The increasing use of mobile devices in the workplace brings significantly heightened risk of loss of personal data, loss of company and customer data, and disruption of an organization’s ability to function. But while many IT security professionals are largely focused on combating malware, there’s good evidence that the greater threat to organizations comes from another source altogether – leaky apps.
We recently examined 100 popular apps in a variety of categories, testing them for man-in-the-middle and SSL attack vulnerabilities, for whether they store passwords and other sensitive data in their memory, and for other common security concerns. Our study found that 60% of the apps surveyed received a “High” risk rating in one or more categories. These apps are not traditionally considered dangerous or risky; even their creators were unaware of the vulnerabilities built in to their apps.
Apps are a booming business, and in the rush to compete with other app developers, security testing often takes a backseat to speed-to-market. With consumers largely unaware of the security issues any app might present – and without a watchdog body to help make them more aware – app developers are under no real pressure to make sure their products are secure before release.
The danger is that one unsecured app on a single user’s phone can act as a gateway to data breaches that could expose your company’s financial information and other sensitive materials. In traditional workplace environments, you can prevent employees from installing software without permission – for example, on company-owned laptops and PCs. But in a BYOD environment, IT professionals often have little control over what apps employees install on their personal devices — devices they also use for work, even if just to check email on the weekends. It’s key to remember that whatever information your company’s employees can access from their tablet or smart phone is also potentially accessible to attackers. Ignoring the dangers leaky apps represent means exposing your company to loss of data, loss of customer trust, and ultimately loss of revenue.
The good news is that there are steps you can take to protect your business by proactively assuming a defensive posture. This means building security from the ground up by transforming your employees from potential security risks into your first line of defense — educating them on how to transform a bring-your-own-device environment into a bring-your-own-security workplace.
But the real key is visibility. Mobile devices and apps should be proactively monitored to make sure they are updated with the latest operating systems and versions. You need to know how sensitive information is being stored and accessed, and where it is being sent. You need to be able look for patterns of behavior and anomalies that may indicate suspicious activity.
Allowing employees to utilize mobile devices in the workplace can provide greater flexibility, increased productivity and better employee morale. But IT professionals need to know the threats associated with leaky apps and take proactive steps to mitigate those risks.
Andrew Hoog, CEO and Co-Founder, viaForensics
Bio: Andrew Hoog is a computer scientist, mobile security researcher and co-founder of viaForensics, a mobile security company. Hoog has two patents pending and is the author of two books on mobile forensics and security. When not breaking (or fixing) things, he enjoys great wine, science fiction, running and tinkering with geeky gadgets.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.