The use of cloud services is steadily growing and hardly anyone can escape the trend. However, moving data and its processing out of an organization's own area of responsibility and into the cloud is not without problems and requires a careful approach, especially with regard to data security and privacy.
The Cloud Security Alliance (CSA) is dedicated to dealing with exactly such issues. During its luncheon earlier this month, the organization focused on mobile security, since the transformation of mobile computing has been phenomenal, driven by technological advances, increased affordability and market acceptance, and it highlighted the most common risks. In an age when convenience is king, giving up mobile devices is simply not an option. With mobile devices an integral part of our daily lives, it is urgent to review and strengthen the security of mobile applications.
CSA therefore aims to provide fundamental research to help secure mobile endpoint computing from a cloud-centric vantage point, pointing out that, as with all technology, a multitude of security issues keeps mobile applications and mobile devices from being completely reliable:
- Unsecured WiFi access and rogue access points are among the most prevalent security problems. Many mobile device users connect to WiFi hotspots when out and about without considering whether the connection is private and secure, or even whether it is a legitimate hotspot. An ‘evil twin’ attack exploits exactly this: the attacker sets up an access point in a public area and gives it a name that entices an unsuspecting user to connect, typically the name of the venue or of a network the device already trusts, which puts the attacker in a position to intercept and manipulate the device's traffic. As attackers become smarter and more creative, it is vital that mobile application users learn to recognize these attacks in time and avoid the bait.
- It is also difficult to streamline and standardize mobile application security with two major mobile operating systems, iOS and Android, on the market. Developers upload their applications to the App Store (iOS) or to Google Play (Android), but the two stores apply different criteria: iOS has stringent review guidelines, whereas Android's are less strict, and as a result many Android applications carry some form of malware. In late December 2015 the malware known as ‘Brain Test’ was found to have affected at least 13 other Android applications with hundreds of thousands of downloads. Brain Test itself had between 100,000 and 500,000 downloads, and the affected applications reached 200,000 to one million users. This problem will not go away unless the Google Play store tightens its policies on uploading applications.
- With technology enabling “Bring-Your-Own-Device” (BYOD), organizations are exposed to more attack vectors. The proliferation of data moving outside company networks, down to employee-owned devices, increases the chance of data leaking and falling into the wrong hands, and it is difficult to ensure that security policies and protocols are fully adopted on every mobile device employees use to access work information.
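The evil twin described in the first point above can be spotted on the client side before joining: a twin has to advertise a name the device already trusts, but it does so from a radio (BSSID) the device has never seen, usually without encryption. The following script is an added example and not part of the CSA material or this article; it runs detection logic over a constructed WiFi scan (the `SCAN` list and the `KNOWN_NETWORKS` allow-list are made-up data, and `find_evil_twins` and `safe_to_autojoin` are hypothetical names) and flags access points whose BSSID or security type does not match what the device trusts for that name.

```python
"""Flag likely 'evil twin' access points in a WiFi scan.

Added example, not from the CSA material. The scan records and the
allow-list below are constructed sample data; a real client would feed
in the results of its own scan and its saved-network list.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordering of security types from weakest to strongest.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str       # advertised network name
    bssid: str      # radio MAC address, lower-case
    channel: int
    security: str   # a key of SECURITY_RANK


# Constructed scan (not real data). Two of these are deliberate twins.
SCAN = [
    AccessPoint("CafeGuest", "aa:bb:cc:00:00:01", 6, "WPA2"),      # the real cafe AP
    AccessPoint("CafeGuest", "de:ad:be:ef:00:01", 6, "OPEN"),      # twin: same name, open, unknown radio
    AccessPoint("AirportFreeWiFi", "11:22:33:44:55:66", 1, "OPEN"),  # unknown open network, not a twin
    AccessPoint("HomeNet", "00:11:22:33:44:55", 11, "WPA3"),       # trusted 2.4 GHz radio
    AccessPoint("HomeNet", "00:11:22:33:44:56", 36, "WPA3"),       # trusted 5 GHz radio of the same AP
    AccessPoint("HomeNet", "66:55:44:33:22:11", 11, "WPA3"),       # twin: right name and security, wrong radio
    AccessPoint("OfficeNet", "01:02:03:04:05:06", 44, "WPA3"),     # trusted, clean
]

# Assumed allow-list: for each saved SSID, the radios seen before and the
# security type the device negotiated when it first joined.
KNOWN_NETWORKS = {
    "CafeGuest": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"},
    "HomeNet": {"bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"}, "security": "WPA3"},
    "OfficeNet": {"bssids": {"01:02:03:04:05:06"}, "security": "WPA3"},
}


def find_evil_twins(scan, known):
    """Return {bssid: [reasons]} for access points that look like evil twins.

    Heuristics (each adds one reason):
      1. SSID is a saved network but the BSSID is not one we have joined before.
      2. SSID is a saved network but security is weaker than the saved profile.
      3. Several APs share an SSID and this one is weaker than the strongest
         of them (an open AP impersonating an encrypted one). This last rule
         can misfire on legitimate WPA2/WPA3 transition-mode deployments, so
         treat it as a warning rather than proof.
    """
    findings = defaultdict(list)
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    for ssid, aps in by_ssid.items():
        profile = known.get(ssid)
        strongest = max(SECURITY_RANK[ap.security] for ap in aps)
        for ap in aps:
            rank = SECURITY_RANK[ap.security]
            if profile is not None:
                if ap.bssid not in profile["bssids"]:
                    findings[ap.bssid].append(f"{ssid}: BSSID not in trusted set")
                if rank < SECURITY_RANK[profile["security"]]:
                    findings[ap.bssid].append(
                        f"{ssid}: {ap.security} is weaker than saved profile {profile['security']}")
            if rank < strongest:
                findings[ap.bssid].append(f"{ssid}: weaker security than another AP with the same name")
    return dict(findings)


def safe_to_autojoin(ssid, scan, known):
    """Allow auto-join only for a saved SSID none of whose visible APs is flagged.

    An unknown radio advertising a saved name blocks the whole SSID: the client
    cannot tell from the beacon which radio will answer its association.
    """
    if ssid not in known:
        return False
    flagged = find_evil_twins(scan, known)
    return not any(ap.bssid in flagged for ap in scan if ap.ssid == ssid)


if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SCAN, KNOWN_NETWORKS).items():
        print(bssid, "->", "; ".join(reasons))
    for name in ("CafeGuest", "HomeNet", "OfficeNet", "AirportFreeWiFi"):
        print(f"auto-join {name}: {safe_to_autojoin(name, SCAN, KNOWN_NETWORKS)}")
```

The point of the BSSID check is that matching the name and even the security type is not enough: the third "HomeNet" radio in the sample passes a security comparison and is only caught because it has never been joined before. Pinning the first-seen BSSIDs per SSID, as the allow-list here does, is the same idea phone operating systems and MDM profiles apply when they refuse to auto-join a saved network from an unfamiliar access point.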
Already in 2012, CSA began to educate on this topic by publishing a report on the Top Threats to Mobile Computing that identified eight important mobile threats and pointed out that mobile devices need strong encryption to prevent data leakage. Data loss from lost, stolen or decommissioned devices is a recurring high-priority concern for both company-owned and employee-owned mobile devices.
Furthermore, in its effort to tackle the problem, CSA developed the Security Guidance for Critical Areas of Mobile Computing, which identifies the key aspects of the crucial parts of mobile computing (BYOD, authentication, application stores and MDM) and delves into each area to cover privacy, legal and financial issues. These guidelines are a necessary tool for businesses and for users of mobile applications and devices to help enforce best practices in the workplace.
Last but not least, in June CSA published a Mobile Application Security Testing (MAST) whitepaper, which aims to create a safer cloud ecosystem for mobile applications by establishing systematic secure engineering approaches to application architecture, design, testing and vetting that help integrate security, quality control and compliance into mobile application development and management.
Anthony Lim, Strategy Director, Asia Pacific, stressed during the luncheon on August 4, 2016 that the use of mobile applications has become unavoidable, and presented MAST, the framework for secure mobile application development, in more detail. So stay tuned with CSA and stay aware of the security issues surrounding mobile usage.
According to CSA, there has in fact been strong interest in a form of certification for mobile applications, which is why it is continuing to investigate and develop requirements for the security of app stores. Developing a mobile incident response handling procedure and a mobile forensic standard, and investigating secure bootstrap for mobile phones, are also in the pipeline to continuously reduce risks and security threats.
By Daniela La Marca