Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome along today, we're really getting into something critical in cybersecurity.
How we secure mobile apps and their APIs. It's a
bit of a blind spot sometimes, it really is. So
our goal here is to figure out why, you know,
even with this big push towards zero trust, mobile apps
often get left behind, and more importantly, what you can
(00:20):
actually do about it, especially when the app is up
and running exactly. We've looked at a whole bunch of
expert guides, research, technical notes, all focused on zero trust
mobile security, the frameworks involved.
Speaker 2 (00:31):
Yeah, quite a stack. Okay, so.
Speaker 1 (00:33):
Let's just jump in. Zero trust is everywhere, right, everyone's
talking about it. Why are mobile apps still this unique
and difficult piece of the puzzle.
Speaker 2 (00:42):
It's fascinating, isn't it? Because zero trust itself, that whole
never trust, always verify idea. It's booming. I mean, the
market predictions are huge, going from maybe thirty six point
five billion dollars now to nearly eighty billion dollars by
twenty twenty nine. Wow. Yeah, and you see organizations like
eighty percent of them putting more money into it. Governments
are pushing it too, like that US Executive Order 14028.
(01:03):
But, and this is a big but, consumer mobile apps are
often just, well, forgotten in the grand
zero trust strategy. It's like building this amazing secure building,
but leaving the front door unlocked, and it's.
Speaker 1 (01:17):
The busiest door. I mean, think about it. Over seventy
percent of digital interactions they're happening on mobile apps. Now,
that's how businesses connect with people primarily.
Speaker 2 (01:25):
Yeah, but these.
Speaker 1 (01:26):
Apps they run out there in the world on devices
we don't control, in environments that could be anything. They're
inherently untrusted, unlike our nice corporate.
Speaker 2 (01:35):
Network, completely uncontrolled environment.
Speaker 1 (01:37):
And the attack numbers are just staggering. There were over
thirty three million mobile cyber attacks globally last year.
Kaspersky saw something similar. It's clearly where attackers are focusing.
Speaker 2 (01:48):
It's a massive target. And look, this isn't just some
technical problem for the IT department. Yeah, it hits the
business hard. Oh so well, a breach through a mobile
app that damages customer trust instantly, then you've got regulators GDPR,
CCPA breathing down your neck and it directly hits revenue.
The average data breach cost is already what four point
(02:09):
four to five million dollars goes up to nearly six
million dollars for financial firms, and a mobile breach where
the app itself is manipulated that feels like a direct
attack on the brand right in customer's hand.
Speaker 1 (02:20):
So traditionally security was all about checks before deployment, right
scan the code, review it.
Speaker 2 (02:26):
Static analysis. Yeah, that kind of thing.
Speaker 1 (02:28):
But that's not enough anymore, is it. The game's changed.
Attackers are hitting apps while they're running, after they've.
Speaker 2 (02:33):
Been installed. Precisely, that's the shift.
Speaker 1 (02:36):
We're seeing things like silent escalation, apps that seem fine
then turn bad through updates or hidden code.
Speaker 2 (02:44):
Yep, or runtime tampering, messing with the app live
to bypass security, or grab data.
Speaker 1 (02:49):
And reverse engineering taking a real app, stuffing malware in
and repackaging it so it looks legit.
Speaker 2 (02:55):
The sources we looked at mentioned a fifty percent jump
in mobile trojans detected, and attackers using techniques like dynamic
code loading, basically injecting bad code while the app runs,
specifically to get around those older static checks. Think of
it like airport security. You show your passport at the
check in desk, right right. But that's not the end
of it.
Speaker 1 (03:13):
No, You've got security checks, gate checks, monitoring in the
terminal exactly.
Speaker 2 (03:17):
You need that continuous surveillance throughout the whole journey. Just
passing the first check isn't enough. And for mobile apps
that journey is happening at runtime. That's the real boundary. Now,
that's where you need the constant checks.
Speaker 1 (03:30):
Okay, so runtime is the new trust boundary. That's a
big statement. What does that actually mean for applying zero trust?
Do we throw out the existing frameworks or can we
adapt them?
Speaker 2 (03:42):
Good question. It's definitely about adaptation. Those established frameworks, they're
still incredibly valuable. We just need to apply them specifically
to the mobile runtime context.
Speaker 1 (03:52):
Okay, like which ones?
Speaker 2 (03:53):
Well, take NIST SP 800-207. That's
sort of the foundational zero trust guide for mobile. Its principle
of continuous verification is key. It forces you to keep
checking device health, app integrity, user context, not just once,
but constantly, right within the app's operation.
