Wandera helps manage the risks a mobile fleet poses to corporate data  

The company offers a secure mobile gateway in the cloud that customers route data through, and a corresponding app that gets installed on end user devices

The 2016 holiday shopping season is barely in the rearview mirror and already the retail analysts are claiming that sales via mobile devices hit a new all-time high. According to Google Analytics data, 30% of all online shopping now happens on mobile devices.

That’s good news for e-commerce companies—assuming they provide shoppers with a secure application that isn’t leaking sensitive information such as user credentials and financial transaction data. How long will it be before we hear of a significant data breach due to a poorly secured mobile app?

Wandera, a company that provides security and management for mobile data, recently issued its 2017 Mobile Leak Report, which outlines threats to enterprise mobile data. The report covered a three-month span in 2016 in which Wandera observed leaks and threats to sensitive data in more than 200 mobile apps and mobile-specific websites. Data leaked included 16-digit credit card numbers coupled with expiration dates and other details an unauthorized person would need to make an actual purchase.

In other cases, Wandera observed the leakage of usernames, passwords, email addresses, phone numbers, users’ physical addresses, passport information, and lots of financial data. Apps that leak usernames and passwords are worrisome because credentials, in the wrong hands, can allow a bad actor to access much more than a single transaction.

Wandera’s researchers tested the data security and privacy capabilities of numerous types of mobile apps and found that cloud storage services and other apps found in official app stores seem to have good security practices. The company reasons that those services have been built and are maintained by companies that have an established security process in the app development lifecycle.

Close to 60% of the leaks identified by Wandera came from just three categories of mobile apps: news and sports, shopping sites, and custom Internet pages and homepages for business providers. In short, the majority of data leaks come from the types of apps and sites that mobile workers use and visit on a frequent basis.

Oftentimes vulnerabilities are introduced when app developers don’t spend sufficient time and effort to test their apps end-to-end before rushing them to market. Wandera cites one example of a travel app that allows people to purchase plane tickets. The initial ticket purchase is fully secured. However, if the traveler goes back into the app to purchase a seat upgrade, that portion of the routine fails to fully secure the credit card transaction.

Wandera offers a variety of services to secure and manage mobile data. While enterprise mobility management (EMM) tools tend to focus on the device, Wandera focuses on the data that goes from the device out to the Internet and back, making these two mobile security approaches a complement to each other.

Wandera’s customers tend to be global companies that have a mandate to protect certain types of data. These clients generally have a lot of knowledge workers who use mobile devices to access and process corporate data. The devices can be company-owned or personally-owned; what’s important is the data, not who owns the device.

Wandera’s solution is based on a secure mobile gateway in the cloud that customers route their data through, and a corresponding app that gets installed on end users’ devices. The endpoint app does some local scanning on the device and configures the ability to direct the traffic from the device through the cloud gateway without using a VPN. Any web request coming off a protected device goes through the cloud service where Wandera can apply various forms of screening and protection. For example, the service looks for outbound requests that are intended to go to a known malicious site and prevents that action. If the device is attempting to transmit sensitive data in the clear, Wandera can block the connection or take other actions as specified by the customer organization.

When these transactions are occurring, some of the traffic is HTTPS and it merely flows through the gateway service uninspected. If the traffic is not encrypted, Wandera inspects all sorts of conditions, such as where the traffic is going, whether the target app or website has vulnerabilities, and whether the content is unprotected PII. Wandera says it uses machine learning and data science to make sense of the vast amount of information flowing through the gateway service.
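The kind of cleartext inspection described above can be sketched as follows. This is an added example, not Wandera's code: the function names, the field-name list, the findings text and the sample request are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed field names that indicate credentials or contact data.
SENSITIVE_KEYS = {"user", "username", "password", "passwd", "email", "phone"}
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")  # 16 digits, optional separators
EXPIRY_RE = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})(?!\d)")  # MM/YY(YY)

def luhn_ok(digits):
    """Luhn checksum; rejects most 16-digit values that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect_request(raw, scheme):
    """Return findings for one request as an inspecting gateway would see it."""
    if scheme == "https":
        return []  # encrypted traffic flows through uninspected
    head, _, body = raw.partition("\r\n\r\n")
    target = head.split("\r\n", 1)[0].split(" ")[1]
    params = parse_qsl(urlsplit(target).query) + parse_qsl(body)
    findings, has_pan, has_expiry = [], False, False
    for key, value in params:
        if key.lower() in SENSITIVE_KEYS and value:
            findings.append(f"cleartext sensitive field: {key}")
        for m in PAN_RE.finditer(value):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # order IDs and similar numbers fail here
                has_pan = True
                findings.append(f"cleartext card number: ****{digits[-4:]}")
        has_expiry = has_expiry or bool(EXPIRY_RE.search(value))
    if has_pan and has_expiry:
        findings.append("card number sent together with expiry date")
    return findings

# Constructed sample: a seat-upgrade form posted over plain HTTP (test card number).
SAMPLE = ("POST /seat-upgrade?user=alice HTTP/1.1\r\n"
          "Host: travel.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "card=4111+1111+1111+1111&exp=09%2F27&order=1234567890123456")

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE, "http"):
        print(finding)
```

The Luhn check is what keeps the 16-digit `order` value in the sample from being reported as a card number, and findings mask all but the last four digits so the inspection log does not itself become a leak.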

Wandera evaluates the risk in various mobile apps and websites. If the researchers identify a vulnerability, the company reaches out to the app or website owner to notify them of what was found. It then packages up information about the vulnerability, shares it with the offending company, and leads them to fix it before other users of the app are affected. For example, just before the Super Bowl in 2015, Wandera found a data leakage vulnerability in the official NFL app at a time when millions of people would want to use it. Researchers notified the app owner so they could address the vulnerability and issued a public threat advisory.

A key part of the Wandera solution is a small app that gets installed on each mobile device. This code was built to be tamper-resistant so that an end user can’t deactivate or remove it to circumvent the security. The app uses about 2% of the device’s resources, so it won’t drain the battery when running. What’s more, the security operations are imperceptible to the end user, so there is no change to the mobile data browsing experience.

Many organizations allow employees to use their personally owned devices. They typically have a policy that requires users to allow data and device monitoring, within reasonable limits. For example, users expect to have corporate activities monitored on the device but not their private activities. Wandera accounts for BYOD through a privacy-preserving feature in the reporting engine known as Radar. Reports track data and activities by a device identifier rather than by a user identifier. What’s important to Wandera is that corporate data is protected according to policy. What end users do with their private browsing and app use is of no interest.
