Is Your iPhone a Threat to the Corporate Network?

February 19, 2014


By Susan J. Campbell, TMCnet Contributing Editor


We often view our Apple products as the answer to the constant barrage of viruses and malicious attacks. Apple isn't immune, but it at least faces a smaller number of threats. We assume the same for our iPhones, and that connecting them to a backend server is a safe activity. According to a recent MobileIron blog, this may not be the case.


The mobile device management provider recently responded to a statement from Nordic APIs which suggested that the API between an iPhone application and its backend has no way of being private. The statement suggests that anyone running an iPhone app that connects to the backend server can reverse engineer that connection. As such, a private API on an iPhone app is just a fantasy.

On the flip side, it is very easy, according to Nordic APIs, to see the network traffic passing between the server and the mobile app. This is intentional, as third-party developers need to see how the app's API works. As a result, all seemingly private APIs for a mobile application are really just thinly veiled public APIs. The company also argues that SSL will do nothing in this situation.

Then again, if the API is handling extremely sensitive data, the worst place for it is in a mobile application.

Fortunately, the vulnerabilities in these APIs do not mean that the enterprise is at risk anytime an employee is using an iPhone. There are ways to prevent the reverse-engineering of the network protocols. The key is in web services APIs, according to MobileIron. When designed correctly, they will authenticate their consumers to ensure trusted entities and legitimate requests. This authentication needs to happen in such a way that it cannot be sniffed by the user.

If SSL isn't sufficient, client-side SSL can fit the need. In traditional SSL, the client authenticates the server through a protocol handshake. During this step, the server presents the client with a certificate that describes its identity. The client then determines whether or not to trust the certificate. This step is meant to give the user confidence that the server is the party it claims to be, so that they can be comfortable sending confidential personal information to the company.

If the server wants to ensure it’s sending confidential information to a trusted entity, this is where client-side SSL is vital. The same functionality in the handshake is applied; it just goes the opposite direction. Once connected, the server can demand a certificate that validates the identity of the client. If both sides trust each other, they share information.

To ensure unique identity certificates are issued with each instance of the app, you need a robust mobile device management solution that supports a secure mobile application platform. This ensures that the server can identify the client to determine trust. With MobileIron's AppConnect technology, the IT department can generate and distribute certificates to each app sandbox directly. This approach not only protects the server, but also ensures that users get the full benefit of going mobile.
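The mutual handshake described above, in working form: an added example that is not part of the original article and is not MobileIron's or Nordic APIs' code. It assumes a small in-process setup in Go's standard library, with a constructed "Enterprise CA" standing in for the certificates an MDM platform would distribute to each app instance. The server is configured with `tls.RequireAndVerifyClientCert`, so the backend itself rejects a client that presents no certificate or one not issued by that CA, while an app instance holding a CA-issued certificate is admitted and greeted by its certificate's subject name. The certificate names, serials and the `app-instance-42` identity are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certTemplate builds a short-lived X.509 template. The CA carries no EKU list so it
// may issue both server and client certificates; leaves get exactly one EKU.
func certTemplate(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issueCert generates a P-256 key and signs template with parent/parentKey.
// A nil parent yields a self-signed certificate (the CA, and the rogue client).
func issueCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

type result struct {
	Label    string
	Accepted bool
	Detail   string // server greeting on success, handshake error otherwise
}

// runMutualTLS stands up a backend that demands a CA-issued client certificate,
// then connects as (1) a client with no certificate, (2) a client with a
// self-signed certificate the CA never issued, (3) a properly enrolled app instance.
func runMutualTLS() ([]result, error) {
	caCert, caKey, err := issueCert(certTemplate("Enterprise CA (constructed)", 1, true, nil), nil, nil)
	if err != nil {
		return nil, err
	}
	srvCert, srvKey, err := issueCert(certTemplate("127.0.0.1", 2, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), caCert, caKey)
	if err != nil {
		return nil, err
	}
	appCert, appKey, err := issueCert(certTemplate("app-instance-42", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), caCert, caKey)
	if err != nil {
		return nil, err
	}
	rogueCert, rogueKey, err := issueCert(certTemplate("rogue-client", 4, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), nil, nil)
	if err != nil {
		return nil, err
	}

	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the server-side half of the handshake
		ClientCAs:    pool,                           // only certificates chaining to the enterprise CA pass
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				tc := c.(*tls.Conn)
				if tc.Handshake() == nil { // fails for unauthenticated or untrusted clients
					_, _ = tc.Write([]byte("hello " + tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
				}
			}(c)
		}
	}()

	dial := func(label string, certs []tls.Certificate) result {
		cfg := &tls.Config{RootCAs: pool, Certificates: certs, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil {
			return result{label, false, err.Error()}
		}
		defer conn.Close()
		buf := make([]byte, 64) // under TLS 1.3 the server's rejection surfaces on first read
		n, err := conn.Read(buf)
		if err != nil {
			return result{label, false, err.Error()}
		}
		return result{label, true, string(buf[:n])}
	}
	return []result{
		dial("no client cert", nil),
		dial("self-signed cert", []tls.Certificate{{Certificate: [][]byte{rogueCert.Raw}, PrivateKey: rogueKey}}),
		dial("CA-issued app cert", []tls.Certificate{{Certificate: [][]byte{appCert.Raw}, PrivateKey: appKey}}),
	}, nil
}

func main() {
	results, err := runMutualTLS()
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-20s accepted=%-5t %s\n", r.Label, r.Accepted, r.Detail)
	}
}
```

The point the article makes is visible in the third connection only: a sniffer on the handset can watch every byte of the exchange, but the server still admits nobody who cannot prove possession of a private key whose certificate the enterprise CA issued, which is the property a per-instance certificate from an MDM platform provides.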




Edited by Blaise McNamee