It probably came as no surprise to anyone involved in enterprise mobility security when Network World recently reported that at least 80% of mobile apps have security and privacy issues that put enterprises at risk. But in a world where 70% of enterprises have given up attempts to forbid bring your own device (BYOD) access to the enterprise network, understanding a few enterprise mobility security best practices is critical to developing mobile security solutions that can protect your organization.
Best practices start, of course, with understanding what kinds of risks smartphones, user-provided laptops or PCs, and tablets pose to the enterprise. If asked, many IT managers would say that malware brought into the enterprise from user-owned devices is the biggest threat to enterprise mobility security.
Good network access control and strict policy enforcement can go a long way toward mitigating the risk of malware, and most savvy enterprises have up-to-date mobile security solutions that help protect against Trojans, other malware, and hacker attacks. Of course, mobile security solutions – like other anti-malware solutions – have to be constantly updated as hackers come up with new ways to bypass existing security and safeguards.
For instance, earlier this month Kaspersky Labs discovered the first Android malware app that doesn’t attack the smartphone itself, only the PCs or networks it is connected to. The app records any audio on the PC or network (including voice mail) and has so far been geographically limited. Still, it’s a good example of the unexpected risks that smartphone users can bring into the workplace.
Common Risks in Android App Development
Some risky behaviors are built into many apps without being obvious to the user. While found in some iPhone/iPad apps as well, these four behaviors are more prevalent in Android app development projects – including those undertaken within the enterprise – because up to 80% of the open source tools for Android include these four functions:
- Accessing user contacts on a smartphone (including contact information from corporate email synced to the phone)
- Accessing the user’s calendar information
- Collecting or determining the user’s location and tracking movements
- Passing along any or all of this information to ad networks or analytics companies
Good policies that govern what users can do and what kinds of data they can access don’t work unless you understand what specific apps actually do. Do your mobile security solutions take these into account and protect your organization?
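One practical way to "understand what specific apps actually do" is to audit the permissions each app declares in its AndroidManifest.xml and map them onto the four behaviors listed above. The script below is an added example written for this post; it is not code from the article, Network World, or Kaspersky. The permission strings are real Android identifiers, but the two manifests, the package names, the category grouping, and the `policy_violations` helper are constructed for illustration.

```python
"""Audit the permissions an Android app declares in its AndroidManifest.xml
and map them onto the four risky behaviours discussed above (example code,
constructed for this post)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android permission identifiers, grouped (our grouping) by the
# kind of user data they unlock.
RISK_CATEGORIES = {
    "contacts": {
        "android.permission.READ_CONTACTS",
        "android.permission.WRITE_CONTACTS",
    },
    "calendar": {
        "android.permission.READ_CALENDAR",
        "android.permission.WRITE_CALENDAR",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
}
# Network access is what turns data collection into data sharing with ad
# networks or analytics companies; on its own it is not flagged.
NETWORK_PERMISSION = "android.permission.INTERNET"


def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name:
            perms.add(name)
    return perms


def assess_manifest(manifest_xml):
    """Classify a manifest against the risky behaviours.

    Returns the package name, the data categories the app can reach, and
    whether it can also send that data off the device.
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    categories = sorted(
        cat for cat, needed in RISK_CATEGORIES.items() if perms & needed
    )
    return {
        "package": root.get("package", "<unknown>"),
        "data_categories": categories,
        "can_share_externally": bool(categories) and NETWORK_PERMISSION in perms,
    }


def policy_violations(assessment, forbidden_categories):
    """Compare an assessment with a BYOD policy that forbids certain categories.

    `forbidden_categories` is a set such as {"contacts", "calendar"}; the
    result is a list of reasons, empty when the app is compliant.
    """
    pkg = assessment["package"]
    reasons = [
        "%s: app can access %s data" % (pkg, cat)
        for cat in assessment["data_categories"]
        if cat in forbidden_categories
    ]
    if reasons and assessment["can_share_externally"]:
        reasons.append(
            "%s: collected data can leave the device (INTERNET permission)" % pkg
        )
    return reasons


# Constructed sample manifests (not real apps) used to exercise the checks.
AD_SUPPORTED_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""

OFFLINE_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    policy = {"contacts", "calendar", "location"}
    for manifest in (AD_SUPPORTED_APP, OFFLINE_APP):
        result = assess_manifest(manifest)
        print(result)
        for reason in policy_violations(result, policy):
            print("  VIOLATION:", reason)
```

Treat the result as an upper bound on capability rather than proof of behavior: a declared permission is not necessarily granted (on Android 6.0 and later the user grants dangerous permissions at runtime), and the manifest cannot tell you which third party, if any, receives the data. Pair this static check with the app inventory your MDM reports and with a review of the app's network traffic before deciding whether it belongs on devices that reach corporate email.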
More importantly, do your users understand the necessity of practicing the same basic risk management activities on a mobile device as they do on a PC? For instance, most corporate users know that it’s important to keep a firewall on at all times, run current antivirus and antispyware software, and keep automatic updates on, and most enterprises enforce those best practices on PCs connected to the network.
But the second annual Microsoft Computing Safety Index (MCSI) survey shows that only a small fraction of U.S. smartphone and tablet users follow the same security practices on their mobile devices. Overall, the survey showed that even users who are aware of the value of personal information don’t practice the risk management steps that could protect them on mobile devices.
BYOD user policies, like the ones shared by Network World last year, can be the first line of defense in an enterprise mobility security framework. Surprisingly, they can also be valuable tools to an Android app development project. How? By building in compliance mechanisms as the app is developed, so that it’s easier for users to comply with security measures – and harder for them to remain out of compliance.