The mobile app risk

The mobile application landscape is exploding. Currently, the average smartphone user has 22 apps installed and by 2012 some estimate that 50 billion apps will be downloaded each year, according to mobile security company Lookout, citing statistics from Nielsen and Chetan Sharma Consulting. This growing landscape has many questioning the privacy and security risks of mobile apps.

“We are starting to see greater interest from malicious parties in the mobile platform and one of the biggest [threat] vectors is mobile apps,” said John Hering, CEO of Lookout.

A number of apps have been discovered to either purposely or accidentally harvest user data. Most recently, Citigroup discovered its iPhone mobile banking application, unbeknownst to users, saved confidential account information in a hidden file on their devices.

“In a world where mobile app development is exploding so quickly, even apps you think you can trust may be leaking sensitive information,” Hering said.

According to Lookout data, 14 percent of free apps for Apple's iPhone have the ability to access a user's contact data, as can eight percent of free apps for Google's Android. Additionally, 33 percent of free iPhone apps can access a user's location, while 29 percent on Android can.

While not all apps that access contact data or location are necessarily malicious, some enterprises might not want this information broadcast, Hering said.

For enterprises and developers, awareness of the problem is important, says Hering. Developers have a responsibility to ensure their app is providing the appropriate level of privacy and security. Enterprises need to educate end-users to pay attention to app ratings and what apps have access to. A simple game probably does not need to access a user's phone book, for example.

Meanwhile, not everyone believes mobile apps pose a significant threat right now.

“The jury is out in terms of how bad this could be for enterprises,” said Andrew Jaquith, Forrester senior analyst. “At the moment, I don't perceive a lot of risk. The kinds of things [rogue apps] can do include rooting through your address book and looking through your music collection. This is, frankly, not that big of a deal. We are going to have to see some demonstration of real harm before enterprises will really have to get worked up about this.”

According to Jaquith, any organization supporting the iPhone should follow a few best practices, such as requiring email session encryption, wiping devices if they are lost or stolen, protecting devices with a passcode lock, and auto-locking devices after periods of inactivity.