I was recently introduced to a published draft by the National Institute of Standards and Technology (NIST) from the U.S. Department of Commerce which talks about assessing the threats to mobile devices & infrastructure. The document discusses the Mobile Threat Catalogue which describes, identifies and structures the threats posed to mobile information systems. This blog summarizes the 50-page document with added context and commentary based on my experience in the mobile industry helping organizations building mobile apps.
More than ever before in today’s connected world, the security and protection of our information has the highest priority. Recent Distributed Denial of Service (DDoS) attacks that brought down the internet were generated with the unauthorized use of the Internet of Things (IoT) devices, proving yet again that security breaches can be crippling. The use of mobile devices continues to grow globally and most organizations now have mobile apps that access mission critical information. It is then important to have a broader view of the entire mobile security ecosystem and understand everything that involves mobile security. As they say, “information is the most powerful weapon” - in this case to protect our mobile solutions.
The NIST document outlines a catalog of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security solutions to better protect enterprise information technology (IT). Smartphones and tablets running modern mobile operating systems are the primary targets in this analysis, not IoT devices.
Mobile devices contain integrated hardware components to support a variety of I/O mechanisms and while some of the communication mechanisms are wireless (i.e., cellular, WiFi, Bluetooth, GPS, NFC), they also include physical connectors (i.e., power and synchronization cable, SD cards, SIM cards, etc.). Wireless and wired device communication mechanisms expose the mobile device to a distinct set of threats and must be secured or the overall security of the device or app may be compromised. 
What do we secure?
Since mobile devices can store a lot of data, personal and enterprise data becomes a target, from sensitive information like home address, telephone number, medical information and credit card numbers to authentication information (users & passwords). Protecting data also means protecting identity as identity theft can be used to gain unauthorized access to information that can then be compromised or stolen.
Mobile Security Ecosystem
Here the Mobile Security Ecosystem relates to general threat categories that need to be reviewed and understood.
Threats to mobile apps can be classified in 2 groups:
- Software vulnerabilities to exploit data residing within the mobile app running on the mobile operating system, and
- Malicious or privacy-invasive apps that identify malware based threats to damage your device and/or mobile service.
There are different types of authentication mechanisms for mobile apps; authentication access to devices, to remote services, to remote networks, and to enterprise systems. Vulnerabilities in the mobile apps represent a very high risk of compromising sensitive personal or enterprise data. In summary, mobile app security is about data protection in the mobile app itself.
Checklist for Securing Mobile Applications
While building mobile apps, the architecture, and design of the app becomes a critical first step for security, decisions need to be made and best practices need to be followed.
Here’s a checklist of considerations for the architecture design.
- Data transfer encryption
- Data-at-Rest encryption
- Store on device and/or store on the cloud
- Data input validation
- Use of tokens or keys
- Hashing and salting passwords
- Authentication and corporate Identity Management Integration
- Security policies with an Enterprise Mobility Management system (EMM)
- Need for VPN connectivity
- Backend integrations (legacy, web services, RESTful APIs, etc.), use only the data you need, do not transfer everything
- Secure storage in the cloud and on-premise
- Files permissions
- Log files and auditing information
- Plan for penetration tests
- Government or regulatory compliance
- Choice of Mobile Application Development Platform features
More information about mobile app development security best practices by major players in the space:
- Security best practices for Cordova apps
- Apple iOS apps security guide and iOS security development checklist
- Best practices for Android apps security and privacy
Enterprise Mobility Management
EMM systems are a common way of managing employee mobile devices in an enterprise. They include a combination of mobile device management (MDM) and mobile application management (MAM) functionality. MDM focuses securing and monitoring mobile devices, while MAM focuses on app distribution and controlling user access to apps. The key feature for EMM systems is to deliver mobile policies, such as only allowing a whitelisted set of applications to run, remote data wipe, ensuring a lock screen and disabling certain device peripherals (e.g., camera). Different vendors offer different sets of policies, it is important to compare and review differences. These are implemented via SDKs developers have to use while building apps or by a “wrapper” mechanism on built mobile app binaries.
Other sources of vulnerabilities in the mobile ecosystem
Mobile Operating Systems
Vulnerabilities found at mobile operating systems level which are typically addressed by the platform vendors in a form of patch or new release (Android, iOS, Windows). An example of vulnerabilities is Android 2.3 Gingerbread which is no longer supported by Google and has been considered one of the mobile operating system versions with the most malware attacks.
Plugins provide access to device hardware and other peripheral device functionality that is ordinarily unavailable to web-based apps (i.e.. camera, geolocation, device motion, accelerometer, vibration, battery status). Apache Cordova plugins are an example of mobile apps using device functionality and a potential security risk, especially when developers create their own plugins or identify a vulnerability on Cordova. Just like the mobile operating systems, Cordova, and similar products report and address security issue, for example, a critical issue identify on Apache Cordova for Android 4.0.2 and 3.7.2 releases.
SD cards are removable memory used to expand the storage capacity of mobile devices to store data such as photos, videos, music, and application data. Similar other media devices in the Laptop/Desktop world, SD cards can be source of malware and spyware.
This removable hardware is a chip housing the International mobile subscriber identity (IMSI) needed to obtain access to cellular networks, pre-shared cryptographic keys, the phone number and even contact information. Every mobile device has a SIM card (3G & 4G) making it the most widely used security token in the world, still hackers can send properly signed binary SMS (text messages), which downloads Java applets onto the SIM that can access phone number and identity information. Use of modern SIM cards with the latest cryptography an SMS firewall for selection of binary SMS to trust are recommended to secure SIM Cards.
Mobile carrier infrastructure and interoperability
This relates to the Mobile Operator and includes threats to the base stations, network backhaul, cellular network cores and signaling threats associated with the widely used Signaling System No. 7 (SS7) networks in the mobile networks. With 4 Generation (4G) mobile networks the move from proprietary networks and protocols to IP-based networks brought a lot of changes, many of the positive from the operation side, but at the same time brought new security risks never seen by Mobile Operators. There is not much either a mobile app developer or an organization can do at the network infrastructure level to tackle such vulnerabilities, but it is important to be aware of the risks at infrastructure and interoperability level.
There are many more details, a lot more things to learn with regards to mobile app security, an understanding of the ecosystem and the security threats is a good first step to take on building your secured mobile solutions.