By Andrew K. Burger CRM Buyer Part of the ECT News Network
09/19/08 4:00 AM PT
More enterprises are embracing mobility, and as a result, there are more devices out there, each one a potential vulnerability waiting to be exploited. Security experts warn that enterprise IT departments must be aware of the threats looming on the horizon.
Mobile application developers are a busy lot these days as organizations look to put the latest applications in the hands of mobile employees.
However, as organizations' networks extend ever outward and "over the air," data and application security are primary concerns. Enterprise networks are a potential treasure trove for increasingly organized and sophisticated cyber-criminals, and the newness of mobile devices presents them with an enticing entry point.
A Window Into the Enterprise
The vulnerability of mobile applications and data can be categorized into two areas: data transmission and data storage, according to Hansen Lieu, marketing director of SAP (NYSE: SAP) CRM Global Marketing.
"When the mobile application is exchanging data with the server, they typically rely on the public wireless networks to communicate with the server back at the office. Potentially, this communication linkage can be intercepted and data copied," Lieu told CRM Buyer.
"The second vulnerable area is the data residing on the device. Many mobile applications store some data on the device to optimize performance and usability. So, if the mobile device is lost or stolen, data stored on the device can be accessed by unauthorized parties."
Moreover, mobile devices with links to enterprise applications can afford hackers access to core systems inside the firewall. "Back office systems can also be compromised, especially if the user stores his or her username and password on the device. Another threat is that the mobile device itself may also contain malware -- installed unbeknown to the user -- that can access data and send it out," Lieu explained.
Though technically possible, the vulnerabilities he described aren't substantial and occur rarely. "Even though people frequently lose their mobile devices (more often than laptops), there have been very few known cases in which data on these devices were accessed and used. SAP is not aware of any public statistics that we can share," he added.
Man-in-the-Middle Attacks
Mobile enterprise applications share the same vulnerabilities as any wired network application, points out ESET director of technical education Randy Abrams. Buffer overflows, weak passwords, insecure access control and a lack of rigorous auditing are all risks, he said.
The key difference, however, is that data transmissions are more accessible and prone to interception. "For this reason, particular care must be taken to ensure that data is always encrypted between endpoints. Man-in-the-middle attacks are then what must be defended against. A man-in-the-middle attack can compromise the cryptographic keys, thereby rendering the encryption ineffective."
E-mail is the most prevalent mobile enterprise application, and attacks can be quite substantial, according to Abrams. The use of unsecured WiFi networks, for instance, "can jeopardize account credentials and allow an attacker a log on to a corporate network," Abrams told CRM Buyer.
"Attacks against mobile enterprise applications are more likely to be targets than many other attacks. A skilled attacker will collect the information required, do their best to cover their tracks, and then stop accessing the resource so as to prevent detection."
A company may not even know how or where the intrusion was enacted or the source of data leakage. "As we saw in the case of T.J. Maxx, WiFi can expose applications that were not meant to be mobile to the same risks that a mobile enterprise application is vulnerable to."
Preventive Action
It's still the early days when it comes to widespread use of mobile enterprise applications, but there are at least 400 identified threats out there, according to Dan Clark, ESET vice president of marketing. "It's nowhere as large as it is in the commercial space but as more and more businesses embrace these technologies, threats will grow in number and frequency," he maintained.
"The question is whether you are ready before being hit by a security breach." For cyber-crooks, "it's a matter of waiting for a critical mass of smartphones to be employed and for critical mass of applications to be available."
It won't be long before smartphone ownership and usage reach the point where there are enough devices in use to attract greater attention from the malware and cyber-crime communities, Clark continued.
Smartphone sales have been brisk, and they are expected to continue to grow rapidly. About 118 million smartphones were shipped in 2007, 53 percent more than in 2006, according to Canalys.
"At the end of day, malware becomes more of a problem when more commerce is done on (mobile devices). That will determine where hackers will direct their efforts," Clark commented.
In a short space of time, we'll "hit the point where the volume of devices in the market is large and attractive enough to people whose motivation is illicit gain," Clark commented. "The potential for monetary reward increases and so the potential for attacks increases. Many business users use smartphones nowadays so now is probably a very good time to start investing in smartphone security."