When it comes to addressing application security, at Kimberly-Clark we straight out assume that all mobile devices are insecure, all of our applications can be compromised, and people can capture the data moving to and from our apps. We're not paranoid. We just make these central security assumptions for all of our mobile apps. I think of it as insurance in a mobile world.
Given those assumptions, we're always looking for new ways to harden the security of our mobile apps against the most common security failures, and you should too. To do this, we focus on five key areas:
The mobile device
The application
Authentication
Development
Data at rest and in transit
Here are the approaches my team uses within each area, and how you can use our best practices to protect sensitive enterprise data used with your mobile apps.
1. Harden the endpoint: Mobile device management
Mobile security starts with the device, and each mobile operating system—from iOS to Android—requires a different approach for hardening the device itself.
Apple’s iOS-powered devices, the iPad and iPhone, are the most dominant devices in the enterprise. Apple has strict guidelines for what can and cannot be controlled through policy enforcement practices. Apple's policy enforcement lets you create rules such as restricting whether or not the user can install apps on a device. The enterprise is becoming more important to Apple. That said, there are still aspects of device security on which Apple refuses to bend. For example, upgrades to the latest release of an iOS update are not restricted by Apple. This makes it expensive when Apple decides to deprecate a class in iOS, forcing an update to an app.
The most effective way to manage iOS devices is with a mobile device management (MDM) or enterprise mobile management (EMM) product or service from vendors such as MobileIron, AirWatch, MaaS360, and Good Technology. The Microsoft Exchange ActiveSync protocol is another policy management tool that works well for managing devices brought in under a corporate bring-your-own-device program. While not as powerful as MobileIron, Exchange ActiveSync is cheaper and easier to manage.
The relatively low price of Android devices makes them critical to global companies. It is hard to argue that the business should buy an iPhone in India that costs up to $1,600 rather than a $35 Android device. For this reason, my company has been partnering with Google to deploy Android. The version of Android you should be using in the enterprise is Android for Work (A4W), which is part of Android 6.0 Marshmallow. A4W encrypts the device and separates personal and professional apps into two different, managed profiles. A4W is very secure, and it is the combination of the devices, the mobile OS, and MDM that provides the first level of security for your apps.
2. Wrapping your apps: A secure sandbox
Securely deploying the apps is paramount, and "app wrapping" is a quick, easy method for doing so. App wrapping segments the app from the rest of the device by encapsulating it in a miniature, managed environment. All of the leading MDM providers support app wrapping, and with a few setting parameters—and no coding—you can segment your apps. It's easy.
There are, however, a few issues with the app-wrapping approach. Sharing authentication credentials cannot be done within an app wrapper, and while Apple supports app wrapping in iOS, it does not encourage companies to use it. App wrapping is therefore best used to address business problems for specific apps.
3. App authentication: Think single sign-on
Who are you? That's a seemingly simple question, but getting the right answer is complex if you're an app. The digital world makes it hard to know who is who. One fast and easy way to authenticate users is through a combination of MDM/EMM, virtual private network, and SAML (Security Assertion Markup Language) to create a single sign-on (SSO). The method is easy to implement if your organization already uses SSO.
Unfortunately, this is not a very usable solution for mobile users. A more practical approach is to use OAuth 2.0. Vendors supporting OAuth 2.0 with two-factor authentication include Azure AD, Ping, and Okta. Two-factor authentication asks for a user ID and password (something you know) and a second validation, such as a PIN generated on your mobile phone (something you have) or a fingerprint (something you are).
Android, iOS, Windows, and the latest web browsers all support OAuth 2.0 services. No developer should be using any other form of authentication.
4. Development-level security: Hardening the OS
The fourth level of security you should use to harden mobility targets the OS, and here you have lots of options. Apple has, from day one, done a good job enforcing security in iOS. Over the years with iPads, WatchOS, and tvOS (yes, we use all of them at Kimberly-Clark), the foundation for solid enterprise apps is Apple's iOS. The data in an app can be completely encapsulated in its space within the OS.
The tools we use for iOS security include:
Quarterly reviews of Apple’s security guide
Regular reviews of the latest code samples at Apple's developer site
Static code analysis using a commercial tool
For iOS, reviewing security guidelines with your security team is important. Fortunately, Apple has become more friendly toward the enterprise when it comes to security needs.
Google is a late player in the enterprise space. The compelling reason to use Google’s tools, including Android and its APIs, is that they are easy to adopt and cheap to use. For APIs such as Google Maps, Google has developed significant security models, and Android for Work encrypts the side of the Android phone used by the enterprise and leaves the personal side alone. That's a huge win for the enterprise.
5. Data in transit and at rest: It's all about APIs
Finally, you need to ensure that you apply security to APIs. At Kimberly-Clark, we use APIs to manage data and business logic, and you can use them for web, Android, iOS, and Windows development. Indeed, APIs are the only useful tool you can use in the mobile world that is arguably future-proof.
APIs are the crown jewels for our work, so data, both in transit and at rest, must be secure. Data in transit is easier to manage: We use SSL with 256-bit encryption. Data at rest is more complicated. It has two endpoints you must secure: the origin of the data and the device itself.
Each API should require app-level authentication. Always validate who is using the services, and where possible, limit sensitive data to memory. Memory data can be wiped easily. Refer to encryption on the device to ensure that your data is protected.
Just a start
This list is by no means exhaustive: There are many other methods for hardening the security of enterprise apps, but these five steps form a framework that you can apply in any company, regardless of size. We choose to leverage these approaches as our central strategy. What are yours?
Image credit: Flickr
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