Speaker 1 (04:09):
And what about this, CISA's Zero Trust Maturity Model?
Speaker 2 (04:12):
That's quite broad, it is, but its pillars, like Devices, Applications,
Data, map directly for mobile. It guides you on assessing
device posture, is it rooted, is it running on an
emulator, and, importantly, detecting that runtime tampering we talked
about, making sure the app is still the app it's
supposed to be.
Speaker 1 (04:31):
Makes sense.
Speaker 2 (04:32):
Then there's OWASP MASVS, the Mobile App Security Verification Standard. This
one is mobile specific. It covers design and runtime,
and it even has a zero trust overlay now, which
is super helpful. It maps its categories, like V1
to V8, directly to zero trust ideas. V8
is all about runtime protection, things like detecting tampering,
(04:52):
debugging, reverse engineering tools.
Speaker 1 (04:54):
And I saw mention of the MITRE ATT&CK Mobile
Matrix too. How does that fit in?
Speaker 2 (04:59):
That's more about understanding the enemy. It catalogs the actual
tactics attackers use against mobile so you can use it
to build the fences that counter specific, real world threats,
not just theoretical ones, aligning your monitoring to known attack patterns.
So really, these frameworks provide the strategic blueprints. They help
you turn your mobile app from just a piece of
(05:19):
software into something that can actually defend itself a verifiable asset.
Speaker 1 (05:23):
Okay, blueprints are great, but let's talk building materials. How
do we actually operationalize this, embed zero trust right into
the mobile app layer? Right.
Speaker 2 (05:30):
Shifting the security decisions into the app.
Speaker 1 (05:32):
Yeah, So first step seems to be having a single
integrated framework, defining clear security policies for how the app interacts,
how it protects data.
Speaker 2 (05:41):
Consistency is key.
Speaker 1 (05:42):
Then never trust, always verify: strong authentication, MFA. Yes, but
crucially that runtime app and device attestation, continuously proving the
app and its environment are trustworthy.
Speaker 2 (05:56):
Absolutely vital and ditching the idea of a perimeter. Every
mobile device is potentially hostile territory. Apply the same security
rules everywhere.
Speaker 1 (06:03):
Which leads to continuous runtime monitoring. You mentioned RASP. That's
Runtime Application Self-Protection, pronounced RASP. Tell me more about.
Speaker 2 (06:11):
That, Yeah, RASP. Think of it like an immune system
built inside the app. It's constantly watching for threats, malicious scripts,
debugging tools, code injection, attempts to modify the app, and
it can react in real time: block the threat, alert
the back end, maybe even shut the app down safely.
It stops attacks as they happen on the device, protecting
(06:32):
your APIs from abuse.
Speaker 1 (06:33):
So it's actively fighting back exactly.
Speaker 2 (06:35):
And finally, you have to assume breach. Have your incident
response plan ready for mobile? How do you quickly update policies.
How do you isolate a compromised app or device? How
do you rotate keys if needed?
Speaker 1 (06:46):
Right, plan for the worst.
Speaker 2 (06:48):
Putting all this into practice, the benefits are clear. You
reduce breach risk significantly. Compliance becomes easier, PSD2, GDPR,
HIPAA, because security is baked in.
Speaker 1 (06:59):
Speeds up development too. Eventually, they can.
Speaker 2 (07:01):
Yeah, by making security part of the process, not a
bolt on afterthought, and the biggest win user trust A
secure app experience is non negotiable today.
Speaker 1 (07:10):
Okay, this brings up something I found really interesting in
the materials, this idea of how you do that runtime
attestation. There seem to be different philosophies, particularly cloud
based versus device centric trust. Can you elaborate?
Speaker 2 (07:23):
That's a really critical point. Actually, different vendors approach it differently.
For example, Promon, their model focuses heavily on protecting
the app itself and making trust decisions inside that protected
app environment on the device, using their attestation and asset protection.
Speaker 1 (07:38):
Okay, so the trust decision happens locally on the device,
within the fortified app.
Speaker 2 (07:42):
Essentially, yes. Now, contrast that with Approov's approach. Their strategy
is explicitly about moving decision making to the cloud.
Speaker 1 (07:50):
How does that work?
Speaker 2 (07:51):
Their SDK goes in your app, but it doesn't store
secrets or make the final trust decision there. Instead, for
every single API call the app wants to make, it
first gets a short lived, unique token from the Approov
cloud service, and it only gets that token if the
Approov cloud verifies remotely that the app is genuine, hasn't
(08:14):
been tampered with, and is running in a safe environment.
