Some reasons an application was considered unsafe: if it accessed SIM card data such as geolocation, or sent sensitive information for no apparent reason.
Some reasons an application was considered unsafe: if it accessed SIM card data such as geolocation, or sent sensitive information for no apparent reason.

The average large global enterprise has approximately 2,400 unsafe mobile applications installed on employee devices – that is a key finding made by Veracode after analyzing data from its cloud-based platform.

Some reasons an application was considered unsafe is if it accessed SIM card data such as geolocation, or sent sensitive information for no apparent reason, Phil Neray, VP of Enterprise Security Strategy at Veracode, told SCMagazine.com in a Wednesday email correspondence.

Veracode researchers analyzed a pool of about 400,000 applications – installed in multiple global enterprises in various industries, including financial services, media, manufacturing and telecommunications – and identified roughly 14,000 unsafe applications.

Of those, 85 percent expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs, and carrier information, according to the findings.

Additionally, 37 percent perform suspicious security actions, such as checking to see if the device is rooted or jailbroken, installing or uninstalling applications, recording phone calls, and running other programs. And 35 percent retrieved or shared sensitive information – such as browser history and calendars – and often sent the data to suspicious overseas locations.

Veracode analyzed a mix of commercial applications from public app stores – such as game, weather and camera apps – and enterprise applications, the vast majority of which came from public app stores, Neray said, adding that the applications are typically downloaded by employees.

“We analyzed both iOS and Android applications,” Neray said. “All the applications reside on employee devices which are managed by the organization's [mobile device management (MDM)] system. These devices are typically a mix of [bring your own device (BYOD)] and enterprise-supplied devices.” 

Neray said that attackers can use unsafe applications to “spy on employees with access to confidential information – by tracking the employee's location, recording their phone calls and developing a profile of their social connections – in order to steal corporate intellectual property or profit from trading on insider information.”

Unsafe applications can also be used to steal banking credentials or insert aggressive adware, as well as by nation states to track high-profile individuals, Neray said. He added that if a device is identified as rooted or jailbroken, a malicious application can be used to perform privileged administrative actions.

“Organizations should be using MDM systems, powered by continuously updated security intelligence, to enforce corporate policies on managed devices,” Neray said, adding that users should only be downloading apps from reputable developers.