Interview: Building secure apps from the ground up

13 Nov 2018
Sponsored

Digital transformation is allowing companies to automate many in-house processes and make them more efficient by building their own apps.

However, these apps need to have security built into them from day one, or they may unknowingly become another threat surface attackers can leverage.

Techday spoke to Mobile Mentor mobile security head Liz Knight about common threats they’re facing, how companies can secure their apps, and why this is important.

What are your roles and responsibilities as head of mobile security with Mobile Mentor?

I lead a team of specialised engineers that are experienced in deploying mobility solutions to government and enterprise customers.

We are trained and certified with the major Unified Endpoint Management (UEM) vendors as well as Google and Apple, which gives a holistic understanding of the mobile ecosystem.

The team is responsible for designing and implementing mobility solutions that have integrations with customers’ cloud and on-premise infrastructure.

This includes securing devices with the latest vendor solutions including Apple Business Manager, Google Android Enterprise and Samsung KNOX, protecting devices from malicious applications and designing specialist configurations to meet customers’ security requirements.

We have unique knowledge and experience in how to deploy and secure enterprise apps, enabling Single Sign On (SSO) and access to remote systems.  

Why is mobile security important in app building?

Security should be a key consideration from the initial design phase before any build even begins.

Apps can be vulnerable to data leakage, malicious code insertion, privacy issues and other security threats.

Securing enterprise apps may be as easy as adding an SDK such as the Intune App SDK to containerise and encrypt app data or the ADAL library to enable SSO leveraging Azure Active Directory (AAD) during the build phase.

You don’t want to finish your app build and then realise the app is not secured and users can’t authenticate using their corporate credentials.

What are the security threats you've encountered and what other trends are you seeing?

While we don’t see much rooting or jailbreaking of devices these days, we do see threats from insecure networks, browsing and malicious apps.

Many older Android devices are not encrypted, which means data leakage is a major concern.

Some apps look reputable but may be sending data offshore to third-party servers and have access to the device KeyStore and other functions such as the microphone and camera.

We recommend customers use a Mobile Threat Defence (MTD) solution to get visibility of risky apps and integrate with a UEM solution to automate the quarantining of devices that have been detected with malicious apps installed.

How does PowerApps factor in security from the app building stage?

PowerApps leverages Azure Active Directory for authentication out of the box, which includes the ability to enable Multi-Factor Authentication (MFA).

MFA requires the user to provide an additional factor of authentication before access to an app is granted.   

Is there the possibility to integrate offerings from external security vendors? 

Yes, the best approach to PowerApps security is a layered approach.

Start by using a UEM solution such as Intune to secure the device layer, then leverage vendor solutions such as Apple Business Manager and Android Enterprise to apply policies and data loss controls around the deployed PowerApps, and then leverage Azure AD and MFA to secure the authentication and user identity.
