They are ubiquitous. Apps, the new short-form word, describes the thousands of software applications designed to run on mobile Android or Apple devices. From kids to corporate CEOs, everyone with mobile technology has come to depend on apps to perform tasks that range from basic to arcane. Given that most are either inexpensive or free, they have been a temptation that is simply too hard to resist.
But all is not well in this Garden of Eden. Security professionals have long fretted over their lack of insight into the source of apps or their sometimes nefarious nature. Social media, a nearby element in the mobile technology spectrum, is also problematic. Last year, for example, a security researcher discovered a vulnerability in Twitter, since repaired, that allowed applications to access users’ direct messages without their knowledge. The vulnerability exploited users who signed in to third-party applications using their Twitter credentials, a common authentication capability offered by many web and mobile apps.
In fact, many apps use Twitter handles or other social media identities for sign-on both on PCs and on mobile devices.
Everyone is worried, or so it seems. According to “Advanced Malware Detection and Prevention Trends,” a report by Enterprise Strategy Group, an IT research, analysis and strategy firm based in Milford, Mass., mobile security monitoring weaknesses and application security concerns are the top concerns of those surveyed. So, just how risky are apps? Symantec’s “Internet Security Threat Report 2014” reported that vulnerabilities discovered within an operating system (OS) are not the main focus of attacks. Rather, it is the top layer of the security stack – the application layer – that is the primary point of risk within a mobile device.
Another comprehensive and exhaustive study of app vulnerabilities comes from the folks at Appthority, which recently released its “App Reputation Report.” Its researchers studied the activities of the top 400 mobile apps – including the top 100 free apps and 100 paid apps for both of the most popular mobile platforms, iOS and Android.
Among other things, the report found that the popular perception that iOS devices are a “safer” choice was not supported when it came to relevant app activity. In fact, Appthority saw consistent risky app behaviors across both platforms. The company also found the top risky app behaviors for both operating systems most often fall into one of two categories: sensitive data being captured and sensitive data being shared. Significantly, it’s not just personal data but also corporate data that may be at risk. In general, the company concluded that free apps are the most problematic, generating the most risky behaviors.
Perhaps not surprisingly, Appthority also found that free apps aren’t really “free” to consumers in that developers often earn compensation by routing user data to third parties, such as advertising networks and analytics companies.
In fact, the authors noted that app developers, in an effort to expand their customer base, often transmit the contacts or even the full address book located on the device. Of course, if a device is connected to a corporate desktop, it could potentially be permitted to sync with contacts from Outlook, many of whom are contacts actually owned by the organization.
In short, mobile apps are the quintessential Pandora’s box, chock full of woes for the unwary.
Jon Oltsik, an analyst with the Enterprise Strategy Group, also sees challenges in the explosive growth of applications used on mobile devices and he says organizations have to formulate responses for both consumer applications and business applications. “We are seeing tremendous growth in mobile-packaged applications and custom application development by enterprise organizations,” says Oltsik. “At the same time, there is an explosion of consumer mobile apps.”
Oltsik says organizations are addressing this growth in several ways. Some segregate devices and networks between consumer and corporate use. “In the best case, nothing from the consumer side ever touches the corporate side,” says Oltsik. They also do things like application reputation checking to assess the riskiness of consumer applications. “Based upon this knowledge, organizations may force users to uninstall applications or disallow their use on the corporate network,” he says.
Overall, the key issue is whether business or consumer applications have or should have access to sensitive data. “This could be contact lists or it could be regulated data,” Oltsik explains. “The first thing you have to do is understand what data the application wants access to.” Once you know this, you can build in controls, like VPNs and data encryption, and then monitor activity to detect anomalous or suspicious behavior, he says.
“Differences in policies and enforcement are a function of business processes, compliance, risk and the value of the data,” he says. “So I may not allow physicians to store personal health care information (PHI) on a mobile device if I’m a hospital, but I may let them look at the data through a browser.” In fact, different industries may take advantage of mobile device capabilities for specific applications and business processes, which can be great for efficiency but often creates unique security challenges.
When it comes to app security, authorization is where a lot of the problems start, according to Tyler Shields, a senior analyst at global research and advisory firm Forrester. When authorization occurs through a common social platform, such as Facebook or Twitter, there is a very clear tradeoff between user experience and security.
“The most secure option would be to have high-strength two-factor authorization that is specific to each property” says Shields. But user experience is horrible when you do that, he adds. Therefore, at some point admins must be willing to centralize and federate identity in exchange for ease of use. “That is what consumers are saying. They don’t want to deal with 20 passwords. They want one, or a password safe that remember them, or they want to use Facebook or Google.”
Companies like McAfee offer personal password managers that aim to provide the convenience of single sign-on but with a lot more security built in, notes Gary Davis, chief consumer security evangelist at security technology company McAfee.
