Nowadays, with virtually everybody using a smartphone and/or a tablet, and downloading apps to run on their devices, most IT directors are scratching their heads wondering what new risks might have snuck in. Industry analysts at Gartner have come up with a handy starter list of things IT directors might do to protect themselves from insidious code embedded in mobile apps.
The first set of recommendations involves how applications should be tested. Test each application from three perspectives – the code itself, the runtime behaviour, and how the app communicates with other services.
A number of tools exist on the market (for example Veracode or FireEye) to perform static analysis of either an app's source code (if it is available to you) or its binary (which in most cases is all you have). Such tools produce a list of suspected vulnerabilities, which should be triaged rather than taken at face value, since static findings include false positives and miss anything that only shows up at runtime. They may also tell you what to look for when you test the app's runtime behaviour.
Tools also exist on the market to test an application's behaviour. Most behavioural testing is performed by running the app in a mobile device emulator, or on an instrumented device, and watching what it does in the background: which permissions it exercises, which hosts it connects to, and what it sends. A malicious app, for example, might quietly send sensitive data outside your enterprise. Bear in mind that some malware detects emulators and behaves differently there, so confirm suspicious or conspicuously clean results on real hardware. Many of the same vendors that offer static application security testing (SAST) also offer tools for behavioural testing.
To test how the app communicates with other services, such as web services, you should test the mobile part of the app, the back-end server, and the communication link between the two. Check that the mobile app validates server messages rather than trusting them blindly, and make sure data that is supposed to be encrypted is actually encrypted end-to-end, not merely on the first hop. One tool that allows you to intercept and analyse traffic between the app and the server is PortSwigger's Burp Suite. Intercepting TLS with Burp requires installing Burp's CA certificate on the device; this gives you a useful check for free: if the app keeps working through the proxy without that CA installed, it is not validating server certificates, and if it refuses to work even with the CA installed, it is probably pinning its certificate, which is the behaviour you want.
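The two checks above, spotting an app that sends sensitive data outside the enterprise and spotting traffic that is not encrypted, can be automated over whatever a proxy such as Burp has captured. The script below is an added example written for this page, not code from Gartner or from any of the vendors named; it works on a constructed capture of four requests, and the enterprise domains, the sensitive-data patterns and the app names are all assumptions chosen for the illustration. It reports plaintext transport, sensitive data leaving for hosts the enterprise does not own, and any other external host, and finally produces the list of apps you would hand to your device management tool to block.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts the enterprise owns; anything else counts as "outside the enterprise".
# Assumed values for this example.
ENTERPRISE_DOMAINS = {"corp.example.com"}

# Illustrative patterns for data that must not leave the device in the clear
# or to an unapproved host. Real deployments would extend this list.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "imei": re.compile(r"\b\d{15}\b"),
    "gps": re.compile(r"-?\d{1,3}\.\d{4,},\s*-?\d{1,3}\.\d{4,}"),
    "contact_dump": re.compile(r'"contacts"\s*:\s*\['),
    "bearer_token": re.compile(r"Bearer\s+\S+", re.IGNORECASE),
}

# Findings serious enough to block the app outright.
BLOCK_ISSUES = {"plaintext-transport", "sensitive-data-to-external-host"}


@dataclass
class Request:
    """One request as a proxy would log it: originating app, method, URL, headers, body."""
    app: str
    method: str
    url: str
    headers: dict
    body: str = ""


@dataclass
class Finding:
    app: str
    url: str
    issue: str
    detail: str = ""


def host_is_enterprise(host: str) -> bool:
    """True for an enterprise domain or any subdomain of one (suffix match on a label boundary)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ENTERPRISE_DOMAINS)


def sensitive_fields(text: str) -> list:
    """Names of the sensitive-data patterns that occur anywhere in the text."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))


def analyse(requests: list) -> list:
    """Run the transport and data-leakage checks over a captured request list."""
    findings = []
    for r in requests:
        parts = urlsplit(r.url)
        host = parts.hostname or ""
        external = not host_is_enterprise(host)
        # Everything the proxy could read: query string, headers and body.
        visible = " ".join([parts.query,
                            " ".join(f"{k}: {v}" for k, v in r.headers.items()),
                            r.body])
        hits = sensitive_fields(visible)
        if parts.scheme != "https":
            findings.append(Finding(r.app, r.url, "plaintext-transport", ", ".join(hits)))
        if external and hits:
            findings.append(Finding(r.app, r.url, "sensitive-data-to-external-host", ", ".join(hits)))
        elif external:
            findings.append(Finding(r.app, r.url, "external-host", host))
    return findings


def apps_to_block(findings: list) -> list:
    """Apps with at least one blocking finding, ready to feed to an MDM blocklist."""
    return sorted({f.app for f in findings if f.issue in BLOCK_ISSUES})


# Constructed sample capture: one well-behaved enterprise app and two leaky ones.
SAMPLE_CAPTURE = [
    Request("com.example.expenses", "POST", "https://api.corp.example.com/v1/receipts",
            {"Authorization": "Bearer t0k3n"}, '{"user":"jane@corp.example.com","total":42.10}'),
    Request("com.example.flashlight", "POST", "http://telemetry.adnet-example.net/collect",
            {"Content-Type": "application/json"},
            '{"imei":"356938035643809","loc":"51.50735, -0.12776"}'),
    Request("com.example.flashlight", "GET", "https://cdn.adnet-example.net/banner.png", {}),
    Request("com.example.notes", "PUT", "https://sync.notes-example.io/u/1",
            {}, '{"contacts":[{"name":"Bob","email":"bob@corp.example.com"}]}'),
]

if __name__ == "__main__":
    results = analyse(SAMPLE_CAPTURE)
    for f in results:
        print(f"{f.app:26} {f.issue:34} {f.detail}  ({f.url})")
    print("block:", apps_to_block(results))
```

Note what the script does not flag: the expense app posting an email address and a bearer token to the enterprise's own API. Sensitive data to a host you control is the normal case, so the decision hinges on destination and transport together, not on the presence of the data alone. The external-host finding on the ad CDN is informational; a banner fetch is expected from a free app, but it is exactly the kind of connection you want recorded so the pattern is visible when the same host later receives a device identifier.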
The second set of recommendations concerns procedures and policies. Make it a point to check risk and reputation scores from expert testing vendors on an app before you allow use of that app in your organisation. Set up requirements so that apps are submitted for testing before they are used. And finally, integrate application testing with application protection technologies.
Look to vendors such as Appthority, FireEye, Pradeo, and Veracode, to find out how they rate the apps you are considering. Don't check just once. Make sure you check back on the ratings periodically, as they may change as app versions change.
Make it clear to users that all apps must be tested. You might also automate the process by installing a test manager app (provided by some of the same testing vendors) that discovers the apps on a device and then reports those apps for testing.
Once you have performed static and behavioural testing on the app, feed the results into your device management and protection tools. That interface is rarely automatic, so you will have to get creative and ask your vendors what their products can consume. The simplest response if testing leaves you in doubt about an app is to use device management and protection tools to blacklist it, and to keep the block in place until a retested version clears.
IT directors who follow these recommendations are sure to sleep better at night.