As part of our extensive security assessment portfolio, we also specialize in mobile application security assessments, be it black-box reverse engineering engagements or source code review analysis. We have not only done numerous such assignments, but we also blog extensively on our experience and BlueScopes into mobile application security. We have also worked with some of the largest enterprises to help them secure their mobile apps. Further, we have also carried out assessments of Mobile Device Management solutions such as those from Mobile Iron and Good Technologies.
With the wave of IT consumerization being faced by most enterprises today, CISOs no longer have the option of not allowing Smartphone’s, tablets and other mobile devices from connecting to the corporate network and accessing corporate data.
With so much organization data floating around in the palms of employees, corporate data theft is also on the rise. A loss of any such device would allow an adversary access to confidential emails and documents stored on the mobile device.
In today’s world where technology rule people’s lives and work space, attackers have also become sophisticated in their methodology. Rather than targeting an organization’s well protected email server – for which an attacker would have to bypass layers of security, including IPS, firewalls – attackers have now begun to focus on softer targets: the user endpoints – mobile, tablet, laptops.
Some common end-point threats are:
- 0-day malwares
- Loss of device
- Unauthorized app installation
- Data and document storage abuse
- Malicious attachments
- Device and Data encryption:
Encrypting your entire device or specific data, can prevent an attacker from viewing it without the key
- Remote device wipe:
In case of loss of device, a remote wipe would ensure that the attacker cannot extract confidential information from the device
Un-attended devices need to be protected from prying eyes
- Applying domain password policies to your end-point device
- Device lockdown:
Restricting the user activity on the device would help ensure that unwanted applications are not installed or settings are not updated
- Centralized email service:
Incorporating the mobile device email security with the existing email infrastructure ensures complete sync of data and also allows recovery of emails in case of loss of device.
Restrict users from installing malicious applications or browsing to website which may compromise their device.
- Mobile Device Management Assessment:
Most corporate business which provide their employees with mobile devices, use MDM applications like Blackberry Enterprise Servers or 3rd-party device management server. Our team can conduct a security assessment of these servers to identify improper configurations or policies which are not in compliance with the organization security policy and best practices.
- Application Security Assessment:
Companies now-a-days introduce applications for their customers (and even employees) to ease the manner in which they interact and conduct transactions. Applications involving mobile trading, mobile banking, mobile wallet etc. need to ensure the confidentiality and integrity of their customer data the availability of their services. We can help you identify vulnerabilities in your applications and also provide recommendations on how you can ensure that an attacker does not abuse your application nor is he able to compromise your clients’ information.
- Application Source Code Review:
Although most critical security issues can be discovered by an application assessment, a source code review helps discover underlying code issues which may not be apparent in the exposed user interface. We can review source code for applications of different platforms – Blackberry OS, iOS, Android, Symbian, Windows.
- Implementation of End-point Security Solutions:
If you are looking to integrate end-point mobile devices into your infrastructure, you need to ensure that they are well protected from malwares and also make sure that all such devices are in conformity with the organizations’ security policies. We can help you to identify and set up solutions which best suit your unique organization policies and network architecture. With our years of experience in information security domain, you can be assured that we review the top-of-the-line products and suggest the best option for your needs.