November 8, 2024
The 7 Essential Steps for Ensuring Mobile App Security
Mobile devices now account for more than half of all web traffic, and that number seems poised to increase over the next few years. Between the Apple App Store and Google Play Store, there are already more than 5 million applications available — and not all of them are safe. A smart mobile app security strategy can mitigate some of the threats that come from unauthorized, misconfigured, or malicious software.
Enforcing strict mobile device security policies is good for your organization, as you can minimize the risk of a data breach. It’s also good for your employees — particularly if they use personal devices — as you can help them protect their personal information. Even though there are millions of mobile apps on the market, you can safeguard your organization’s sensitive data by following just seven simple steps.
Common mobile app security risks
Before you shore up your organization’s mobile app security, you should know what kinds of threats you’re likely to encounter. The most common mobile app threats include:
- Unsecured apps: According to Lookout’s Hank Schless, “apps don’t have to be malicious to be dangerous.” Many legitimate smartphone programs have severe vulnerabilities. Consider the case of Pinduoduo: an online retail app that contained highly exploitable code. Less overtly dangerous apps can still request more permissions than they need or collect and share personal data with uncertain third parties.
- Shadow IT: “Shadow IT” refers to employees using unauthorized apps and devices for legitimate work purposes. Examples include using a personal smartphone to complete work assignments or loading unauthorized apps onto a company-issued tablet. Because IT and security teams often have little or no visibility into shadow IT, it may be more vulnerable to attack.
- Malicious software: While malicious apps are rare, they do occasionally make their way onto devices. They usually masquerade as legitimate programs, such as banking apps or PDF readers. Once installed, they steal login credentials or infect devices with malware.
7 steps to secure mobile apps
Vet and configure mobile apps
With millions of smartphone apps on the market — and dozens of versions of each one — letting employees install whatever they want can be risky. One possible alternative is to issue company devices and restrict installable apps to a pre-approved list. The IT department can vet this software with mobile vulnerability management (MVM) technology, which evaluates the relative risk of each app, operating system (OS), and device. The more often you run these tests, the better your insights will be, but once a month is a good place to start.
Enforce access control
Access control is the process of allowing legitimate employees into your system while barring unauthorized users. If your organization stores data in the cloud (and statistically speaking, it probably does), both employees and threat actors may be able to access that information with mobile devices.
Access control can incorporate many different aspects of cybersecurity, from implementing zero-trust principles on a remote server to issuing keycards in a physical office. However, authentication and authorization comprise the backbone of this strategy. Have your employees create strong passwords, change them often, and add multi-factor authentication (MFA) for an additional layer of security.
Monitor shadow IT
Your employees are probably going to use their own apps and devices — even if you tell them not to. That’s especially true with mobile devices, given how commonplace bring-your-own-device (BYOD) programs are. You shouldn’t necessarily try to stamp out shadow IT, but you should gain some visibility into it. The right mobile security solution can give you a better picture of your overall mobile risk posture and more visibility into unvetted apps.
Encrypt sensitive data
From small businesses to enterprise-level operations, every organization has sensitive data to protect. While data encryption isn’t specific to mobile devices, it does provide a vital layer of security against threats to smartphones and tablets. Cloud computing has made sensitive data theoretically accessible from any device, anywhere with an internet connection. As such, there are now many more avenues of attack for threat actors than there were in the days of on-site servers. IT managers can automatically encrypt sensitive data with tools like enterprise digital rights management (EDRM).
Educate employees
An informed employee is your best defense against mobile threats. As such, you should teach them the cybersecurity essentials they need to protect themselves — and your organization’s data. Take mobile phishing, for example. A texting app may be perfectly safe in and of itself. However, a savvy threat actor could use that app to trick an employee into giving up login credentials or an MFA code. A malicious app disguised as the real thing could accomplish the same goal. If your workers know how to spot the signs of social engineering, they’ll be more likely to use legitimate apps safely and avoid deceptive ones altogether.
Implement mobile EDR
Mobile app security is an ongoing process, so you’ll want tools that evolve alongside the threats. A mobile endpoint detection and response (EDR) solution can provide real-time protection for your organization’s mobile devices. Using comprehensive data sets and sophisticated algorithms, mobile EDR tools can identify malicious sites and apps, alert employees to phishing attempts, and even protect data from known threat actors. Mobile EDR software can also grant conditional access based on a given user’s or device’s current risk factors.
Comply with industry regulations
Depending on your industry, you may have to incorporate compliance standards into your mobile device security strategy. For example, the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union both dictate how private organizations can access, store, and share personal data. Each industry has different compliance practices, but a data-centric mobile security strategy can help keep protected information in the hands of authorized users.
Safeguard your data with mobile EDR
To improve mobile app security at your organization, mobile EDR can be an invaluable tool. For IT managers, mobile EDR can help identify out-of-date or malicious apps. At the same time, employees get real-time protection from phishing and social engineering schemes. Read the Lookout e-book The Mobile EDR Playbook: Key Questions for Protecting Your Data to learn how this technology can be a vital part of your cybersecurity strategy.