Using Certificates to Secure the Rising Tide of Mobile Apps

Those who have been in the IT industry for 20 years or more will have witnessed enough changes to fill the sea twice over. Each change is necessary, but some are more interesting than others. For example, the rise of mobile applications is undoubtedly one of the biggest waves of change to hit the world of business.

Who’s responsible for mobile app security?

With consumer mobile applications such as video games and social media, it is easy to spot security vulnerabilities if you are someone with a background in the field. However, mobile app developers do not naturally possess a deep knowledge of security, which can ultimately leave their applications open to risk that hasn’t even occurred to them.

Personally, I've been involved with Public Key Infrastructure (PKI) since the start of my career, when I helped develop applications for the U.S. government. As such, security has always been my first consideration. And one of the first points I sought to clarify at the dawn of mobile applications was to find out who was responsible for distributing and managing mobile security certificates. (See this Venafi blog post for a detailed look at some of these questions: Forrester Research Uncovers Gaps in Mobile Certificate Security.)

Security issues with mobile apps are on the rise

Awareness of the mobile-app-security issue has gone mainstream in the wake of recent certificate-related incidents that have captured consumers' attention. Legions of coffee drinkers deleted the Starbucks mobile app in response to hacks that parlayed Starbucks's weak security into direct access to customers' bank and credit card accounts. Similarly, the OnStar RemoteLink app's weak certificate checks enabled hackers to track, unlock, and even start GM cars remotely, which made GM drivers think hard about using the vehicle manufacturer’s mobile app. GM fixed the issue, but many of its rivals seemed to have ignored it; recently, a hacker exploited the very same certificate weakness in iOS applications for BMW, Mercedes, and Chrysler.

Problems like these show just how crucial digital keys and certificates are; indeed, they are the foundation of security for all connected devices. Yet with even the most conservative organizations developing business applications for mobile devices, keeping track of them has become difficult. As I write this, businesses continue to expose information that was previously restricted to their own networks.

To further muddy the mobile-security waters, the Bring Your Own Device (BYOD) revolution has meant that employees are accessing business information using devices that are outside of organizational control. All this has made verifying digital certificates much more difficult. Yet until these conditions change, cybercriminals will be able to misuse digital certificates and take advantage of company or employee data residing on mobile devices, simply because it's easy to do.

Digital certificates must be secured to keep your mobile apps safe

To prevent this misuse by cybercriminals, mobile app developers must be able to manage and protect their cryptographic keys and digital certificates. Venafi has security tools available today that allow developers to discover and control certificates on mobile devices. Venafi also integrates with most mobile device management (MDM) solutions to help enforce business-established policies, which can keep you afloat on a sea of regulations and security requirements.

How does your enterprise use certificates to secure its mobile apps? What do you see as the biggest security challenges to enterprise apps and mobile device usage?