Flexera Software report reveals that popular shopping apps, including Amazon, Disney Store and eBay can access iOS devices’ contacts, calendar, location and social networking apps
Flexera Software, the leading provider of next-generation software licensing, compliance, security and installation solutions for application producers and enterprises, released a new enterprise Application Readiness report detailing potential risks to enterprises whose employees use popular Apple iOS apps (downloadable from the public App Store) to conduct holiday shopping on company-issued or “Bring Your Own Device” (BYOD) phones.
The report found, among other things, that of the 26 popular Apple iOS shopping apps tested:
- 92 percent – all except for Banana Republic and Trunk Club – are capable of accessing an Apple iOS device’s GPS location tracking service.
- 69 percent, including Amazon, Disney Store, eBay, Groupon, Macy’s, Nordstrom, REI, Shutterfly, Starbucks and Target, are capable of accessing an Apple iOS device’s social media apps.
- 65 percent, including Amazon, Best Buy, Disney Store, eBay, Macy’s, REI, Starbucks, Target and Walmart are able to gain access to an iOS device’s address book.
- 58 percent, including Amazon, eBay, Etsy, Groupon, Macy’s, Nordstrom, Shutterfly and Walmart are able to gain access to the iOS device’s SMS messaging features.
The ability of employee-downloaded apps to access sensitive corporate data and device functions could present a potential risk to enterprises and violate their BYOD policies. Examples of these risks are playing out in the headlines, including a popular flashlight app that transmitted user locations and device identifiers to ad networks, and a mobile device game app that, unbeknownst to a Federal employee playing it, tweeted out an embarrassing message to the EPA’s 52,000 Twitter followers (the organisation’s Twitter account, not the employee’s, was tied to the device).
To compile the report, Flexera Software identified 26 popular shopping apps, representing a small sampling of the thousands of shopping apps that can be found in the Apple App Store and that could easily be downloaded by employees to a corporate-issued or BYOD device. These apps were tested using AdminStudio Mobile, an Application Readiness solution that helps organisations identify, manage, track and report on mobile apps, simplify mobile application management, reduce mobile app risk and address the rapidly growing demand for mobile apps in the enterprise.
“Most organisations have standardised Application Readiness processes to test enterprise apps for potential deployment problems and risks, but when it comes to understanding and testing mobile apps, we’re still in ‘the wild west.’ IT Operations teams largely do not understand what mobile apps do and what functionality and data they can access – and this makes it extremely difficult to create and enforce effective BYOD policies,” said Maureen Polte, Vice President of Product Management at Flexera Software. “If employees are using corporate or BYOD devices for holiday shopping, it’s critical that IT Operations and security professionals understand which apps employees are using, what features, functions and data those apps can access – and whether that use is in compliance with the organisation’s BYOD policy.”
About Flexera Software
Flexera Software helps application producers and enterprises increase application usage and security, enhancing the value they derive from their software. Our software licensing, compliance, cybersecurity and installation solutions are essential to ensure continuous licensing compliance, optimised software investments, and to future-proof businesses against the risks and costs of constantly changing technology. A marketplace leader for more than 25 years, 80,000+ customers turn to Flexera Software as a trusted and neutral source of knowledge and expertise, and for the automation and intelligence designed into our products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.