Most people aren't thinking about security and data privacy when buying a scone at Starbucks with their phones, playing Angry Birds while commuting, or using whatever clever app is the cornerstone of your digital business strategy. If they give security any thought, they figure the developers took care of all that for them. The app is from a reputable company, and they got it from the app store -- or even directly from their employer. What could go wrong? A lot.
The global mobile infrastructure is a complex, interconnected, and desirable target. Companies must tackle potential security problems when formulating a B2B or B2C mobile strategy. While security particulars vary widely, depending on the type of app being deployed, it's up to IT leaders to ensure that user convenience never trumps protection of valuable enterprise or consumer information.
1. Insecure data storage
The Starbucks mobile app is one of the most widely used mobile payment apps in the US. Consumers simply enter their passwords once when activating the payment portion of the app and use it again and again to make unlimited purchases without having to re-input their password or user name.
While that might be convenient for a caffeine-starved public, Starbucks recently confirmed that its app was storing usernames, email addresses, and passwords in clear text. That allowed anyone with access to the phone to read passwords and usernames just by connecting the phone to a PC. Users' geo-location tracking points were stored in clear text as well. With this information in hand, unauthorized individuals would also have the credentials to log in to the Starbucks website. Because users commonly reuse the same username and password across systems, a single compromised password also puts their other accounts at risk.
Design apps in such a way that critical information such as passwords and credit card numbers do not reside directly on a device. If they do, they must be stored securely. For iOS, passwords should be stored within an encrypted data section in the iOS keychain. For Android, they should reside within encrypted storage in the internal app data directory, and the app should be marked to disallow backup.
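As an added example (not code from the article or from any vendor's app), the clear-text storage pattern described above beside a hardened Android alternative that follows the guidance just given: keep only a server-issued session token on the device, encrypt it under a key held in the Android Keystore, write it to internal app storage, and disable backup in the manifest. The key alias and file name are hypothetical.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// VULNERABLE: the clear-text pattern described above. Anyone who can read the
// app's data directory (or a device backup) recovers the credentials verbatim.
fun storeCredentialsInClearText(ctx: Context, user: String, password: String) =
    ctx.getSharedPreferences("login", Context.MODE_PRIVATE).edit()
        .putString("user", user).putString("password", password).apply()

// HARDENED: store a server-issued session token, never the password; encrypt it
// under a non-exportable AES key in the Android Keystore; write the ciphertext to
// internal app storage; and set android:allowBackup="false" in AndroidManifest.xml.
private const val KEY_ALIAS = "session_token_key" // hypothetical alias
private const val FILE_NAME = "session.bin"       // hypothetical file name

private fun sessionKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it } // reuse if present
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

fun storeSessionToken(ctx: Context, token: String) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, sessionKey()) // Keystore supplies a fresh 12-byte IV
    val ct = cipher.doFinal(token.toByteArray(Charsets.UTF_8))
    ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE).use { out ->
        out.write(cipher.iv); out.write(ct) // file layout: 12-byte IV | ciphertext + GCM tag
    }
}

fun loadSessionToken(ctx: Context): String? {
    val bytes = runCatching { ctx.openFileInput(FILE_NAME).use { it.readBytes() } }
        .getOrNull() ?: return null // no token saved yet
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, sessionKey(), GCMParameterSpec(128, bytes.copyOfRange(0, 12)))
    return String(cipher.doFinal(bytes, 12, bytes.size - 12), Charsets.UTF_8) // throws if tampered
}
```

Because the Keystore key is non-exportable, copying the data directory to a PC yields only ciphertext, and a failed GCM tag check on load signals tampering rather than silently returning garbage.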
Read the rest of this article on InformationWeek