Mobile Application Security – CompTIA Security+ SY0-401: 4.2

Managing the applications running on mobile devices requires some additional security planning. In this video, you’ll learn about key management, managing credentials, geo-tagging, and application whitelisting.



Our mobile devices store a lot of data, and if we want to protect that data then we're going to need to encrypt it. Fortunately, there's a lot of encryption technology already built into your mobile device, and encrypting that stored information becomes even more important because the device travels everywhere with you and can easily be lost or stolen. You want to be sure that nobody who picks it up gets their hands on your private information.

Many times you can store this data encrypted on the mobile device. As soon as you save it, it's written to storage in encrypted form. Very often the device's storage encryption is tied to the device credentials, so you have to have the proper passcode or other credential to unlock that mobile device before the data can be read. Of course, we're also going to be sending that data across a network: a wireless network, a Bluetooth connection, the mobile provider's network.

So there are encryption and security APIs (application programming interfaces) that send this data across the network via SSL, or today its successor TLS, which is obviously a very popular and ubiquitous encryption technology. Usually if you're communicating back to a mobile device manager, you will need to set up that mobile device manager with the proper SSL/TLS certificates.

You'll need to have a certificate issued by a trusted certificate authority, or have your own certificate authority in your organization whose certificate is then pushed down to your mobile device, so that the mobile device will trust the server it's communicating with. Without that trusted CA on the device, the device has no way to tell your real MDM server from an impostor presenting its own certificate. It's usually your mobile device manager administrator who's setting up these policies for encryption, so they'll be sure that your mobile device will encrypt data on the device as well as encrypt the data as it's going across the network.

Many of the applications on our mobile devices require that you log in with a user name, password, or some other type of authentication mechanism. This is usually something that's separate from the application code itself, and it may be integrated into the mobile device itself. These are almost always server based, so your credentials, the user name and the password, are usually stored and checked on that remote server (ideally as password hashes rather than the passwords themselves). That way it's very easy to manage the user name and the password and whatever other credentials you're using.

If you had all of those credentials living on all of your different devices, the administration of those would be a lot more difficult. Credentials are communicated across the network in encrypted form, so SSL/TLS is commonly used to protect them as they cross wireless networks or the mobile provider's network.

Sometimes the application doesn't actually do any encryption, and that's a problem if we're sending credentials or other sensitive information out over the network. So it's very common for a mobile device manager administrator to do some auditing of the applications to make sure that when information is sent from one end of the network to the other, all of that information is encrypted and protected. It's also common, both on our desktops and our mobile devices, to use a third-party authentication mechanism to gain access to an application.

One very common one is a button to log in with your Facebook credentials, or log in with your Google credentials. Those are using something called a transitive trust (also called federated authentication). If you've authenticated properly with Google, we trust, therefore, that you are that user and we allow you access to the application that you need to use. The application still has to verify that assertion with Google itself rather than simply take the client's word for it, or the trust isn't worth anything.

The location services functionality on our phones and tablets can determine where we are at almost any time, using a number of different mechanisms to narrow down your position. It might be GPS. It might be the wireless network you're communicating with. Or it may triangulate where you are based on your mobile provider's antennas. In any case, your device keeps track of where you are, and if geotagging is enabled it adds this location information to the metadata of the documents you create.

If you take a picture or save a document, the location of where you created that picture or saved that document can be included with the file that is stored on your device and sent along with it. For photos this lives in the EXIF metadata. This means that anybody who receives that file can look through the metadata and determine the latitude and longitude of where you happened to be. This is very easy to read. It's not encrypted. It's simply included in a standard, documented format alongside the content you happen to be sending.

So this can obviously have some security concerns associated with it, especially if you're not interested in telling people where you happen to be. If you upload a picture to social media, the service may read that metadata and not only post your picture, but tell everyone where the picture was taken based on the latitude and longitude. So if you're trying to maintain a level of privacy and not let people know your exact location, you may want to look at changing a number of these location services settings on your mobile device, or strip the metadata from files before you share them.
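To make the geotagging point concrete, here is an added example (not part of the video) that builds a minimal JPEG carrying only an EXIF GPS block, reads the latitude and longitude back out of it, and then strips the EXIF segment the way a "remove location before sharing" step would. The JPEG has no image data and the coordinates are constructed; the marker, tag and type constants are the standard JPEG/EXIF values, and everything else (function names, the sample coordinates) is this example's own.

```python
import struct

# JPEG markers and the EXIF/TIFF tags used below (standard values)
SOI, APP1, SOS, EOI = 0xFFD8, 0xFFE1, 0xFFDA, 0xFFD9
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
EXIF_HEADER = b"Exif\x00\x00"


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal JPEG: SOI, one EXIF APP1 segment carrying a GPS IFD, EOI.
    No image data; this is a constructed sample for the parser below.
    All offsets are relative to the start of the big-endian ('MM') TIFF header."""
    ifd0_off = 8                                  # IFD0 directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4               # IFD0: count, one 12-byte entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4            # rationals stored after the 4-entry GPS IFD
    lon_off = lat_off + 3 * 8                     # three RATIONALs (two uint32 each) per coordinate

    def entry(tag, typ, count, value4):           # one 12-byte IFD entry; value4 is inline value or offset
        return struct.pack(">HHI", tag, typ, count) + value4

    tiff = b"MM" + struct.pack(">HI", 0x2A, ifd0_off)
    tiff += struct.pack(">H", 1) + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_off)) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += entry(TAG_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\x00\x00\x00")
    tiff += entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack(">I", lat_off))
    tiff += entry(TAG_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\x00\x00\x00")
    tiff += entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack(">I", lon_off))
    tiff += struct.pack(">I", 0)
    for num, den in lat_dms + lon_dms:            # degrees, minutes, seconds as numerator/denominator
        tiff += struct.pack(">II", num, den)
    app1 = EXIF_HEADER + tiff
    return struct.pack(">HHH", SOI, APP1, len(app1) + 2) + app1 + struct.pack(">H", EOI)


def iter_segments(jpeg):
    """Yield (marker, payload) for each marker segment; the SOS/EOI tail is yielded whole."""
    if jpeg[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (SOS, EOI):                  # scan data follows SOS; no more metadata after it
            yield marker, jpeg[pos + 2:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length counts itself, not the marker
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at off."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    out = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        out[tag] = (typ, count, tiff[base + 8:base + 12])
    return out


def _dms(tiff, raw4, e):
    """Dereference three RATIONALs (deg, min, sec) and return them as floats."""
    (off,) = struct.unpack(e + "I", raw4)
    v = struct.unpack(e + "IIIIII", tiff[off:off + 24])
    return [v[i] / v[i + 1] if v[i + 1] else 0.0 for i in range(0, 6, 2)]


def _to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in (b"S", b"W") else value   # southern/western hemispheres are negative


def read_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the file has no GPS tags."""
    for marker, payload in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order is chosen by whatever wrote the file
        if e is None:
            raise ValueError("bad TIFF byte-order mark")
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, e)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None
        lat = _to_decimal(_dms(tiff, gps[TAG_LAT][2], e), gps[TAG_LAT_REF][2][:1])
        lon = _to_decimal(_dms(tiff, gps[TAG_LON][2], e), gps[TAG_LON_REF][2][:1])
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its EXIF APP1 segment (where the geotag lives); other segments are kept."""
    out = struct.pack(">H", SOI)
    for marker, payload in iter_segments(jpeg):
        if marker in (SOS, EOI):
            return out + struct.pack(">H", marker) + payload
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return out


if __name__ == "__main__":
    # Constructed sample: 37 deg 46' 30" N, 122 deg 25' 12" W (not a real photo)
    photo = build_geotagged_jpeg([(37, 1), (46, 1), (30, 1)], "N", [(122, 1), (25, 1), (12, 1)], "W")
    print("geotag:", read_gps(photo))                    # (37.775, -122.42)
    print("after strip:", read_gps(strip_exif(photo)))   # None
```

Nothing in the file protects the coordinates: a few `struct.unpack` calls recover them from any copy of the photo. Stripping the APP1 segment removes the location, but note that it also removes every other EXIF field, which is usually the right trade when the goal is privacy.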

Our phones and our tablets are mobile computers with extremely powerful technology, and we usually have a number of different applications that we run on them. Some of them are games. Some are business applications. But all of them have to be loaded and run on that mobile device. The challenge, of course, from a security perspective is that not all of these applications are secure. Some are absolutely malicious and are designed to gather as much data as possible and send it off to the bad guys.

Android malware specifically is a growing concern, and there has to be a balancing act between what you want to allow your users to run and keeping all of their data safe at the same time. Many mobile device manager administrators address this challenge by creating application whitelists: a list of the applications that are allowed to be installed and run on that mobile device. Every other application is therefore not allowed on those mobile devices.

This obviously requires a bit of administration by whoever's managing the MDM, because every time a new application needs to be included, it has to be added to this whitelist. And that may be a good trade-off for your organization. You might not mind adding new applications to the whitelist if you can be assured that it's going to protect both your users' data and your company data from anything malicious on that mobile device.
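As an added example (not from the video or any particular MDM product), here is how an application whitelist check can be evaluated against a device inventory. The inventory rows, field names and allowlist entries are constructed. The point it demonstrates beyond the text: matching on the package name alone is not enough, because repackaged Android malware commonly reuses a legitimate app's name, so each whitelist entry is also pinned to the publisher's signing-certificate fingerprint and a minimum version.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    """One row of an MDM inventory report (hypothetical field names)."""
    package: str          # application identifier, e.g. an Android package name
    version: tuple        # parsed version, e.g. (3, 2, 0)
    signer_sha256: str    # hex SHA-256 of the signing certificate as reported by the device


def parse_version(text):
    """'3.2.0' -> (3, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


# Constructed whitelist: each permitted package is pinned to its publisher's signing
# certificate and a minimum version, so a same-named clone signed by someone else is rejected.
WHITELIST = {
    "com.example.mail": {"signer": "aa11" * 16, "min_version": (3, 0, 0)},
    "com.example.vpn":  {"signer": "bb22" * 16, "min_version": (1, 4, 0)},
}

# Constructed inventory rows from several devices (not real apps or devices)
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mail", parse_version("3.2.0"), "aa11" * 16),   # permitted
    InstalledApp("com.example.vpn", parse_version("1.2.5"), "bb22" * 16),    # too old
    InstalledApp("com.example.mail", parse_version("3.2.0"), "ff00" * 16),   # same name, different signer
    InstalledApp("com.games.flashlight", parse_version("9.9"), "cc33" * 16), # not listed at all
]


def evaluate_inventory(inventory, whitelist):
    """Return a list of (package, reason) for every app the whitelist policy does not permit.
    Checks run in order: listed at all, then signer matches, then version is recent enough."""
    violations = []
    for app in inventory:
        rule = whitelist.get(app.package)
        if rule is None:
            violations.append((app.package, "not on whitelist"))
        elif app.signer_sha256.lower() != rule["signer"].lower():
            violations.append((app.package, "signing certificate mismatch"))
        elif app.version < rule["min_version"]:
            violations.append((app.package, "version below minimum"))
    return violations


if __name__ == "__main__":
    for package, reason in evaluate_inventory(SAMPLE_INVENTORY, WHITELIST):
        print(f"BLOCK {package}: {reason}")
```

The signer check is what turns a name list into a real whitelist: an attacker can publish an app called `com.example.mail`, but cannot sign it with the legitimate publisher's private key, so its certificate fingerprint will not match the pinned value.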