In a recent mobile security scare, researchers from Leibniz University of Hanover and the Philipps University of Marburg announced their discovery that Android apps can be ‘tricked’ into revealing personal data.
Media big guns such as the BBC and Wall Street Journal duly jumped on the story, reinforcing the impression that the mobile world is still the equivalent of the Wild West when it comes to data protection.
Hold on a minute – isn't this looking at the mobile security story from the wrong perspective? Mobile apps, like any applications, are only as secure as they're designed to be. Suggesting that Google is responsible for the security of all the apps built on its platform is equivalent to expecting Microsoft to apologise for every poorly written desktop PC app.
In reality, it is incumbent upon each company to plan for and develop to the level of security required for each app. For instance, if a bank develops a mobile app that stores unencrypted user information in device memory, then that bank has written a bad app. The security of that app has nothing to do with the end device or access medium. Rather, it has to do with poor gathering and planning of requirements in the first place.
With mass-market smartphone penetration and the roll-out of 4G services, the mobile enterprise is finally on the cusp of taking off in a big way. What is absolutely vital is that we do not repeat the errors that led to the desktop security quagmire. Instead, we should design mobile applications with data security as a primary consideration from the off.
So what is a good way to think about designing for security when developing mobile apps? One way to lower the risk of exposing sensitive data if an app or device is compromised is to minimise the amount of data the app exposes or allows to be downloaded to the device in the first place: data that never reaches the handset cannot be read from it.
For example, you can design an enterprise mobile app so that the sensitive data stays server-side and is only displayed on the device, not stored on it, while the authorised user is within coverage range.
Designers can also be more selective about what they really need to show within a mobile app. Rather than mobilising an entire customer relationship management system or big chunks of sensitive information, the IT team can mobilise only a handful of ‘must have' screens or functions.
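As an added illustration of the ‘must have’ screens approach (example code, not from the article or from any vendor platform), the following Python sketch shows a server-side projection layer: the client asks for a named screen, the server checks that the caller's role may open it, and only that screen's allow-listed fields are serialised. The screen names, roles and the sample CRM record are all constructed for this example.

```python
# Added example, not from the original article or any vendor platform.
# A server-side projection layer: the mobile client requests a named
# screen, and the server returns only that screen's allow-listed fields,
# so the full CRM record never leaves the back end. The screen names,
# roles and the record below are constructed for illustration.

# Constructed sample record as it might sit in the back-end CRM. Fields
# such as the tax ID, credit limit and internal notes are exactly what
# should never be downloaded to a phone.
CRM_RECORD = {
    "customer_id": 4711,
    "name": "Example Corp",
    "phone": "+1-555-0100",
    "next_meeting": "2024-05-02T10:00",
    "credit_limit": 250000,
    "tax_id": "12-3456789",
    "internal_notes": "Escalated to legal in Q1",
}

# Allow-list of fields per mobile screen. Anything not listed here is
# never serialised, so a column added to the CRM later stays server-side
# by default.
SCREEN_FIELDS = {
    "contact_card": ("customer_id", "name", "phone"),
    "agenda": ("customer_id", "name", "next_meeting"),
}

# Which roles may open which screen. Checked on the server for every
# request; hiding a button in the app is not an access control.
SCREEN_ROLES = {
    "contact_card": {"field_sales", "account_manager"},
    "agenda": {"field_sales"},
}


class ScreenNotAllowed(Exception):
    """Raised when a screen is unknown or the caller's role may not open it."""


def can_open(screen, role):
    """True if `role` is permitted to request `screen`."""
    return screen in SCREEN_ROLES and role in SCREEN_ROLES[screen]


def project(record, screen, role):
    """Return the subset of `record` that `screen` is allowed to show."""
    if not can_open(screen, role):
        raise ScreenNotAllowed(f"role {role!r} may not open screen {screen!r}")
    # Build the response from the allow-list rather than deleting keys
    # from a copy of the record: a newly added sensitive field cannot
    # leak through an out-of-date deny-list.
    return {field: record[field] for field in SCREEN_FIELDS[screen] if field in record}


def handle_request(screen, role, record=CRM_RECORD):
    """Minimal request handler returning (status, body) as an HTTP layer would."""
    try:
        return 200, project(record, screen, role)
    except ScreenNotAllowed:
        # Same status for an unknown screen and a forbidden role, so the
        # response does not reveal which screens exist.
        return 403, {"error": "forbidden"}


if __name__ == "__main__":
    print(handle_request("contact_card", "field_sales"))
    print(handle_request("contact_card", "intern"))
```

The design choice worth noting is that the allow-list is the only path to the response: the mobile client cannot request extra fields, and a field that is not named for a screen is absent from the wire format rather than merely hidden in the UI.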
There are other benefits to this approach. We recently worked with one of our clients on this stripped-down approach and the app worked so well that even when users had secure access to the full-blown CRM system, they preferred to use their mobile device because it was faster and more effective than using a laptop.
Of course, specific security mechanisms are still crucial. You should use a mobile platform with integrated security capabilities that handles password policy, log-on and proper authentication, and data encryption for mobile apps.
Some platforms allow an app to be set up so that enterprise data automatically times out and disappears from the device, even if the network connection is turned off; this is especially valuable if a device is lost or stolen. There are also device management tools that separate enterprise from personal data on a mobile device, allowing the enterprise portion to be wiped clean if the device is compromised.
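To make the time-out behaviour concrete, here is an added example (not from the article and not any vendor's implementation) of an on-device cache whose entries expire on the device itself, without a server round-trip, and which can be wiped wholesale on a device-management command. The `FakeClock` helper, the `ExpiringCache` class and the sample record are constructed for this example.

```python
# Added example, not from the original article or any vendor platform.
# An on-device cache for enterprise data whose entries expire locally,
# with no server round-trip, and which can be wiped as a whole. The
# clock helper and the sample data are constructed for illustration.
import time


class FakeClock:
    """Controllable stand-in for time.monotonic, used to demonstrate expiry."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ExpiringCache:
    def __init__(self, clock=time.monotonic):
        # Deadlines are kept on a monotonic clock rather than wall-clock
        # time: the user cannot set a monotonic clock backwards, so
        # changing the device date does not extend an entry's life, and
        # expiry never depends on reaching the server.
        self._clock = clock
        self._entries = {}  # key -> (value, monotonic deadline)

    def put(self, key, value, ttl_seconds):
        """Store `value` for at most `ttl_seconds`, a limit set by the server."""
        if ttl_seconds <= 0:
            raise ValueError("ttl_seconds must be positive")
        self._entries[key] = (value, self._clock() + ttl_seconds)

    def get(self, key):
        """Return the cached value, or None once its time-out has passed."""
        self._purge()
        entry = self._entries.get(key)
        return None if entry is None else entry[0]

    def _purge(self):
        """Drop every expired entry, not just the one being read."""
        now = self._clock()
        expired = [k for k, (_, deadline) in self._entries.items() if deadline <= now]
        for k in expired:
            del self._entries[k]

    def wipe(self):
        """Remove all enterprise data, e.g. on a remote-wipe command."""
        self._entries.clear()

    def __len__(self):
        self._purge()
        return len(self._entries)


if __name__ == "__main__":
    clock = FakeClock()
    cache = ExpiringCache(clock=clock)
    cache.put("agenda", {"name": "Example Corp"}, ttl_seconds=300)
    print(cache.get("agenda"))   # still present
    clock.advance(301)           # device offline the whole time
    print(cache.get("agenda"))   # None: expired without talking to the server
```

This cache lives in memory; a persisted cache would also have to store an absolute deadline, because a monotonic clock restarts on reboot, and the safe default on any clock inconsistency is to treat the entry as expired.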
The bottom line is: don't approach security as a set of utilities you bolt on after apps are deployed. You will get better security from a lifecycle approach in which you design with security in mind and also test for it.
The easiest way to develop a mobile app that is secure and will not get you featured in the press for the wrong reasons is to use an enterprise mobility platform that handles security for you.
T.L. Neff is executive vice president of global client services for Verivo Software