Personal and enterprise computing landscapes are changing, and software ecosystems are changing with them. Mobile phones and tablets outsold conventional desktop and notebook computers last year and continue to expand in footprint and functionality. This rapid growth in device sales is driving a corresponding growth in app downloads: ABI Research predicts well over 200 billion mobile app downloads per year by 2017. Mobile apps across multiple platforms are making steady and dramatic inroads into the enterprise, with iOS leading adoption rates.
As a result of this strong mobile adoption, app developers who could once focus on source code reviews and web- and desktop-centric security reviews now need to expand the scope of their security requirements to cover a threat landscape specific to the mobile platform. IT security teams are also confronted with new devices being used in traditionally regulated markets. A study by the Ponemon Institute found that many organisations are not taking the necessary steps to protect regulated data, such as protected health information (PHI), on mobile devices and in the cloud.
Mobile Apps are being targeted by hackers
One issue is that mobile devices are untrusted execution environments: the app runs on hardware that the user, or whoever holds the device, fully controls. An attacker who has jailbroken or rooted the device, or who has a lost or stolen device in hand, can inspect and modify apps and their data, and lost devices are an easy target for identity theft, data theft, and fraud.
Malware, unauthorised access, code tampering, piracy, and intellectual property theft are all major issues on the mobile platform. These challenges are harder to deal with because mobile devices, and the apps resident on them, live outside the corporate firewall and are predominantly owned and maintained by users rather than companies. Even on corporate devices that have security policies such as mandatory PINs, business policy wrappers and authentication policies, apps and data are still vulnerable to attack, because all of these measures assume that the platform's controlled download and execution model automatically protects the apps, the data, and the user. On a jailbroken or rooted device none of those assumptions necessarily holds.
Jailbreaking (iOS) or rooting (Android) is the process of bypassing the restrictions, policies and safeguards that Apple and Google build into iOS and Android. It gives the device owner (and an attacker) privileged access to the operating system, the ability to install apps from outside the official app store, and the ability to bypass usage restrictions and checks built into the platform. Traditionally, jailbreaking or rooting is done by users on their own devices in order to use them "freely". These jailbroken and rooted devices present a tempting target for attackers, who can leverage the compromised environment to cause direct financial loss and ultimately damage a corporate brand.
Building a self-defending and tamper-resistant app
Protecting an application and its code in a fundamentally distrusted and potentially malicious environment is a different discipline from IT security policy enforcement, and requires a fundamentally different approach. The key is to apply the same multi-layer, binary-level protection that is used to make other software tamper-resistant, so that the app on the device can defend itself and reliably detect the conditions it is executing under at run time. It is worth noting that the goal here is not necessarily to prevent jailbreaking or rooting, but to detect it reliably and quickly. That detection becomes the pivot point at which the application alters its data processing and execution mode in order to protect IP, data, finances and resources from exploitation.
On top of this building block of reliable detection, companies can program their applications to react to a compromised environment in whatever manner is specified by the app's business policy envelope or Mobile Device Management (MDM) layer. For example, an app may simply be required to notify the user that it is running in a jailbroken environment. Alternatively, the app may report the condition back to a server and trigger an out-of-band response, such as a request for additional authentication or a customer support call.
As more businesses deploy mobile applications, and enterprise app stores and distribution become more ubiquitous, organisations need to understand that protecting assets accessed via mobile devices requires more than applying MDM solutions. It requires security to be built into the app from the ground up, which ideally includes the ability to detect and react to jailbroken or rooted devices.
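The detect-then-react pattern described in the two paragraphs above, as an added example that is neither Arxan's code nor a complete product: a native (C, usable from an iOS or Android NDK build) probe that looks for well-known jailbreak/root artifacts and a writable system volume, then maps the number of indicators to a policy response. The artifact list, the thresholds in `decide_response`, the names `probe_env`, `count_jailbreak_indicators`, and the three constructed sample environments (`SAMPLE_STOCK`, `SAMPLE_CYDIA`, `SAMPLE_ROOTED`) are all assumptions made for this example so that the decision logic can be exercised off-device.

```c
/* Added example (not Arxan's code): jailbreak/root indicator probe with
 * injectable probes so the policy can be tested against constructed
 * environments.  Path list and thresholds are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Probes are injected: on a device pass real_exists/real_writable,
 * in tests pass one of the constructed SAMPLE_* environments below. */
typedef struct {
    int (*exists)(const char *path);    /* 1 if path is present */
    int (*writable)(const char *path);  /* 1 if we can write to path */
} probe_env;

/* Commonly cited indicators: none of these ship on a stock iOS device,
 * and a stock Android build has no su binary.  Not exhaustive. */
static const char *const artifact_paths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
};
#define N_ARTIFACTS (sizeof artifact_paths / sizeof artifact_paths[0])

/* Stock iOS mounts the system volume read-only, stock Android mounts
 * /system read-only, so a writable root is a strong signal. */
static const char *const readonly_roots[] = { "/", "/system" };
#define N_ROOTS (sizeof readonly_roots / sizeof readonly_roots[0])

typedef enum {
    RESPONSE_NONE = 0,   /* no indicators: normal processing */
    RESPONSE_WARN_USER,  /* weak signal: tell the user, keep running */
    RESPONSE_ESCALATE    /* strong signal: report to server, step-up auth */
} response_t;

/* Count indicators, recording up to max_hits of the paths that fired. */
size_t count_jailbreak_indicators(const probe_env *env,
                                  const char **hits, size_t max_hits)
{
    size_t n = 0, i;
    for (i = 0; i < N_ARTIFACTS; i++)
        if (env->exists(artifact_paths[i])) {
            if (hits && n < max_hits) hits[n] = artifact_paths[i];
            n++;
        }
    for (i = 0; i < N_ROOTS; i++)
        if (env->writable(readonly_roots[i])) {
            if (hits && n < max_hits) hits[n] = readonly_roots[i];
            n++;
        }
    return n;
}

/* Policy (assumed thresholds): a single indicator could be a false
 * positive, so only warn; two or more escalates out of band. */
response_t decide_response(size_t indicators)
{
    if (indicators == 0) return RESPONSE_NONE;
    if (indicators == 1) return RESPONSE_WARN_USER;
    return RESPONSE_ESCALATE;
}

/* Real probes for use on the device.  Note: on a desktop Linux host this
 * will flag /bin/bash; the result is only meaningful on the device. */
static int real_exists(const char *p)   { return access(p, F_OK) == 0; }
static int real_writable(const char *p) { return access(p, W_OK) == 0; }

/* Constructed sample environments (not captured from real devices). */
static int none_exists(const char *p)    { (void)p; return 0; }
static int none_writable(const char *p)  { (void)p; return 0; }
static int cydia_exists(const char *p)   { return strcmp(p, "/Applications/Cydia.app") == 0; }
static int rooted_exists(const char *p)  { return strcmp(p, "/system/xbin/su") == 0
                                               || strcmp(p, "/sbin/su") == 0; }
static int rooted_writable(const char *p){ return strcmp(p, "/system") == 0; }
const probe_env SAMPLE_STOCK  = { none_exists,   none_writable };
const probe_env SAMPLE_CYDIA  = { cydia_exists,  none_writable };
const probe_env SAMPLE_ROOTED = { rooted_exists, rooted_writable };

int main(void)
{
    const probe_env env = { real_exists, real_writable };
    const char *hits[N_ARTIFACTS + N_ROOTS];
    size_t i, n = count_jailbreak_indicators(&env, hits, N_ARTIFACTS + N_ROOTS);
    printf("indicators=%zu response=%d\n", n, (int)decide_response(n));
    for (i = 0; i < n; i++) printf("  hit: %s\n", hits[i]);
    return 0;
}
```

On a real device the `RESPONSE_ESCALATE` branch is where the app would report the hit list to its server and demand step-up authentication, as the paragraph above describes. The caveat a practitioner should keep in mind is that file-existence checks are the first thing a hooking framework on a jailbroken device neuters, typically by intercepting `access()` and `stat()` and returning "not found"; this is why the article's advice is to make the check one layer among several and to protect the checking code itself against tampering, rather than to rely on a single probe.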
Contributed by Vince Arneja, VP product Management at Arxan Technologies