8 security questions to ask before building mobile apps

By John Dickson, CSO |  Security, mobile development

Enterprise organizations are rushing to build iPhone, iPad, Android and BlackBerry applications to deepen their customer experiences and extend the ways their customers can purchase from them.

The demand for these applications is driving development at a rapid pace. Unfortunately, the risks associated with mobile applications are different from typical enterprise software. Also, security is rarely a project driver in the mobile software world.

Also see: Malware exploding, especially on mobile devices

Business line managers need to make sure that marketing and IT managers who are building mobile applications are protecting of customer data and not inadvertently opening up unexpected security holes for outside attackers. Here are eight questions to ask them before proceeding.

1. How does the risk of software on mobile devices differ from that of enterprise software?

The very definition of mobile software is that it exists on a device outside your enterprise environment on the handset or tablet of an outside person, perhaps a customer. You can assume that the device will be jail broken and your source code reverse engineered. In addition, you will have little -- if any -- indication that someone is tinkering with your mobile application. Much of the attack prevention and detection will instead have to be based on examining how the mobile device interacts with internal servers.

2. How do these mobile applications interact with our internal servers?

Much of the media focus on mobile security is centered on the security of the device. In reality, most of risk may exist where the mobile device interacts with externally-facing servers. An organizations threat modeling and testing should reflect that reality. If the device can be jailbroken and the code reverse engineered, an attacker with modest skills can identify the target server that receives inbound requests from you mobile devices. At that point, the server has to be able to withstand the variety of application and network attacks.

3. Do we have the internal skill set to manage this risk?


Originally published on CSO |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.

     

    Learn more

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question