On 3 April 1973, Martin Cooper, a Motorola researcher and executive, made the first mobile call from a phone weighing a little over 1kg. Fast-forward to 2016. The average mobile phone is much lighter and faster than the 1973 version, it offers more functionality and it contains more computing power than the earliest personal computers. It seems clear that mobile technology is here to stay, as increasing numbers of consumers and enterprises alike adopt its convenience, speed and benefits. “As the number of people who own and use cell phones continues to grow, so does the use of smartphones. 91% of the US adult population currently owns a cell phone and of that 91%, 61% are smartphones.” 1 With such technological change, especially at the enterprise level, IT audit and security professionals must adapt to the changing threat landscape created by mobile applications (apps) by getting ahead of the risk by putting proper controls in place and testing mobile apps from conception to release.
In order for the proper controls for mobile apps to be developed and tested, one must first dissect the layers of risk. As illustrated in figure 1, there can be multitudes of layers, but the basic risk segments can be divided into four main mobile app security categories:
Enterprise or consumer-only apps share the same types of risk and threats. However, some enterprise risk factors are unique in their own ways and, to address this risk, one has to assess the business value proposition for creating enterprise apps. According to one article, “Mobile devices dominate consumer use to the point that enterprises are seeing the value of integrating them into the workplace as well.” 2 There are three desired benefits:
One of the challenges facing auditors is specifically assessing how to go about tackling risk factors in mobile apps. The layers illustrated in figure 1 help the auditor dissect the threat areas. Also, there must be some basic controls in place for more complex controls to be addressed and implemented. Although the testing framework proposed in figure 2 does not encapsulate all complementary controls, it focuses on the key controls required to have a basic maturity level around strengthening mobile apps security.
It is imperative that IT auditors work with all teams within the organization responsible for the development of mobile apps—business, IT development, IT security, legal and compliance. Auditors must facilitate the process of policing the efforts of mobile app development and implementing a basic robust framework that determines a minimum amount of security controls that allow mobile apps to withstand the risk of operating in a vulnerable mobile environment. In addition to the basic auditing framework laid out in this article, it is recommended to use a penetration testing framework that applies to all mobile apps prior to their release. In addition, penetration testing must be performed as the mobile app is updated and newer technology is put in place to support the app. This reduces the risk of external and internal vulnerabilities that can result in the compromise of data.
1 Collat School of Business, “The Future of Mobile Application,” infographic, University of Alabama, Birmingham, USA, http://businessdegrees.uab.edu/resources/infographics/the-future-of-mobile-application/
2 Poole College of Management Enterprise Risk Management Initiative, “Managing Risks of the Mobile Enterprise,” North Carolina State University, USA, 1 October 2012, https://erm.ncsu.edu/library/article/manage-risks-mobile-enterprise
Mohammed J. Khan, CISA, CRISC, CIPM
Is a global audit manager at Baxter, a global medical device company. He works with the chief audit executive, chief information security officer and chief privacy officers. He has spearheaded multinational global audits in several areas, including enterprise resource planning systems, global data centers, third-party reviews, process reengineering and improvement, global privacy assessments (European Union and the United States), and cybersecurity initiatives in several markets over the past five years. Most recently, he has taken on further expertise in the area of medical device cybersecurity. Khan has previously worked as a senior assurance and advisory consultant for Ernst & Young and as a business systems analyst for Motorola.