This post first appeared on Risk Management Magazine.
For enterprise security teams, mobile has quickly become a top trouble spot. Employees use mobile apps every day to do their work and interact with enterprise data. But many of those apps also provide access for hackers.
How widespread is the threat? Just look at the statistics: A remarkable 87% of companies now expect their employees to use personal devices to do their work, which is largely accomplished through apps. Appthority estimates that almost 80% of apps collect personally identifiable information (PII) and store and transmit data insecurely. As a result, it is not surprising that 94% of IT professionals expect mobile security attacks to become more frequent, while 79% report increased difficulty in securing devices.
The problem is the behavior of the apps themselves. The typical app collects a large amount of data that is not necessary for its function, such as specifics about a user’s physical location or all the contacts stored on a device, including names and titles of employees. Even worse, these apps often offload this data to the cloud. This is dangerous because any information collected by an app—personal information, calendar data, credentials, whatever—can reveal intimate details about the businesses where users work.
For example, a company executive may have access to a wide range of monetizable corporate data, such as employee or customer credit card numbers, personal health information, intellectual property or detailed company financials. By compromising this user’s mobile device, a bad actor can gain access to the company’s most sensitive data and systems. Or that bad actor could go after the CEO’s calendar and location tracking data and discover that the week the CEO was supposed to be attending an industry conference in Cleveland, he was actually in a rehab facility in California. Making information like this public could dramatically impact the stock price of that company.
Such vulnerabilities call for a security solution that can protect mobile data. But the challenge of defending data on devices is immense. Malicious apps are certainly a threat, but they are only part of the problem. Most everyday apps are designed for simplicity and ease of use, not security. The majority of legitimate apps are not built with enterprise security in mind, and the result is vulnerabilities that can be and are exploited.
What’s more, the free app model discourages developers from spending time on features like privacy and security. Most do not even write the code for their own apps, relying instead on an ecosystem of software development kits and third-party software libraries. As a result, they may not fully understand what data is being collected and where it is going. Even legitimate apps beloved by corporate users collect a great deal of information and fail to protect it properly.
Consider, for example, the Eavesdropper vulnerability that has impacted almost 700 apps in enterprise environments—apps that have been downloaded hundreds of millions of times. The vulnerability was caused by developers hard-coding their credentials into the mobile apps they built using the Twilio REST application programming interface (API) or software development kit (SDK). Attackers can easily extract the credentials from the source code of those apps and gain access to conversations and SMS messages sent by the app via Twilio, a cloud platform that enables third-party apps to make and receive phone calls and SMS messages.
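As an added illustration (not code from the original article or from Twilio), the following scanner flags the Eavesdropper pattern, a Twilio Account SID and auth token compiled into app source, and shows the backend-side loader that replaces it. The Java fragment and credential values are constructed placeholders; the "AC" plus 32-hex-character SID format is Twilio's documented shape, and the environment variable names are assumptions.

```python
import os
import re

# Constructed sample (not real app code): a Java fragment in the shape that
# produced Eavesdropper, with Twilio credentials compiled into the shipped app.
# The values are made-up placeholders in the documented formats.
SAMPLE_SOURCE = """\
public class SmsClient {
    // Twilio credentials baked into the shipped APK
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN = "fedcba9876543210fedcba9876543210";
    private static final String FROM_NUMBER = "+15550000000";
}
"""

# Twilio Account SIDs are 'AC' followed by 32 hex characters. Auth tokens are
# 32 bare hex characters, so they are only flagged when bound to a token-like name.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
TOKEN_RE = re.compile(r"(?i)auth[_-]?token\w*\s*=\s*[\"']([0-9a-f]{32})[\"']")

def redact(secret):
    """Keep only enough of the value to locate it in a report, never the whole secret."""
    return secret[:4] + "..." + secret[-4:]

def find_hardcoded_twilio_credentials(source):
    """Return (line_number, kind, redacted_value) for each credential found in app source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in SID_RE.finditer(line):
            findings.append((line_no, "account_sid", redact(match.group(0))))
        for match in TOKEN_RE.finditer(line):
            findings.append((line_no, "auth_token", redact(match.group(1))))
    return findings

def load_twilio_credentials(env=os.environ):
    """Server-side replacement: the backend reads credentials from its own environment
    (assumed variable names) and proxies messaging, so nothing extractable ships to the device."""
    sid, token = env.get("TWILIO_ACCOUNT_SID"), env.get("TWILIO_AUTH_TOKEN")
    if not sid or not token:
        raise RuntimeError("Twilio credentials missing from backend environment")
    if not SID_RE.fullmatch(sid):
        raise RuntimeError("TWILIO_ACCOUNT_SID is not in the expected AC... format")
    return sid, token

if __name__ == "__main__":
    for line_no, kind, value in find_hardcoded_twilio_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: hard-coded Twilio {kind} ({value})")
```

Run as a pre-commit or CI check over app source; a finding means the credential must be revoked and rotated, not merely moved, because every shipped build already contains it.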
In addition to flaws like Eavesdropper, there is the problem of app stores. Apple and Google do a good job of protecting users against overt malware, but they cannot and do not try to achieve enterprise-grade mobile security for two important reasons. First, enterprise-grade security is too strict for most consumers. Second, enterprises have security, privacy, data usage, and often compliance and regulation policies that are unique to each enterprise. As a result, there simply are no common, enterprise-grade security and privacy requirements that can be applied to all public mobile apps.
This all boils down to a massive blind spot around mobile apps. The bad guys understand this and are targeting apps because apps present a path of low resistance. How severe is the problem? Anecdotally, at one professional services firm, 3% of the apps in their environment were flagged as high-risk for data leakage. At a large government customer, investigators found at least 40 malware apps and more than 800 apps with a connection to servers in high-risk countries like China and Russia. At a major financial services firm, 2,500 apps were sending PII to remote servers, including location, address book, calendar and device ID information.
How can you reduce mobile vulnerabilities? The first step is to create a company-wide policy for managing mobile use. You need to compile an app inventory for devices running in the workplace, then come up with a policy that governs what data employees can access and what they do with it. Can they send mobile data abroad? Can they use apps that store data in the cloud? Creating and enforcing a mobile-focused policy are critical.
Next, you should educate employees about the risks of the apps they download. Users have a direct impact on the overall security posture of your organization because they are the ones deciding which apps to install and why. It is in your best interest to empower users by arming them with the tools and training to make better decisions about the apps they download. One tool, for instance, allows employees to investigate apps before they install them to make sure they are secure and will not put data at risk.
In essence, you can help employees be safer and more productive by making them part of the solution. Some organizations have even opted to share this kind of risk-assessment data through all business units and reward those teams with the best mobile hygiene. The idea is to motivate all business units to crack down on risky apps and change behavior for the better.
The mobile threat is only going to increase. The more connected our apps are to our lives and work, the more data they collect and the more effective they are as an attack vector. It is therefore imperative to include mobile defense as part of your overall security strategy to protect your employees—and your company—from this growing danger.