Interview: Building secure apps from the ground up

13 Nov 18
Sponsored

Digital transformation is allowing companies to automate many in-house processes and make them more efficient by building their own apps.

However, these apps need to have security built into them from day one, or they may unknowingly become another threat surface attackers can leverage.

Techday spoke to Mobile Mentor mobile security head Liz Knight about common threats they’re facing, how companies can secure their apps, and why this is important.

What are your roles and responsibilities as head of mobile security with Mobile Mentor?

I lead a team of specialised engineers that are experienced in deploying mobility solutions to government and enterprise customers.

We are trained and certified with the major Unified Endpoint Management (UEM) vendors as well as Google and Apple, which gives a holistic understanding of the mobile ecosystem.

The team is responsible for designing and implementing mobility solutions that have integrations with customers' cloud and on-premise infrastructure.

This includes securing devices with the latest vendor solutions including Apple Business Manager, Google Android Enterprise and Samsung KNOX, protecting devices from malicious applications and designing specialist configurations to meet customers’ security requirements.

We have unique knowledge and experience in how to deploy and secure enterprise apps, enabling Single Sign On (SSO) and access to remote systems.  

Why is mobile security important in app building?

Security should be a key consideration from the initial design phase before any build even begins.

Apps can be vulnerable to data leakage, malicious code insertion, privacy issues and other security threats.

Securing enterprise apps may be as easy as adding an SDK such as the Intune App SDK to containerise and encrypt app data or the ADAL library to enable SSO leveraging Azure Active Directory (AAD) during the build phase.

You don’t want to finish your app build and then realise the app is not secured and users can’t authenticate using their corporate credentials.

What are the security threats you've encountered and what other trends are you seeing?

While we don’t see much rooting or jailbreaking of devices these days, we do see threats from insecure networks, browsing and malicious apps.

Many older Android devices are not encrypted which means data leakage is a major concern.

Some apps look reputable but may be sending data offshore to third-party servers and have access to the device KeyStore and other functions such as the microphone and camera.

We recommend customers use a Mobile Threat Defence (MTD) solution to get visibility of risky apps and integrate with a UEM solution to automate the quarantining of devices that have been detected with malicious apps installed.

How does PowerApps factor in security from the app building stage?

PowerApps leverages Azure Active Directory for authentication out of the box, which includes the ability to enable Multi-Factor Authentication (MFA).

MFA requires the user to provide an additional factor of authentication before access to an app is granted.   

Is there the possibility to integrate offerings from external security vendors? 

Yes, the best approach to PowerApps security is a layered approach.

Start by using a UEM solution such as Intune to secure the device layer, then leverage vendor solutions such as Apple Business Manager and Android Enterprise to apply policies and data loss controls around the deployed PowerApps, and then leverage Azure AD and MFA to secure the authentication and user identity.
