Apple has confirmed that 17 applications have been removed from the App Store after they were found to be secretly committing fraud behind users’ backs to quietly collect advertising revenue from their smartphones.
Apple has confirmed that 17 applications have been removed from the App Store after they were found to be secretly committing fraud behind users’ backs to quietly collect advertising revenue from their smartphones.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
There is a big issue for most organisations who allow employees to download whatever apps they want. For those on corporate devices, there is an option to route web traffic through the corporate gateways or to have other MDM (Mobile Device Management) solutions to limit the downloads to authorised apps only. However, many organisations don’t do this – or they enable personal devices used to access corporate data, e.g. email, and there is then little or no control.
Good security requires multiple layers – and it’s not just about technology. There is an education and awareness which needs to be given to all employees as to the risks and consequences of various types of behaviour and this includes downloading applications. Employees must know to be wary of, when an application has been downloaded, granting it access to things like ‘contacts’ which will contain corporate contacts. After education, there needs to be appropriate policies and processes in place, and standard policies, such as ‘acceptable use’, need to include downloading of apps onto devices which have access to corporate data – covering both corporate owned as well as personal devices. Finally there is technology, this is there to be able to enforce policies and keep people safe. If it doesn’t block the downloading of unauthorised apps, there should at least be the ability to audit what is on the device so there is a risk profile, and if one is deemed to be malicious it can be deleted, either manually or automatically (whichever is more preferable).
Unfortunately, there is an increasing need to understand that a legitimate app may no longer be ‘good’. Code signing and even submissions to app stores have been shown to be compromised. This makes it tough to draw the line between good and bad. Furthermore, a ‘good’ app might be found to have a vulnerability which then makes it a ‘bad’ one. As per applications on laptops etc., there is a need to be able to update the apps in a timely manner should this be the case.
Analysis with further analysis is needed by app stores to ensure their apps are not malware. But this still may not be enough. Sophisticated cyber-criminals are developing more and more ways to utilise the app store as a threat vector and work around protective measures that are in place. Constant vigilance as to how apps are being developed to compromise the end user, whether it is through fraud or information theft is required with retrospective analysis on all apps when a new vector is discovered. This will be both time consuming and costly, but will be essential if trust is not to be lost – and law suits are not to increase.