Business is adopting a similar approach by offering enterprise identity, with one log-in that is federated across the enterprise. Forrester’s Shields says federated enterprise sign-on is growing more popular. For example, users can now federate one’s ID into the cloud and let a provider, such as Ping Identity or Okta Identity Management, handle it. Conceptually, notes Shields, this should be even better than consumer-grade federation because it will be designed for situations where there is fiduciary responsibility. However, he adds, “they are going to be better, but they are still a single point of failure.”
Although those corporate approaches could be configured to also include access to popular consumer apps and sites, as a rule, notes Shields, they are reserved for enterprise functions.
Where are the vulnerabilities?
Ken Ammon, chief strategy officer, Xceedium
Gary Davis, chief consumer security evangelist, McAfee
Adam Ely, COO and co-founder, Bluebox Security
Gordon MacKay, executive vice president and chief technology officer, Digital Defense
Jon Oltsik, analyst, Enterprise Strategy Group
Tyler Shields, senior analyst, Forrester
Mike Spanbauer, managing director of research, NSS Labs
The privacy pieces are completely different because they stem more from the client side than the server side, he notes. For example, an app could try to get information from all the sensors on a mobile device – like GPS, RFI and Wi-Fi connection – as well as contacts, calendar information, health and payment capabilities. “An app can then try to send out the information to an advertising group or a library or even a malicious hacking entity. Of course, the builder of the phone or app also may access this information in ways that the user probably didn’t explicitly approve, too,” Shields says.
Or did they? In most cases, Shields says, users mark a check box or two when they acquire an app, indicating their agreement with hundreds or thousands of words comprising terms and conditions. But these end-user license agreements (EULAs) are flawed at their core in Shields’ view. Few users read or understand the EULA. Many simply don’t care. Thus, when a consumer installs an app, they are frequently giving a wide range of permissions. If one is using some kind of geolocation-based app, a ride-sharing app for example, that software may request access to GPS data for a legitimate function, but it may also have an embedded library which may piggy back on the location permission.
“In some cases, the app developers may not even know how this works or what might happen to the data,” says Shields. And there may not be any simple technical fix as long as most users either ignore the “fine print” in the EULA or decide to simply agree.
That may make app vulnerabilities, whether caused by poor engineering or by onerous EULA agreements, a real public policy problem. “I don’t feel developers are incented enough to write secure code because the negative repercussions of unsecure code are minimal,” says Shields. “And for users, a lot of it depends on individual sensitivity to privacy. So, developers don’t feel their code needs to be submarine tight.”
Instead, they prioritize getting to market fast, before someone else gets there.
“I’m afraid better app security might have to come down to litigation or regulation,”says Shields, citing the planned addition of chips to credit cards in the U.S. in order to improve security, which is a government mandate rather than something demanded in the market. In fact, he notes, European countries have already implemented a lot of privacy laws related to mobility, particularly regulating where data can be stored.
For enterprises, the first step is knowing what is there. That is achieved by implementing an inventory of all the apps in the enterprise’s environment, because if the admin doesn’t know what is there they can’t secure it. “However, you need to do this in an automated fashion,” says Shields. “Without that you can’t possibly keep up with the pace of change.”
To that end, he advises admins to inventory every app in their environment. “You may not have to approve them, but you have to know what is there,” he explains. “Once you know, you can build out profiles of acceptable risk for specific apps and for specific user segments.” For example, executives may be allowed to do certain things – or not. Admins, he points out, might not want location data to be available for CEOs. Or perhaps location data for people involved in delivering packages might be deemed too sensitive. Each group will have a risk threshold which must be mapped to the privacy impact of each app. It is typically a complex and time-consuming activity that demands automation.
Fortunately, he notes, there are lots of off-the-shelf offerings, such as a mobile device management (MDM) system, which can provide a good overview of one’s environment. Some can be integrated with reputation systems, such as Veracode and Appthority, so that the application and its risk rating can be contained within the MDM. “If you are going to allow apps into highest risk segments, you will want to do a security assessment, too. For example, a static analysis of the code,” notes Shields.
At this point, he says most organizations lack maturity. Many are just starting to figure out policies on BYOD and MDM, just starting to understand security at the application layer, and just starting to grasp their application count and the types of applications in their environment. Few have done user segmentation and risk threshold assessment. And fewer still have created policies, procedures and full automation. “All that takes time,” Shields says.
An alternative can be to try to simply keep devices out of the organization or sharply limit their use. This can be done, but in most companies with a lot of younger employees this can damage morale and probably lose people, says Shields. Because of that, some enterprises have just given up and gone “open.” But that’s not a good response for the security practitioner. “The answer is to think through the challenges and match the risk threshold to user expectations,” says Shields. “It is a long process and you can’t flip it on in a day.”
