Why mobile app security matters in the age of IoT

Fifty billion. Think about that number. It’s seven times bigger than the planet’s entire population at the moment. That’s how many devices will be connected to the internet by the time you’ve had another five birthdays. Clearly, the vast majority of those devices won’t be in your pocket, in your briefcase or satchel or on your desk.

Those things will be controlling the air-conditioning and heating systems in your home, managing pacemaker and insulin pump, controlling lights and curtains so the light level in your home or office remains constant and giving a live view of what’s going on at home or work from a security camera.

And a great many of those devices will be collecting and streaming data to mobile devices. Welcome to the mobile powered Internet of Things (IoT).

When people think about mobile app security, their main areas of concern are often things like data leakage from banking apps, their personal information being siphoned off by poorly coded or intentionally malicious software or even programs that use the microphone and camera in your smartphone to spy on you. Sometimes, those actions are intentional but, as a recent study from Gartner showed, poor application design resulted in 75% of all the mobile apps they tested failing basic security tests.

Those error levels come about as the result of a variety of factors. Developers might be under pressure to rapidly develop and deploy software in order to meet marketing targets. Or cost cutting means that important testing processes are abbreviated or the software is created by less-skilled developers who are hired on price rather than the quality of their work.

People are rightly concerned that their personal data and privacy could be compromised either intentionally or accidentally by poorly coded software. But imagine if a badly written app resulted in someone’s death because either a software error or malicious actor manipulated the operation of a device that’s meant to help sustain life.

Many of the concerns about IoT security have, justifiably, been focused on the design of those billions of small devices. Many are very inexpensive and are so limited that they even lack the memory capacity to receive a system update, much less have a mechanism for receiving updates. Some, such as a Miele dishwasher, are rushed to market with poorly secured software that allowed hackers to manipulate the device’s operation.

A more serious issue – one that could have threatened global security – played out just a decade ago. The US vice-president, Dick Cheney, was known to have heart problems and had been fitted with a pacemaker. That pacemaker was equipped with a Wi-Fi radio so it could be monitored and programmed by doctors without further surgical intervention. Incredibly, that device was poorly secured and could have been manipulated by a threat actor, causing the vice-president to having a major heart attack and die.

It was estimated that the time for such a threat to be executed resulting in death was less than ten seconds.

The good news is that many of those devices can be managed securely even if the devices themselves aren’t built with security as a primary focus.

In order for IoT devices to do anything useful, they need to communicate and a great many of them use smartphones as their command and control centre. By designing mobile applications, that work with IoT devices, in a secure environment you can ensure data being sent to and coming from IoT device is not tampered with. Thus some of the main risks around IoT can be mitigated.

So, how do you ensure apps aren’t tampered with and that data isn’t intentionally or accidentally siphoned to and from IoT devices that are managed through mobile apps? The answer is to start by developing applications within a secure environment that ensures application updates that address newly discovered issues are deployed and that applications can be properly assessed for vulnerabilities by looking at they handle data, ensuring that applications only run on platforms with certified firmware that haven’t been ‘rooted’ with non-standard firmware. Encryption can be used to protect applications and the data they handle.

The Quixxi approach uses two different sets of tools to better support mobile device security so IoT environments can be better protected.

Quixxi Security assesses applications and helps find vulnerabilities before they become serious threats. It does this through a variety of techniques such as penetration testing and validating that the apps are running on secure environments.

Quixxi Supervise allows the app itself to monitor the security stance of the device it is running on, and more importantly, its own integrity. If the app detects the mobile device state is insecure – it won’t launch. Similarly, if the App detects it has been tampered with – it will terminate, or optional, warn the user.

Together, these tools help secure the apps that control IoT devices which will become an indelible feature of our workplaces and homes.

Try it for free today at quixxi.com

Is your mobile app for your customers handles any sensitive information (personal, health, financial) then it is a potential target for threat actors? The Quixxi Security suite assesses how secure your app is and optionally allows you to shield it against attack. All with one click, from your finished App. Head over to quixxi.com and get a free vulnerability test, it only takes a few minutes to identify where the vulnerabilities are and prevent any risks before it is too late.