Did you know approximately 30% of mobile users save their password in the notes apps on the phone? And 264 mobile thefts were reported every day in 2012? These are just a few statistics I highlighted last week in my Putting Mobile Applications and Data Security In Perspective post.
We’ll continue our discussion on mobile security by breaking the subject into three main categories, starting today with securing data at rest on the mobile device. Over the next two weeks we’ll cover securing application access to data and communication between a mobile device and a server.
Because native applications on mobile devices can read and write files on the device's file system, it becomes extremely important to secure stored information so that only the intended application can access it when an end user interacts with the program. Fortunately, both Android and Apple operating systems provide a sandbox for each application so that only that application can read and write its data on the file system. Applications should also encrypt the information they store on the file system using industry-standard encryption algorithms to further protect sensitive application data. Both Android and Apple also provide password, gesture and PIN access to the device that can be configured and set up so that unauthorized use of applications and data on the device is prevented.
Mobile device manufacturers and operating system vendors in the marketplace today are increasingly being asked to provide additional security capabilities built into the operating system and software to conform to government regulations, identify malicious activity, detect viruses and spyware as well as secure application data. Additionally, device manufacturers are now providing the ability to install business applications in a secure sandbox environment (dividing the mobile device into two parts so that the operating system separates corporate and personal data/applications) that can be integrated and controlled by the IT department in your organization.
When building applications for mobile devices and storing data on the device it is important to consider and analyze the following key aspects:
- Is the data being stored encrypted and compressed?
- What is the lifespan of data stored on the device?
- How sensitive is the information being stored? If very sensitive, should it be stored at all?
- Has application access to the data been secured in some way, e.g., with a login user ID and password?
- If the device is lost or stolen, can access to the application be immediately revoked and terminated?
- If the device is lost or stolen, can the device be wiped remotely?
- Is the data available for offline use? If yes, is the data erased and cleaned up by the application?
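The encryption-at-rest point made earlier and several items of the checklist above (encrypt with an industry-standard algorithm, bound the lifespan of stored data, clean up offline data) can be seen together in one small example. This is an added illustration written for this article, not code from the original post or from any mobile framework; it is in Go so it runs anywhere, and the AES-256-GCM construction it uses is also available on the platforms discussed (javax.crypto on Android, CryptoKit on iOS). The Record type, the Seal/Open/Purge functions, the TTL values and the in-memory key are assumptions of the example: on a real device the key would be generated in, and fetched from, the platform key store (Android Keystore or the iOS Keychain) rather than being written to the app's own files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Record is one entry in the app's private storage (an assumed layout for
// this example). Blob holds nonce(12) || ciphertext || GCM tag(16). The
// expiry time is fed to GCM as additional authenticated data, so editing
// it on disk to extend a record's lifetime is detected at decrypt time.
type Record struct {
	Expires int64  // Unix seconds; the record is unreadable and purgeable after this
	Blob    []byte // nonce || ciphertext || tag
}

// ErrExpired is returned when a record's lifespan has elapsed.
var ErrExpired = errors.New("record expired")

// newAEAD builds an AES-GCM cipher; key must be 16, 24 or 32 bytes (AES-256 with 32).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// expiryAAD encodes the expiry so it can be bound to the ciphertext.
func expiryAAD(expires int64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(expires))
	return b
}

// Seal encrypts plaintext under key with a fresh random nonce and binds an
// expiry of now+ttl to the result. Reusing a nonce with the same key breaks
// GCM, so a new one is drawn from crypto/rand for every record.
func Seal(key, plaintext []byte, ttl time.Duration, now time.Time) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	expires := now.Add(ttl).Unix()
	// Seal appends ciphertext||tag to the nonce so the blob is self-describing.
	blob := aead.Seal(nonce, nonce, plaintext, expiryAAD(expires))
	return Record{Expires: expires, Blob: blob}, nil
}

// Open returns the plaintext only if the record has not expired and both the
// ciphertext and the stored expiry are authentic (wrong key, flipped bytes or
// an edited expiry all fail the GCM tag check).
func Open(key []byte, r Record, now time.Time) ([]byte, error) {
	if now.Unix() >= r.Expires {
		return nil, ErrExpired
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(r.Blob) < ns+aead.Overhead() {
		return nil, errors.New("record blob too short")
	}
	return aead.Open(nil, r.Blob[:ns], r.Blob[ns:], expiryAAD(r.Expires))
}

// Purge removes expired records from an offline cache and reports how many
// were dropped; an app would call this on launch and on resume.
func Purge(store map[string]Record, now time.Time) int {
	dropped := 0
	for name, r := range store {
		if now.Unix() >= r.Expires {
			delete(store, name)
			dropped++
		}
	}
	return dropped
}

func main() {
	// Constructed demo key; on a device this comes from the platform key store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	now := time.Now()
	rec, err := Seal(key, []byte("session-token-example"), time.Hour, now)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, rec, now)
	fmt.Printf("fresh record: %q err=%v\n", pt, err)
	_, err = Open(key, rec, now.Add(2*time.Hour))
	fmt.Printf("after TTL: err=%v\n", err)
	cache := map[string]Record{"token": rec}
	fmt.Printf("purged after TTL: %d\n", Purge(cache, now.Add(2*time.Hour)))
}
```

The design choice worth noting is that the expiry is authenticated rather than merely stored beside the ciphertext: a short lifespan for cached data only helps if an attacker with file-system access cannot quietly extend it, and GCM's additional-data input gives that binding for free. The same idea extends to any metadata the app relies on for access decisions, such as the user ID a record belongs to.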
With the constant demand on business and IT to deliver “more with less,” organizations can deliver real business value and mitigate risk by using a Mobile Application Framework, which also provides real cost savings. When evaluating Mobile Application Frameworks for building native applications for Android and Apple devices, it is important to evaluate them against the following criteria:
- Is the mobile application framework from a reputable vendor?
- Has the vendor been in business for a long time and does the vendor have a proven track record?
- Does the mobile application framework leverage existing developer skill sets?
- Does the mobile application framework deliver the building blocks required for mobile applications i.e. security model, navigation, user interface elements, examples?
- Does the mobile application framework support both Android and Apple operating systems?
We’ve covered quite a bit of ground today. Be sure to check back next week for a deep dive into securing application access to data. I promise you won’t be disappointed.