Interview: Building secure apps from the ground up
Digital transformation is allowing companies to automate many in-house processes and make them more efficient by building their own apps.
However, these apps need to have security built into them from day one, or they may unknowingly become another threat surface attackers can leverage.
Techday spoke to Mobile Mentor mobile security head Liz Knight about common threats they’re facing, how companies can secure their apps, and why this is important.
What are your roles and responsibilities as head of mobile security with Mobile Mentor?
I lead a team of specialised engineers that are experienced in deploying mobility solutions to government and enterprise customers.
We are trained and certified with the major Unified Endpoint Management (UEM) vendors as well as Google and Apple which gives a holistic understanding of the mobile ecosystem.
The team is responsible for designing and implementing mobility solutions that have integrations with customers cloud and on-premise infrastructure.
This includes securing devices with the latest vendor solutions including Apple Business Manager, Google Android Enterprise and Samsung KNOX, protecting devices from malicious applications and designing specialist configurations to meet customers’ security requirements.
We have unique knowledge and experience in how to deploy and secure enterprise apps, enabling Single Sign On (SSO) and access to remote systems.
Why is mobile security important in app building?
Security should be a key consideration from the initial design phase before any build even begins.
Apps can be vulnerable to data leakage, malicious code insertion, privacy issues and other security threats.
Securing enterprise apps may be as easy as adding an SDK such as the Intune App SDK to containerise and encrypt app data or the ADAL library to enable SSO leveraging Azure Active Directory (AAD) during the build phase.
You don’t want to finish your app build and then realise the app is not secured and users can’t authenticate using their corporate credentials.
What are the security threats you've encountered and what other trends are you seeing?
While we don’t see much rooting or jailbreaking of devices these days, we do see threats from insecure networks, browsing and malicious apps.
Many older Android devices are not encrypted which means data leakage is a major concern.
Some apps look reputable but maybe sending data offshore to third-party servers and have access to the device KeyStore and other functions such as the microphone and camera.
We recommend customers use a Mobile Threat Defence (MTD) solution to get visibility of risky apps and integrate with an UEM solution to automate the quarantining of devices that have been detected with malicious apps installed.
How does PowerApps factor in security from the app building stage?
PowerApps leverage Azure Active Directory for authentication out of the box which includes the ability to enable Multi-Factor Authentication (MFA).
MFA requires the user to provide an additional factor of authentication before access to an app is granted.
Is there the possibility to integrate offerings from external security vendors?
Yes, the best approach to PowerApps security is a layered approach.
Start by using an UEM solution such as Intune to secure the device layer, then leverage vendor solutions such as Apple Business Manager and Android Enterprise to apply policies and data loss controls around the deployed PowerApps and then leverage Azure AD and MFA to secure the authentication and user identity.