development best practices that comply with security standards when, for example, using Bluetooth low energy to connect sensors to an app on the user's phone. Do this, and your IoT plans for 2017 can focus on driving solutions rather than fixing security vulnerabilities.

5. Social commerce security: Get professional help

How do you provide secure connectivity for platforms within platforms? Working with social commerce is, frankly, a little daunting. On the one hand, you have platforms such as iMessage, released with Apple’s iOS 10. Apple has applied its standard approach to software security to iMessage. Brilliant.

Elsewhere it's the Wild West out there, and WeChat is a prime example. The best advice I can give when dealing with the security implications of social commerce is to work with a partner who has experience in this field.

Stay focused

In 2017, mobile vendors will continue to build on many of the technologies introduced in 2016. You'll see new technologies such as virtual reality, but these will remain on the fringe of broader adoption for most of the coming year. Don't be distracted.

Your focus, from a security standpoint, should be on the service and hardware vulnerabilities of the 2.2 billion mobile devices out there that may be trying to connect to your mobile commerce sites, read your email, or gain access to your company's intellectual property.

Image credit: Flickr