The people problem
With so many users and so many devices, a big ingredient of the security challenge is the people involved. “Consumers do not have the same level of security controls and security technology as the enterprise,” says Mike Spanbauer, managing director of research, NSS Labs, a security research and advisory firm with headquarters in Austin, Texas. As a consequence, says Spanbauer, these devices should never be allowed directly on the trusted network. “There is always a risk of compromise to the user when utilizing commercial applications for identity management. Consumers must practice security awareness for their personal safety,” he says.
And complicating the user experience is the issue of email. “There are emails people receive on a mobile device, where they are typically rushed and not careful,” says Gordon MacKay, executive vice president and chief technology officer for Digital Defense (DDI), a San Antonio, Texas-based provider of managed security risk assessment solutions. There is no silver bullet, he points out. Rather, in this scenario users are particularly vulnerable to phishing or instances where people, especially using single sign-on, may inadvertently convey permissions, he says.
McAfee’s Davis recommends trying to engage employees in the effort. For example, says Davis, people often download apps that they never or rarely use. Asking them to reduce their app count or at least reduce those that share a common or “social” sign-on can cut risk significantly. “Some companies are doing this through gamification, where you provide some incentive mechanism for people to participate in identifying less-used apps and eliminating their permissions,” he says.
Adam Ely, COO and co-founder of Bluebox Security, a San Francisco-based mobile solutions firm, says many security teams overlook social media apps because they are personal in nature. “Since there has always been a risk of employees over-sharing information, via email and forums, teams tend to treat this problem as an existing issue and don’t focus on it too much.” However, now, he says a lot of organizations are drifting to social messaging apps for internal communications since they are easier to use, everyone has them and they are outside of the company’s data archiving and monitoring.
Ely, the former CISO at Salesforce, says Bluebox focuses on both of these problems by understanding what people want to use and provides the ability to secure any application in order to protect it from vulnerabilities and protect the company.
Olivier Amar, CEO of MyPermissions, a free app that implements a suite of security tools to help users manage, control and secure their personal information. “Most consumers are not aware of the level of mobile access that apps can leverage off of their mobile device and what they are signing off to when they download a free app to a mobile device,” he says. “They don’t realize that most apps have access to their inbox, photos, other apps on their phone, etc. MyPermissions empowers the user to see what apps have access to and what they will allow them to access.”
Then there are the efforts to make the whole ecosystem more trustable – sort of like the way cars and drivers are licensed in most parts of the world. It may not prevent all problems but it provides a baseline mechanism for imposing order. In that vein, there are industry efforts, such as the FIDO (Fast IDentity Online) Alliance, formed in 2012 to address the lack of interoperability among strong authentication devices, as well as the problems users face with creating and remembering multiple usernames and passwords. The group is working to develop technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
Similarly, MyPermissions has launched its own Trust Certification Program, which requires participating developers to adhere to a set of standards guaranteed to protect users’ personal information. “With the Trust Certification Program, we give developers the ability to provide a safe online environment for consumers when interacting with apps and websites,” says Amar.
However, the fundamental problem is reliance on the consumer to understand how authentication and access works in an open environment and who owns what information. Rogue apps exploit this lack of awareness to bypass a system’s security controls. “Ultimately, it’s the choice of convenience over security by the user,” says Spanbauer at NSS Labs.
“Businesses need to allow the use of personal devices – it is going to happen anyway – but they should do so in a manner that provides for separation of business applications and information from personal applications and information,” he says.
Ely at Bluebox recommends that companies work with employees to understand their needs and adopt the technologies that make them more productive. “Every click, delay and minute in a process counts against productivity,” he says. Furthermore, any app with company data has to be thought of as a business enabler and a potential risk, and the company must determine if the risk is real and acceptable or not. “Let teams use the technology they want and secure it,” he adds. “We have the ability these days to add security to any application so there is no excuse not to embrace employee-driven technology decisions.”
It comes down to distinguishing identities. “The dynamics of cybersecurity have changed and identity is becoming the new perimeter,” says Ken Ammon, chief strategy officer of Xceedium, a Herndon, Va.-based
network security software company that provides privileged identity management solutions for hybrid cloud enterprises. “The idea that there is an inside and an outside to a system has broken down,” he explains. “It is really a mesh of interconnectivity whereby people use mobile devices to access corporate data and go to Facebook.”
Moving forward, Ammon says the underlying effort needs to be to separate identity, authentication and authorization so that users get what they need and what they have a right to – and nothing else. “I am encouraged to see what Apple is doing with payments,” he says, referring to the company’s announcement in Spetember of its new Apple Pay mobile-payment system. “It seems like we are finally moving in the right direction at the consumer level. But the rate of adoption will have to catch up,” he says.