How to secure the mobile apps for the WFH world
There’s a wonderful, amazing, incredible explosion in mobile apps for work. This explosion brings excitement and new ways of engaging, working, sharing, asking, rewarding, and preserving the mental health and wellness of all employees. At the same time, this explosion brings new security challenges and risks for both the developers of workplace apps and the IT & security professionals whose employees want to use these apps. Let’s examine why.
“There’s an App for That” – the Enterprise-Version
A simple Google search for “Top Apps for Work” or “Top Work From Home Apps” reveals a very different picture than the same search would have yielded 2 or 3 years ago. In the early years of enterprise mobile, employees would typically use a small handful of approved mobile apps in the workplace, on mobile devices issued and controlled by their employer. Then BYOD emerged and allowed employees to ‘enroll’ their personal devices in mobile management systems, partially ceding control of the device to their employer in order to gain access to more apps. Fast forward to today, and mobile app usage at work is almost totally democratized. WFH employees use dozens of apps for work on their own unenrolled/unmanaged devices almost at will, for many different work-related purposes – to get work done efficiently, to chat with their colleagues in real time, to stay well, mindful, fit, productive, and more. These mobile apps, sanctioned and unsanctioned, are used for everything work-related. The entire work lifecycle lives and breathes inside mobile apps.
The Evolution of Mobile Work
You may not remember what it was like to use mobile apps in the workplace circa 2015. Way back then, Microsoft Office and Office 365 dominated this landscape with work email, calendar, and office productivity apps such as word processing, spreadsheets, and presentations. That was about it. During this time, companies like VMware (AirWatch), MobileIron, and BlackBerry sold UEM/EMM solutions to provide email and productivity apps that competed with Microsoft, as well as to manage devices issued to corporate employees.
Around 2015, IT organizations began to expand their acceptance and adoption of mobile apps in the workplace to include a broader set of Android and iOS apps. IT began to review and, depending on the security model in these apps, sanction apps like expense reimbursement (e.g., Oracle Expenses), social enterprise apps (e.g., Slack, Jive, Mattermost), Business Intelligence apps (e.g., Tableau, Microstrategy), Cloud Storage (e.g., Box, Dropbox), and CRM (e.g., Salesforce). At the same time, VMware (AirWatch), MobileIron, and BlackBerry expanded their offerings by adding private app stores to distribute and manage workplace apps, along with encrypted VPN tunnels back to the enterprise network.
Then, in 2019, COVID hit the workplace and transformed what ‘mobile work’ means entirely. COVID ushered in a record-breaking increase in the types of mobile apps used for work as well as a surge in mobile app usage. COVID accelerated the existing trend towards mobile; it was, and still is, both a forcing function and a catalyst for the trend towards mobile work. The pandemic catapulted remote work to the default use case almost overnight, and app developers stepped in to meet the new needs of the WFH workforce. Today’s workplace bears little resemblance to the workplace of just 2 years ago.
Enterprise Customers Have High Expectations for App Security
If you’re an app developer who builds apps for today’s workforce, you already know that your customers have high expectations for the security protecting their data inside your mobile app. When your dreams of large enterprises using your apps come true, enterprise security expectations will be even higher. Enterprise customers require sophisticated security features to protect data, access and use of mobile apps when connected to the enterprise as well as offline. You may not have the resources or expertise to protect your app the way your enterprise customers want you to. How do you, as developers and IT professionals, stay ahead of the security risks and continue to expand the adoption of mobile apps by enterprise users?
Top 100 Mobile Apps for Work the IT Team Doesn’t Know About (Yet)
Let’s take a look at the Top 100 or so mobile apps for work – divided across 20 distinct categories, many of which are completely new!
- HR Automation – Rippling, Gusto, Successfactors (SAP), BambooHR, Connecteam, Workato
- Payroll Automation – Paychex Flex, Paycor, ADP
- Accounting Automation – Quickbooks, Sage Intacct, Freshbooks, Xero
- Workplace Mindfulness & Wellness – Headspace, Whil, CircleCare, Calm, 15Five
- Employee Assistance Programs (EAP) – LifeWorks, Limeade, MoveSpring, Ulliance
- Benefits Mgmt – Justworks, Zenefits, Gusto, Rippling, League Bswift, Ease
- Learning & Development – Pathgather, Degreed, BetterWorks
- Collaboration Tools – Notion, Figma, Miro, Airtable, monday.com
- Messaging & Communication – Slack, Blink, MS Teams, Brosix
- Expense Management – Expensify, Oracle Expenses, Neo
- Travel Management – Egencia, TripActions, TravelPerk, TravelBank, Spendesk
- Surveys – Surveymonkey, Typeform, Qualtrics, Alchemer, ConstantContact, SurveySparrow
- Spend Management – Airbase, Coupa, Ramp
- Quoting Tools – NetSuite QuoteEdge, mHelpDesk, Bitrix24
- Project & Task Management – Atlassian, Asana, Trello
- Business Processes – Jira, Zoho Creator, Lucidchart, Miro, Smartsheet, Asana
- Employee Engagement – Energage, Blink, Glint, Bonusly, Honey
- Electronic Signature – Adobe, DocuSign, HelloSign
- Time Management – Todoist, Stay Focused, Toggl
- Covid Vaccine Tracking – ReturnSafe, ADP, Workday, Oracle
As you can see, there is a far greater number and variety of apps used for work today. On top of that, mobile apps are used much more frequently, across an expanding set of discrete tasks, and over longer periods of time. As a result, the store of mission-critical business data is getting increasingly dispersed across a greater range of mobile apps. Employees’ personal data (and PII) are also increasingly stored inside mobile apps for work, often unprotected. All of this creates a wider attack surface for hackers to target and attack. The increased use of mobile apps at work also gives bad actors the right incentive to prioritize attacks on apps for work. This Darkreading article about the top mobile app security breaches captures the gravity of the problem. And as you can see in the article, even unquestionable success stories like Slack were not immune. The good news for app developers is that all hope is not lost. Keep reading to understand what you need to do in order to build enterprise-ready mobile apps that protect both employee and employer data at the same time (and that will also keep you and your apps out of the headlines).
How Can Developers of Apps for Work Keep Work Safe?
Here are some of the basic security strategies developers should consider in building the next generation of apps for work:
Include Basic Cyber Security Protections in Your Mobile Work Apps
A good starting point for protecting a workforce app is data protection. For example, encrypt data at rest using AES-256 encryption, and protect data in transit with TLS, strong cipher suites, and a robust defense against MitM attacks. You need data encryption to protect business data stored in the app (as well as secrets embedded in the code itself). You can also use certificate pinning to ensure that the connection between the app and your server is not compromised. Best practice would also suggest jailbreak/root prevention to guard against privilege escalation, which makes it easier for attackers to access the mobile app sandbox or data stored on the SD card.
Build Apps for Work that Pass Enterprise Pen Tests
Enterprise IT and internal security teams are demanding that all Android and iOS mobile apps for work pass penetration tests, vulnerability assessments, and code scans before being put into production and into the hands of mobile employees. Failing a pen test or vulnerability scan can put a big roadblock in deployment and lead to canceled projects, degraded employee productivity, or an all-out prohibition of the app. At a minimum, consider code obfuscation, tamper prevention, and debugger prevention to satisfy this requirement.
Safeguard Mobile Work Apps with Mobile Malware Protection
Mobile users will run your app on their own personal and unmanaged devices. This exposes your mobile app to malware threats on the user’s device. Preventing dynamic instrumentation tools like Frida and rooting frameworks like Magisk has a dual purpose for your app for work: it protects the data and your users, and it also satisfies the most stringent pen test demanded by the top enterprises.
Ensure the App for Work Will Not Become a Trojan
Remember EventBot? The EventBot malware masqueraded as legitimate workplace apps (Microsoft Word and Adobe), and once it was on a device, its authors had a field day with mobile banking apps during the height of the pandemic. I list this separately from malware because trojans, by their very definition, are typically hidden and buried inside other apps, lying dormant until they make their way onto the devices of unsuspecting users who were tricked into downloading malware or a fake app. Once on the device, the malicious code is invoked and proceeds to do what it was programmed to do. You can read our malware series if you’re interested in learning more. To address this requirement, consider protections like runtime bundle validation, binary-patching prevention, and stringent validation of app store signatures to help thwart trojanization of mobile apps. And if trojans and malware do find their way onto the mobile device, you can protect your apps using features like overlay attack prevention, key-injection blocking, and accessibility-abuse prevention.
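Added example, not code from this post or from Appdome, tying together the debugger, rooting and trojanization checks in the last three sections: a hypothetical Kotlin helper that reports an attached debugger or debuggable build, common root indicators, and an APK signing certificate that does not match the expected release certificate (the signature API used is Android 9 / API 28 and later). The expected-signer hash and the `su` path list are placeholders and assumptions.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import java.io.File
import java.security.MessageDigest

// Hypothetical startup self-checks. Each check returns a finding, or null if
// nothing suspicious was observed; the caller decides how to react (refuse to
// sync enterprise data, require re-authentication, report to the backend).
object IntegrityChecks {
    // Placeholder: replace with the SHA-256 hex digest of your own release
    // signing certificate (what `apksigner verify --print-certs` prints).
    private const val EXPECTED_SIGNER_SHA256 = "<RELEASE_SIGNER_SHA256_HEX>"

    // Assumed set of well-known su locations; extend for your fleet.
    private val suPaths = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")

    fun debuggerAttached(ctx: Context): String? {
        val debuggable = (ctx.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        return when {
            Debug.isDebuggerConnected() -> "debugger attached"
            debuggable -> "running a debuggable build"
            else -> null
        }
    }

    fun rootIndicators(): String? {
        if (Build.TAGS?.contains("test-keys") == true) return "test-keys build"
        return suPaths.firstOrNull { File(it).exists() }?.let { "su binary at $it" }
    }

    // A repackaged (trojanized) build must be re-signed with a different key,
    // so its signer digest will not match the release certificate.
    fun signerMismatch(ctx: Context): String? {
        val info = ctx.packageManager.getPackageInfo(
            ctx.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        val signers = info.signingInfo?.apkContentsSigners ?: return "no signing info"
        val digests = signers.map { sig ->
            MessageDigest.getInstance("SHA-256").digest(sig.toByteArray())
                .joinToString("") { "%02x".format(it) }
        }
        return if (EXPECTED_SIGNER_SHA256 in digests) null
               else "unexpected signer(s): $digests"
    }

    fun run(ctx: Context): List<String> =
        listOfNotNull(debuggerAttached(ctx), rootIndicators(), signerMismatch(ctx))
}
```

These checks are cheap and easy to bypass in isolation; commercial hardening layers the same ideas with obfuscation and anti-tamper so that removing one check does not disable the rest.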
Add UEM/MAM for Large Enterprise Customers
And finally, if you’re an app developer who builds apps aimed at enterprise customers, chances are you’ll eventually need to ensure compatibility with UEM/MAM systems like Microsoft Intune, VMware Workspace One, BlackBerry Dynamics, etc. You can use Appdome to make any iOS or Android app compatible with any leading UEM solution without any coding.
If you’re a developer who builds mobile applications for work, or an IT or security professional looking to protect this class of apps, a robust in-app mobile security model is table stakes. You don’t need to reinvent the wheel, but you do need to take steps to protect business data, employee PII, and in some cases work-health data inside your app. The risks to mobile work are varied and complex. I hope you found this blog a helpful starting point for protecting your workforce, users and data in your mobile app.
If you would like to see Appdome in action and you’ve got 15 minutes to spare, use the button below to request a live Appdome demo. I’d be happy to demonstrate how you can use Appdome to instantly build security and anti-fraud features into any mobile app in minutes.