Google’s recent revelation about the iPhone hack was a bit of a shock for me because I’m a die-hard fan of Apple products. I’ve always felt Apple’s closed environment ensures better security and privacy, both of which are important to me. Apple fixed the vulnerabilities within a few days of being notified by Google, so all good on that front.
What piqued my interest was how app data was compromised. Hackers installed a “monitoring implant” which had access to all the database files on the victim’s phone used by end-to-end encrypted apps, such as WhatsApp and Telegram. Those databases “contain the unencrypted, plain-text of the messages sent and received using the apps” according to this Forbes article. The saying ”own the operating system, own everything inside” is so true here.
But what if those apps had not relied on the encryption provided by iOS but had implemented their own encryption, independent of iOS’s, to secure those databases? Things may not have been so dire because there would have been another layer of encryption hackers would have had to get through in order to access the data.
That’s one of the reasons app-level security is so appealing to enterprises. It provides them with an additional level of security, so even if the device’s security is blown to bits (which can happen if the device passcode is compromised - have you ever used a 4 digit device PIN?), the app data is still encrypted. Many organizations use mobile device management (MDM) profiles to enforce security policies on devices where an installed MDM profile allows organizations to enforce more complex device PINs, for example, which reduces the risk of device compromise. In such cases, app-level security provides an additional layer of security SHOULD the device passcode be compromised. What app-level security also does is provide a consistent set of controls over app data regardless of whether the app is being used on corporate-managed device, which is one with an MDM profile, or one without - think BYOD (bring your own device) - where users place great value on their privacy.
What made the hackers successful in the iOS hack wasn’t just that they exploited an iOS vulnerability. They also exploited app vulnerabilities, which in this case was storing app data unencrypted in databases. That’s not a bad design since the app design assumed the device’s encryption would protect the data. Plus, implementing app level security isn’t easy. You’ve got to first make sure you know all the places where an app writes data - to flash disk on the device, to the network, between apps - before you go about implementing security. Many things can go awry. If your app is using libraries for which you don’t have source code, how can you ensure that data is always secured? If you are one of many developers working on complex enterprise mobile apps, how can you ensure developers working on other parts of the app are correctly implementing cybersecurity? When there are so many ways things can go wrong and there is pressure to turn out enterprise apps quickly, how do you avoid implementation mistakes that could turn into headlines?
Part of the solution is app design. The other is ensuring a reliable process for securing the app - and that’s where no-code approaches that automate integration of security into apps can help. After all ensuring app-level security in an app isn’t one and done. That process must be repeated for any changes or updates and there are many. An app’s source code is typically updated many times a year. Though Android and iOS have major updates once a year, there are numerous minor updates throughout. App security SDKs from EMM vendors like Microsoft and BlackBerry are also on an update cycle. Manually implementing app level security is prone to errors - PEBKAP anyone?
Many parts of the app development process have been automated, and now is time to extend that to securing of apps. Some key benefits that come with automating app security include:
- Enterprise can allow widespread access to corporate data and backend systems from secured mobile apps as data and system access is always under enterprise control, even in cases where the device isn’t, like BYOD.
- Workers will more willingly use corporate apps on their devices, even personal ones, because their employer can only access corporate apps and nothing else on their devices.
- Developers can focus on what they love to do most—app innovations, whether in the form of improvements to existing apps or in the creation of new apps—instead of the repetitive, mundane task of manually integrating security into apps.
Without automating the integration of app-level security, organizations cannot completely reap the benefits of edge computing because the attack surface grows as does the digital frontier. With it, comes increased productivity and everyone wins.