David Papp Blog

How to Mitigate Business Risk from Mobile Apps

For any IT department, mobile apps can be a total nightmare. There are millions out there and more are being made every day. Unfortunately, many of those apps were never developed with security in mind.

While your IT department may not be working in this area, many IT organizations have tried to counter potential threats from mobile apps through various techniques over the years. Each has had its own rate of success, but through their efforts we’ve learned some methods that help mitigate the risk.

First, Block Specific Apps

One analysis from Appthority reveals two blacklists drawn from its enterprise customers. I’ll get into what blacklists are in a bit, but the short version is that the apps listed below present a risk to your security for various reasons.

For Android, they put together a top 10 list that goes as follows:

  • Poot-debug(W100).apk
  • AndroidSystemTheme
  • Where’s My Droid
  • Weather
  • Wild Crocodile
  • Star War
  • ggzzversion
  • Device Alive
  • Boyfriend Tracker
  • Chicken Puzzle

In its analysis, Appthority used a risk scale of 1 to 10, with 1 being the lowest risk. The first eight apps in the list above scored a 9, mainly because they contain malware. The last two scored a 6 due to data handling issues or privacy concerns.

On iOS, the apps blacklisted most often were:

  • WhatsApp Messenger
  • Pokémon GO
  • WinZip Utilities
  • CamScanner Productivity
  • Plex
  • WeChat
  • Facebook Messenger
  • eBay Kleinanzeigen
  • Netease News
  • Device Alive

The seven riskiest apps in that list scored a 7, which means they were sending text messages or sensitive data without any sort of encryption; if someone got access to those apps’ databases, they could get a lot of information. The other three, Pokémon GO, Plex, and Device Alive, scored a 6. They earned that score through unauthorized access to address books and cameras and by tracking a user’s location.

If you have any of these apps, take Appthority’s advice: blacklist them and remove them from your devices. That said, there are a few things to keep in mind, as well as other options to consider.

Blacklisting May Not Fully Work

The apps I’ve listed are the most commonly blacklisted, but Appthority’s full list runs to 100 apps, and some of them are even riskier than the ones I’ve mentioned.

So why target only the apps I’ve listed? Why not go through the full list and blacklist all the others too?

Well, that line of thinking is exactly why blacklisting is an option but not the best one out there. Georgia Weidman, CEO of Shevirah, said that “Blacklisting apps has never had much success in stopping breaches in the PC world.”

She went on to say:

“If you blacklist an app, a million more with those same issues will take their place. Taking a set of apps and blacklisting them isn’t going to solve any particular problem.”

What’s more, one enterprise’s risky app is another’s anointed app. Look at WhatsApp, which is on the list of risky apps, yet many organizations adopted it at launch and still use it heavily to communicate.

In short, it’s impossible to examine every single app and give a definitive yes or no on whether it has risky behaviour or is simply the result of sloppy developer work.

So what are some better alternatives for addressing this issue?

Start With Permissions

Blocking apps will certainly help with your own immediate problem, but moving forward it’s best to look at permissions. Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, stated:

“Users should avoid installing apps that require too many dangerous permissions. The more permissions an application has, the more risk it presents in the case that it’s hacked.”

I know this means reading terms and agreements, but that’s what you need to do if you want to be prudent about your security. Beyond that, being aware of what an app does gives you an idea of what sort of permissions it actually needs. Take the case of Pokémon GO: if you’ve ever used the app, it makes sense that it needs your location as well as your camera.
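Here is an added example (not from the original post) of the review just described: parse an Android manifest, pull out the permissions that Android classes as dangerous, and compare them against the set the app’s purpose justifies. The manifest, the package name and the `expected` sets are constructed assumptions; the `DANGEROUS` set is a subset of Android’s real runtime-prompt permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's "dangerous" protection-level permissions (the ones that prompt at runtime).
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
}

# Constructed manifest for a hypothetical puzzle game that asks for far more than a game needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> value from the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def review(manifest_xml: str, expected: set) -> dict:
    """Split the request into dangerous-and-justified, dangerous-and-unexpected, and normal.

    `expected` holds the dangerous permissions the app's stated purpose justifies (location
    and camera for an AR game, say); anything dangerous outside it needs an explanation.
    """
    asked = requested_permissions(manifest_xml)
    dangerous = asked & DANGEROUS
    return {
        "justified": sorted(dangerous & expected),
        "unexpected": sorted(dangerous - expected),
        "normal": sorted(asked - DANGEROUS),
        "risk_score": len(dangerous - expected),  # crude: one point per unjustified prompt
    }

if __name__ == "__main__":
    # A puzzle game has no plausible need for contacts, SMS or precise location.
    print(review(SAMPLE_MANIFEST, expected=set()))
```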

Companies Can Incorporate Corporate Devices

One other big problem companies face is what is known as shadow IT. Basically, it’s the practice of employees downloading apps without the knowledge of the IT department. In most cases these are productivity apps, but the practice can present a lot of issues.

How so?

Well, even when employees download and use an app in good faith, they forget to tell the IT department about it. What’s worse, the bring-your-own-device culture means an employee often has one device for both personal and business use.

In this environment, people can inadvertently broaden the attack surface of the organization, and of their own lives, especially when you consider the other elements mentioned above.

One way to mitigate that is to have separate devices for personal and business use. Yes, it’s cumbersome, but it could save you a lot of headaches when you consider the other factors.

Consider Whitelisting Apps

One of those factors is having the IT department whitelist particular apps. If you store credentials or emails in third-party devices or apps, you’re at risk: if that app or software gets hacked, the attackers get access to that information and then some.

One way to work around all this is to look at the various email and communication apps in use and evaluate which are the most common. From there, you whitelist the secure ones and configure your servers to decline authentication attempts from any app that’s not on that list.

If you’re using external programs, whitelisting ought to extend to other mobile apps as well. You need particular rules for using personal devices for business.
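As an added illustration (not code from the original post) of declining authentication from apps outside the whitelist, the gate below is default-deny: it runs over constructed authentication log lines, refuses clients that are not on the list or that are below the version IT vetted, and treats unparseable attempts as denials. The client names, version floors and log format are all assumptions.

```python
import re
from dataclasses import dataclass

# Approved mail/chat clients and the minimum version IT has vetted (assumed values).
ALLOWLIST = {"corp-mail-ios": (4, 2), "corp-mail-android": (4, 0), "corp-chat": (2, 7)}

# Constructed log format: "<ts> user=<u> client=<app>/<major>.<minor>"
LOG_RE = re.compile(r"user=(?P<user>\S+) client=(?P<app>[\w-]+)/(?P<major>\d+)\.(?P<minor>\d+)")

@dataclass
class Decision:
    user: str
    app: str
    allowed: bool
    reason: str

def gate(user: str, app: str, version: tuple) -> Decision:
    """Default deny: unknown clients and clients below the vetted version floor are refused."""
    floor = ALLOWLIST.get(app)
    if floor is None:
        return Decision(user, app, False, "client not on allowlist")
    if version < floor:
        return Decision(user, app, False, f"version {version} below vetted {floor}")
    return Decision(user, app, True, "ok")

def process_log(lines):
    """Gate each logged auth attempt; a line that does not parse is denied, not ignored."""
    decisions = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            decisions.append(Decision("?", "?", False, "unparseable attempt"))
            continue
        decisions.append(gate(m["user"], m["app"], (int(m["major"]), int(m["minor"]))))
    return decisions

# Constructed sample: one vetted client, one unknown client, one outdated vetted client.
SAMPLE_LOG = [
    "2024-01-01T08:00:00Z user=alice client=corp-mail-ios/4.3",
    "2024-01-01T08:00:05Z user=bob client=freemail-pro/9.1",
    "2024-01-01T08:00:09Z user=carol client=corp-chat/2.5",
]

if __name__ == "__main__":
    for d in process_log(SAMPLE_LOG):
        print(f"{d.user:6} {d.app:18} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

The denial reasons are the useful part: forwarded to your logging, they show which unapproved clients employees are actually trying to use.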

One other approach is to host the applications a user would otherwise run on their phone. The idea is that if they want access to corporate resources, they have to go through the hosted apps; you’re basically creating a remote desktop client this way.

Thwart Threats By Using SIEMs

The last method is to use a SIEM to help thwart threats. SIEM stands for security information and event management: the software collects information from many network sources and then analyzes the data to see if there are any existing or potential threats.

Not only that, but a SIEM can also generate alerts whenever it runs into suspicious activity, so you get warnings well in advance. The only gotcha is that if you want to take it to mobile, it’ll need some help. For example, you may need an API before a SIEM can even track security issues on mobile devices.

Similarly, if you have an enterprise mobility management solution, you can use it together with a SIEM to detect malicious activity from mobile apps.

There Will Always Be Mobile Threats

Much like any security system, it’s only as good as the person using it. Since we’re not perfect beings, there will be times when things fall through the cracks. The important takeaway, though, is to look at ways to mitigate the damage mobile apps can do to your business.

Play it smart, consider this advice, and you should be able to mitigate most risk that your business will face.