The secrets, the API keys, are delivered dynamically from
the cloud to the app just in time, and never
stored long term on the client.
Speaker 1 (08:25):
Side, so the verification is external, continuous and secrets aren't sitting.
Speaker 2 (08:29):
On the device precisely. So the question becomes which model
aligns better with that core zero trust principle of never trust,
always verify, especially when the device itself is inherently untrusted.
The sources suggest that the cloud based model like Approov's,
by centralizing that trust decision off the device and not
relying on the potentially compromised endpoint to vouch for itself,
(08:52):
actually fits more rigorously with the zero trust philosophy. It
minimizes trust in the endpoint itself.
Speaker 1 (08:57):
That makes sense, okay, So implementing all the zero trust stuff,
especially for mobile. It's not a quick fix, is it. It
sounds like a major project.
Speaker 2 (09:04):
Oh, absolutely, it's a journey. We're talking years, typically three
to five years for a mature implementation. It needs dedicated
teams and needs serious buy-in from the top.
Speaker 1 (09:12):
So how does that journey typically unfold? Are there phases? Yeah?
Speaker 2 (09:15):
You can break it down, often aligning with models like CISA's.
Phase one, maybe the first six months, is about getting
the basics right. Know your assets, all of them, including
apps and APIs. Get strong phishing resistant MFA in place,
maybe FIDO2 keys, start replacing VPNs with ZTNA,
control privileged.
Speaker 1 (09:32):
Access foundational stuff exactly.
Speaker 2 (09:34):
Phase two, say months six to eighteen, you layer on
more specific zero trust controls, micro segmentation, continuously monitoring device health,
is it jailbroken, got malware? Securing apps and workloads with
things like identity aware proxies.
Speaker 1 (09:49):
Maybe away getting more granular right.
Speaker 2 (09:51):
Phase three, months eighteen to thirty six, brings in the
advanced stuff, using machine learning for behavior analytics, spotting weird
app activity, automating threat responses, using the data you're collecting
to refine policies. And Phase four. Phase four is ongoing.
It's continuous improvement, keep threat intelligence updated, adjust risk scores
based on new data. Track your metrics: how fast can
you detect a threat, and how fast can you respond?
(10:13):
And TTR, always getting better.
Speaker 1 (10:15):
Along that long road, what are the common pitfalls? What
mistakes do organizations make? Well?
Speaker 2 (10:21):
Technically, relying only on network security is a big one
for mobile. Not monitoring enough is another, making security so
annoying that users just find ways around it. Forgetting about
legacy systems the mobile app might talk to, and organizationally,
lack of executive support is a killer. Not training users, they
need to understand the why, trying to boil the ocean,
(10:43):
rushing the implementation and getting locked into one vendor's ecosystem
too early without flexibility.
Speaker 1 (10:50):
You mentioned legacy systems. They often connect to mobile apps, right,
how do you handle those in a zero trust world?
They weren't built for it.
Speaker 2 (10:56):
Yeah, that's a tough one. They often have weak spots,
poor authentication, hard coded network dependencies, no encryption, bad logging.
Speaker 1 (11:04):
So what can you do?
Speaker 2 (11:06):
You often have to use compensating controls, maybe security proxies
or wrappers to act as a modern front end, isolate
them on the network as much as possible, use gateways
for protocol translation, beef up network monitoring around them since
you can't get good telemetry from them, limit their interaction
with the mobile tier.
Speaker 1 (11:22):
Okay, So wrapping things up, what's the core takeaway for
everyone listening, the developers, the security folks, the tech leaders.
Speaker 2 (11:31):
I think the main message is that zero trust can't
stop at the network edge or the user log in.
It absolutely has to extend all the way down into
the mobile app itself, right down to the runtime.
Speaker 1 (11:42):
Environment, because that's where the business happens, where the customer interaction.
Speaker 2 (11:45):
Is Precisely, it demands that continuous verification, dynamic policy enforcement,
and really a strategic mindset shift. It's about turning those
potentially vulnerable mobile apps into assets you can actually trust
because they can defend themselves.
Speaker 1 (12:00):
Maybe the final thought for you to consider is this,
mobile threats are evolving incredibly fast, and our reliance on
apps is only growing. What if truly embracing zero trust
for your entire mobile ecosystem wasn't just about defense. What
if it could actually drive your business forward, building deeper trust,
ensuring compliance, maybe even enabling new kinds of innovation. Something
(12:21):
to think about.