Enterprise mobile apps and consumer mobile apps may run on the same devices and operating systems, but they are worlds apart when it comes to security. With hackers looking at mobile apps as a great attack vector, how can enterprises build security into their apps to prevent user identity theft and fraud?
Prevoty CTO Kunal Anand, who has long confronted user authentication and authorization threats while leading technology at companies like MySpace and the BBC, recently spoke to a Software Development Times (SDTimes.com) webinar audience on enterprise mobile application security.
Here are the highlights:
Mobile Development Misconceptions
Whether the app is native, hybrid, or HTML5, it carries significant vulnerabilities that can be exploited. Mobile sandboxes are great for limiting exploits between native apps on the device, but they can't prevent advanced attacks or fix poor architecture that allows unfettered access behind the enterprise firewall. Hybrid and HTML5 apps usher in a whole host of browser-based threats, along with the complexities of offline access and securing local storage. If mobile end users are caught by a cross-site request forgery (CSRF) or Man-in-the-Middle (MITM) attack, or their device is simply tampered with, they can be tricked into executing unwanted or malicious actions.
While alternative deployment and enterprise mobility management approaches such as containerization, app wrapping and virtualization help you manage risk by restricting the attack surface, they don't provide protection against the most sophisticated breeds of identity theft and user hijacking threats like CSRF and MITM.
When ‘Build Quickly, Fail Fast’ is Not an Option
0% of the audience of enterprise mobile developers uses a formal secure SDLC (SSDLC) process.
During the webinar, Kunal covers strategies for dealing with sophisticated MITM attacks, including TLS/SSL, OAuth, certificate pinning, encryption, and endpoint guarding -- but the real problem may be an institutional one.
Mobile development life cycles are much shorter than typical enterprise applications and the focus is heavily on user experience, not security. Secure coding practices, vulnerability testing tools, synchronizing secure SDLC protocols...they often just get in the way of getting the app out the door.
At Prevoty, we believe superior user experiences and efficient delivery timelines should still continue to reign supreme in mobile app development...without sacrificing security.
Therefore, we created an out-of-the-box secure OAuth management solution for both persisted and timed one-time use tokens called Trusted User for Mobile. This technology generates and issues unique, single-use tokens that we track for all state changes, preventing reuse for replay attacks.
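The mechanism described above, single-use tokens whose state changes are tracked so a replayed token is rejected, can be illustrated with a small server-side store. The following is an added example written for this page; it is not Prevoty's Trusted User for Mobile code, and the class and method names (`OneTimeTokenStore`, `issue`, `redeem`), the state names, and the injectable clock are all assumptions made for illustration. It covers both kinds of token the text mentions: persisted tokens (no expiry, usable once) and timed tokens (usable once, and only before their time-to-live runs out).

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical token states; every transition is appended to the token's history.
ISSUED, REDEEMED, EXPIRED = "issued", "redeemed", "expired"


@dataclass
class Token:
    value: str
    user_id: str
    issued_at: float
    ttl: Optional[float]                 # None = persisted token, float = timed token (seconds)
    state: str = ISSUED
    history: List[Tuple[float, str]] = field(default_factory=list)


class OneTimeTokenStore:
    """Issues unguessable tokens and records every state change so that each
    token can be redeemed exactly once (hypothetical example, not a product API)."""

    def __init__(self, clock=time.time):
        self._tokens: Dict[str, Token] = {}
        self._clock = clock              # injectable so expiry can be tested deterministically

    def issue(self, user_id: str, ttl: Optional[float] = None) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG; collisions and guessing are impractical.
        value = secrets.token_urlsafe(32)
        tok = Token(value, user_id, self._clock(), ttl)
        self._transition(tok, ISSUED, tok.issued_at)
        self._tokens[value] = tok
        return value

    def redeem(self, value: str, user_id: str) -> Tuple[bool, str]:
        """Returns (accepted, reason). A token is accepted only on its first valid use."""
        tok = self._tokens.get(value)
        if tok is None:
            return False, "unknown"      # never issued here, or forged
        now = self._clock()
        if tok.state == REDEEMED:
            return False, "replay"       # second presentation of an already-used token
        if tok.ttl is not None and now > tok.issued_at + tok.ttl:
            if tok.state != EXPIRED:
                self._transition(tok, EXPIRED, now)
            return False, "expired"
        # Constant-time comparison so the binding check does not leak via timing.
        if not secrets.compare_digest(tok.user_id.encode(), user_id.encode()):
            return False, "wrong_user"   # token stays ISSUED for its rightful owner
        self._transition(tok, REDEEMED, now)
        return True, "ok"

    def state_of(self, value: str) -> Optional[str]:
        tok = self._tokens.get(value)
        return tok.state if tok else None

    def history_of(self, value: str) -> List[Tuple[float, str]]:
        tok = self._tokens.get(value)
        return list(tok.history) if tok else []

    @staticmethod
    def _transition(tok: Token, new_state: str, when: float) -> None:
        tok.state = new_state
        tok.history.append((when, new_state))


if __name__ == "__main__":
    store = OneTimeTokenStore()
    t = store.issue("alice")             # persisted, single-use token
    print(store.redeem(t, "alice"))      # first use is accepted
    print(store.redeem(t, "alice"))      # replay is rejected
    print(store.history_of(t))
```

The two checks that matter for replay resistance are the ordering and the record-keeping: the store consults its recorded state before anything else, and it marks a token redeemed only after every other check has passed, so a mistyped user binding does not burn the token for its legitimate owner. In a real deployment the dictionary would be a shared, durable store so that every API node sees the same state, and the history would feed the audit log.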
Deployed as a public cloud service, private cloud service or virtual machine, Trusted User for Mobile doesn't impact performance and is completely agnostic to your type of application (native, web, or hybrid).
Hear more about it for yourself. Watch the full replay below or visit this direct link:
Protect the integrity of your app and win the trust of your users. Talk to us about how we can help you easily release mobile applications with security in mind.