This week concludes my series on Mobile Applications & Data Security. I’ll leave you with tactics on how to secure application access to data and provide insight on how to secure communication between a mobile device and server. Ready? Let’s dive in.
One of the challenges when building mobile applications is to make sure users are only given access to information that they are authorized to view and that sensitive data is never stored on the device itself. One way to secure application access to business data on corporate servers is to develop a solid framework that will handle all aspects of data security and access on the server.
Below I have outlined common techniques that can ensure secure application access to data on a server:
- Role-based security to control user access and visibility to business data. This will allow you to easily manage and administer access and also turn “off” access to information on the server if required.
- Do not store passwords or PINs on the device and always perform all application security checks on the server.
- Encrypt all sensitive information on the server and only send the required amount of information to the mobile application.
- Log all application activity on the server from all devices and restrict access to applications and data based on the unique device identifier.
- Prompt for an additional PIN to access critical paths on the server, and re-validate the login information on subsequent requests after the initial login to the application has been verified.
- Implement a Firewall and DMZ (Demilitarized Zone) that contains and exposes your organization’s external facing servers to the outside world. This provides an additional layer of security to an organization’s network, applications and data.
- Provide VPN access for added security that can be easily enabled or disabled on the server side.
- Leverage remote monitoring capabilities that provide the ability to remote wipe a device if it gets lost or stolen.
- Educate and manage employee behavior and usage of mobile applications in order to keep security intact. Provide them with regular updates and make them aware of your security policies.
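As an added example (not code from the original post), the following server-side check combines three of the techniques above: role-based permissions, restricting access to registered device identifiers, a step-up PIN for critical paths, and a log line for every decision. The user table, role map, salt and device IDs are constructed sample data.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass, field

# Constructed sample data: roles and the permissions each role grants.
ROLE_PERMISSIONS = {
    "clerk": {"orders:read"},
    "manager": {"orders:read", "orders:approve", "payroll:read"},
}
CRITICAL = {"orders:approve", "payroll:read"}  # paths that require a step-up PIN
SALT = b"constructed-demo-salt"                # use a per-user random salt in practice

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash of the PIN; only this hash is kept, and only on the server."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str
    pin_hash: bytes
    devices: set = field(default_factory=set)  # registered unique device identifiers

USERS = {
    "alice": User("alice", "manager", hash_pin("4321", SALT), {"DEV-1001"}),
    "bob": User("bob", "clerk", hash_pin("1111", SALT), {"DEV-2002"}),
}
log = logging.getLogger("appserver")

def authorize(user_id, device_id, permission, pin=None):
    """Return (allowed, reason). Every decision is logged with the device id."""
    user = USERS.get(user_id)
    if user is None or device_id not in user.devices:
        decision = (False, "unknown user or unregistered device")
    elif permission not in ROLE_PERMISSIONS.get(user.role, set()):
        decision = (False, "role lacks permission")
    elif permission in CRITICAL and (
        pin is None or not hmac.compare_digest(hash_pin(pin, SALT), user.pin_hash)
    ):
        decision = (False, "step-up PIN required")
    else:
        decision = (True, "ok")
    log.info("user=%s device=%s perm=%s allowed=%s reason=%s",
             user_id, device_id, permission, decision[0], decision[1])
    return decision

def revoke_device(user_id, device_id):
    """Turn access 'off' for one device without touching the user's role."""
    USERS[user_id].devices.discard(device_id)
```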
The IBM i platform hosts some of the biggest mission-critical business applications on the planet and has always had a built-in object-based and user-profile management system that is not only simple to set up and leverage but very powerful. Reducing the steps required to configure user profiles and manage access to your programs/files on the server, using the standard IBM i user profile security with authorization lists, makes the IBM i a compelling choice for businesses.
Even the most secure platform on the planet needs protection from threats and breaches when dealing with business data. The IBM i platform provides the necessary tools required to secure the infrastructure and access to the information, helping businesses lower risks and costs.
Secure Communication Between a Mobile Device and Server
Another important component of building mobile apps is securing communication between the device and the server. Most applications connect to information stored on the server using the standard web protocol (HTTP) and pass data back and forth using standard data formats like XML or JSON. Connecting to data on the server over public Wi-Fi or a cellular connection from anywhere in the world can allow hackers to intercept and view the information being transferred over the wire using sniffing tools and man-in-the-middle attacks. Since the World Wide Web is the number one source of information for most people these days, and the Web uses the HTTP protocol to communicate between the browser and the server, it is easy to see why a plain HTTP connection can be intercepted and hacked.
One of the easiest ways to secure communication is to simply use HTTPS instead of the HTTP protocol when building business applications and accessing data on the server. Using an SSL/TLS connection to the web server means that the data is encrypted in transit, with the server authenticated by a digital certificate that can be set up and configured on the web server. Typically, the symmetric session cipher provides a minimum of 128-bit encryption, while the certificate's key can be up to 4096 bits, which ensures the data being transmitted over the wire is protected from eavesdropping and not available to hackers.
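An added example (not from the original post) of what "use HTTPS" means on the client side of a mobile or integration app: a hardened TLS context that verifies the server certificate and hostname and refuses protocols below TLS 1.2, placed beside the insecure configuration it replaces, plus a check of the negotiated cipher against the 128-bit minimum mentioned above. `check_server` is a hypothetical helper that needs network access; the other functions run offline.

```python
import socket
import ssl

def make_client_tls_context() -> ssl.SSLContext:
    """Hardened client context: verify the server certificate against the
    system trust store, check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def make_insecure_context() -> ssl.SSLContext:
    """The weak setting to avoid: with verification disabled, any server that
    sits in the middle of the connection is accepted as the real one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the server and pins a modern floor."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def cipher_is_acceptable(cipher, min_bits: int = 128) -> bool:
    """cipher is the (name, protocol, secret_bits) tuple from SSLSocket.cipher().
    Rejects legacy protocol versions and session keys shorter than min_bits."""
    _name, protocol, bits = cipher
    return bits >= min_bits and protocol in ("TLSv1.2", "TLSv1.3")

def check_server(host: str, port: int = 443) -> tuple:
    """Hypothetical helper: connect with the hardened context and return the
    negotiated cipher tuple and whether it meets the policy above."""
    ctx = make_client_tls_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher = tls.cipher()
            return cipher, cipher_is_acceptable(cipher)
```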
Using an IBM i backend as the server for building mobile applications provides many benefits. With the latest advancements in cryptography and digital certificates built into the Apache web server and the IBM i OS, the IBM i platform has proven to be a reliable and secure place to run your mission-critical business applications.
Application and data security has always been and will continue to be a cat-and-mouse game between the good guys and the bad guys: new threats and vulnerabilities are found and exploited by the bad guys, while the good guys fix the vulnerabilities by putting appropriate measures in place (both hardware and software) to thwart the new-age cyber criminals.
The great news for all of us building mobile applications is that both the software and hardware mobile ecosystems are not only evolving at a rapid pace, they are also constantly being improved to support the latest in encryption and cryptography, and mobile device operating systems are getting smarter at detecting and dealing with threats in real time.
At the end of the day, mobile applications need to be secured. It’s not a question of “if” but “when” attacks will occur. From an application development perspective, it is important to understand and be mindful of security issues when building enterprise applications for mobile devices.
Visit the blog next week for a 12-Point Mobile Application and Data Security Checklist.