Can enterprises keep mobile security threats from driving customers away?

By building intelligent intrusion detection and response (IDS/IPS) into an app from the ground up, an enterprise can make the app self-defending against malicious use of its capabilities.

A 2015 mobile app survey from Bluebox Security supports the notion that most consumers would take their business elsewhere if a vendor's mobile app were compromised.

The vast majority (80 percent) of consumers surveyed said they would stop patronizing a company if its mobile app were compromised in a breach, according to the Bluebox Mobile App Survey results. Participants in the 2015 survey included approximately 400 consumers and 300 developers.

The vulnerabilities that lead to mobile app breaches lie as much or more in the mobile operating systems as in the apps. More than 1 billion devices running affected Android and iOS versions were exposed to OS-level flaws this year, Stagefright on Android being the headline example, according to Adam Ely, CSO, Bluebox Security. That number is based on the install base of mobile devices running the vulnerable OS versions. “That makes mobile the next big security threat vector,” says Ely.

CSO looks at how enterprises can curtail these breaches and keep consumers from running to competitors.

The source of mobile threats, consumer sentiment

Stagefright exploits targeted core mobile OS vulnerabilities in Android's media playback engine (libstagefright). In the case of XcodeGhost, an attacker added malware to a pirated copy of Xcode, the tool developers use to build iOS applications. “When developers used this hacked version of Xcode to build their iOS apps, it automatically injected malware into the app,” says Ely. Because the apps were built with Xcode, albeit a tampered copy, and submitted by their legitimate developers, App Store review readily cleared them and hosted them as clean apps.

“Apple has patched more than 120 security flaws since it released iOS 9,” says Ely. When the vulnerability is in the mobile OS, how can mobile app developers ensure the security of their apps?

Consumers are taking notice of the steady stream of attacks on their mobile activities and transactions. “In our private conversations with our customers, we found that they were starting to get more inquiries from consumers in the last six to 12 months about security, data privacy, and what’s going to happen with their data. This was something that two years ago most consumers never asked about,” says Ely.


High-profile data breaches and reports of avoidable mobile app risks are leading consumers to weigh the threat to their personally identifiable information (PII), to the point of planning what they will do in the event of further breaches. If an enterprise can’t ensure mobile application security, customers will respond by clicking elsewhere. “I can buy something at Target, Wal-Mart, Amex, Jet, wherever I want, so there’s a very low switching cost, so consumers have the ability to take a matter into their own hands,” says Ely.

Instructing mobile apps in the art of self-defense

Enterprises and their mobile app developers should build security in from the start: encrypt data, apply obfuscation through a security framework, and perform deep analysis of application integrity, explains Ely. “You need to understand the integrity and state of the libraries the app requires at runtime and the libraries in memory. You need to build out a risk score and profile and then use that to build in countermeasures to create self-defending apps,” says Ely.
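The following is an added example, not code from Bluebox or from the article, showing one way the runtime integrity check and risk score Ely describes fit together: a build-time manifest of library hashes, a runtime comparison against what is actually loaded, and a score that selects a countermeasure. The library contents, signal weights and thresholds are constructed for illustration and are not a standard.

```python
import hashlib

# Constructed stand-ins for the shared libraries an app ships. In a real
# build these would be the bytes of the .so/.dylib files; here they are
# short byte strings so the example runs offline.
RELEASE_LIBRARIES = {
    "libcrypto.so": b"\x7fELF-release-libcrypto-v1",
    "libpayments.so": b"\x7fELF-release-libpayments-v1",
    "libui.so": b"\x7fELF-release-libui-v1",
}


def build_manifest(libraries):
    """Build-time step: record the SHA-256 of every library the release ships."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in libraries.items()}


def check_library_integrity(manifest, loaded):
    """Runtime step: compare what is actually loaded against the manifest.
    Returns a list of (signal, library) findings; an empty list means a clean match."""
    findings = []
    for name, expected in manifest.items():
        blob = loaded.get(name)
        if blob is None:
            findings.append(("missing_library", name))
        elif hashlib.sha256(blob).hexdigest() != expected:
            findings.append(("tampered_library", name))
    for name in loaded:
        if name not in manifest:
            findings.append(("unexpected_library", name))
    return findings


# Assumed scoring policy: each signal contributes a fixed weight and the
# total is capped at 100. The numbers are illustrative only.
SIGNAL_WEIGHTS = {
    "tampered_library": 60,
    "unexpected_library": 40,
    "missing_library": 30,
    "debugger_attached": 25,
    "rooted_device": 20,
}


def risk_score(findings):
    return min(100, sum(SIGNAL_WEIGHTS.get(signal, 0) for signal, _ in findings))


def choose_countermeasure(score):
    """Map the score to an action the app takes on itself (assumed thresholds)."""
    if score >= 80:
        return "refuse_to_run"       # e.g. show an error and exit
    if score >= 50:
        return "disable_sensitive"   # e.g. keep browsing, turn off payments
    if score >= 20:
        return "report"              # continue, but alert the backend
    return "allow"


def evaluate_runtime(manifest, loaded, environment_signals=()):
    """Combine library findings with other runtime signals (debugger, root)."""
    findings = check_library_integrity(manifest, loaded)
    findings += [(signal, "environment") for signal in environment_signals]
    score = risk_score(findings)
    return {"findings": findings, "score": score, "action": choose_countermeasure(score)}


if __name__ == "__main__":
    manifest = build_manifest(RELEASE_LIBRARIES)
    # Clean device: everything matches the manifest.
    print(evaluate_runtime(manifest, RELEASE_LIBRARIES))
    # Constructed compromise: libpayments.so swapped for a patched copy, a hooking
    # library injected, and a debugger attached.
    tampered = dict(RELEASE_LIBRARIES)
    tampered["libpayments.so"] = b"\x7fELF-patched-libpayments-skip-pin-check"
    tampered["libhook.so"] = b"\x7fELF-injected-hook"
    print(evaluate_runtime(manifest, tampered, ["debugger_attached"]))
```

The caveat a practitioner should keep in mind: a check that runs inside the app can be patched out along with the library it protects, so the manifest should live in signed code and the score and findings should also be reported to the backend, where the server can refuse high-risk sessions independently of what the client decides to do.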

Ely is not alone in using self-defending app terminology. OWASP is invested in self-defending apps through its AppSensor project, which “defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications”, according to OWASP. By working at the application layer, building intelligent IDS into mobile apps together with automated responses to each intrusion, security becomes native to the app rather than an add-on.

The OWASP approach uses detection points to identify attacks from inside the application: exception categories such as request, authentication, session, access control, input, encoding, command injection and file I/O exceptions, plus user and system trend anomalies, honey traps and reputation. AppSensor analyzes the events those detection points record, individually and in aggregate, to decide whether a user is behaving maliciously, and then moves to block the user, according to OWASP.

With that instrumentation, OWASP says, an application can understand its users, their actions, the intended targets of those actions, and whether it should allow that combination of user and action. OWASP intends AppSensor to identify advanced threats engaged in exploitative or evasive behavior. AppSensor lets the app block the user permanently or take whatever other action the enterprise sees fit; blocking keeps attackers at the application’s perimeter, according to OWASP.

OWASP notes that AppSensor lets enterprises opt out of automatic blocking, so that they instead receive attack alerts through security monitoring and investigate before deciding on a response. “The rigor of response is a decision for each organization in relation to their tolerance for risk and specific needs for an application,” OWASP says. Since an organization’s tolerance for risk can differ from that of its consumers or other affected parties, it is worth considering the advantages of immediate, automatic blocking wherever it is reasonable.

Through the AppSensor project, OWASP offers recommendations for deciding which application behaviors are malicious, suggested responses, guidance on implementing a system based on AppSensor, and a Java reference implementation that an organization can integrate into its applications, according to OWASP.
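As an added example (not OWASP's reference implementation, and not code from the article), the engine below shows the AppSensor idea in miniature: detection points inside the app report events per user, a sliding window counts them, and a threshold ladder escalates from logging to logout to locking the account. It also shows the opt-out discussed above, where blocking responses become alerts for an analyst to review. The detection point names echo AppSensor's categories (authentication, input, honey trap), but the identifiers, windows, thresholds and the sample event log are this example's own constructions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy. Each detection point has a sliding window and a ladder of
# (event count, response) steps; the response fires when the count in the
# window reaches that step.
POLICY = {
    "AUTH_FAILED": {
        "window": timedelta(minutes=10),
        "ladder": [(3, "warn"), (5, "logout"), (8, "lock_account")],
    },
    "INPUT_TAMPER": {  # e.g. a client-validated field arriving with an impossible value
        "window": timedelta(minutes=30),
        "ladder": [(1, "log"), (3, "logout"), (5, "lock_account")],
    },
    "HONEY_TRAP": {  # an endpoint the real app never calls; one hit is enough
        "window": timedelta(hours=24),
        "ladder": [(1, "lock_account")],
    },
}


class AppSensorEngine:
    """Counts detection-point events per user inside a sliding window and
    escalates through the policy ladder. auto_block=False turns blocking
    responses into alerts so analysts can review before acting."""

    def __init__(self, policy=POLICY, auto_block=True):
        self.policy = policy
        self.auto_block = auto_block
        self.history = defaultdict(deque)  # (user, detection_point) -> timestamps
        self.locked = set()
        self.actions = []                   # (timestamp, user, detection_point, response)

    def report(self, ts, user, detection_point):
        """Called from a detection point in the app; returns the response to apply now."""
        if user in self.locked:
            return self._record(ts, user, detection_point, "already_locked")
        rule = self.policy[detection_point]
        window = self.history[(user, detection_point)]
        window.append(ts)
        while ts - window[0] > rule["window"]:  # drop events older than the window
            window.popleft()
        count = len(window)
        response = "none"
        for threshold, candidate in rule["ladder"]:
            if count == threshold:
                response = candidate
        if response == "lock_account":
            if self.auto_block:
                self.locked.add(user)
            else:
                response = "alert_only"  # opt-out mode: tell the SOC, do not block
        return self._record(ts, user, detection_point, response)

    def _record(self, ts, user, detection_point, response):
        if response != "none":
            self.actions.append((ts, user, detection_point, response))
        return response


# Constructed event log: "<ISO timestamp> <user> <detection point>" per line.
SAMPLE_EVENTS = """\
2015-11-03T09:00:01Z alice AUTH_FAILED
2015-11-03T09:00:05Z alice AUTH_FAILED
2015-11-03T09:00:09Z alice AUTH_FAILED
2015-11-03T09:00:12Z alice AUTH_FAILED
2015-11-03T09:00:15Z alice AUTH_FAILED
2015-11-03T09:01:00Z bob INPUT_TAMPER
2015-11-03T09:01:30Z bob HONEY_TRAP
2015-11-03T09:02:00Z bob INPUT_TAMPER
2015-11-03T10:30:00Z alice AUTH_FAILED
"""


def parse_event(line):
    ts_text, user, detection_point = line.split()
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), user, detection_point


def run_events(log_text, auto_block=True):
    """Feed every log line through the engine; returns the per-event responses and the engine."""
    engine = AppSensorEngine(auto_block=auto_block)
    responses = [engine.report(*parse_event(line))
                 for line in log_text.splitlines() if line.strip()]
    return responses, engine


if __name__ == "__main__":
    responses, engine = run_events(SAMPLE_EVENTS)
    for line, response in zip(SAMPLE_EVENTS.splitlines(), responses):
        print(f"{line:45} -> {response}")
    print("locked:", sorted(engine.locked))
```

Running it, alice's burst of failed logins reaches "warn" on the third and "logout" on the fifth attempt, while her attempt an hour and a half later starts a fresh window and draws no response; bob's single honey-trap hit locks the account outright, so his later input-tampering event is refused as "already_locked". With auto_block=False the honey-trap hit is recorded as "alert_only" and nothing is locked, which is the investigate-first posture OWASP describes.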

Other entities claiming some form of self-defending app approach include Apperian, Mocana, and Metaforic.

By David Geer