Just as they did on the desktop, applications on mobile devices are becoming more prevalent, more useful and more necessary to making the smartphones and tablets the go-to workhorses for an increasing number of corporate employees.
But as these applications get better and more pervasive, they are also becoming more of threat vector for attacks – not only because of their ubiquity, but because of the sensitive information they hold. According to an HPE study, “Mobile Application Security Report 2016,” the potential threat to privacy and reputation is very real from applications that often collect unnecessary data. In 2015's Ashley Madison breach, for example, the company's storage of geolocation data allowed a reporter to pinpoint the location of otherwise anonymous users.
“Mobile applications have had a steady rise in risk for companies, and that's mainly due to the shift from desktop browsing to mobile applicationss,” says Ryan O'Leary, vice president of the Threat Research Center and technical support for WhiteHat Security, a Santa Clara, Calif.-based web application security firm. “More and more of the everyday online tasks people do are being shifted to mobile application. As more people move to mobile applications to conduct transactions, the greater the risk is to the companies that deploy these.”
In addition, O'Leary points out that mobile applications are native apps, meaning they're downloaded and run on the phone. If a security issue is found, the company often must make changes to the application code. “This requires users to update their application or it will continue to be vulnerable,” he adds. “It is in the hands of the user to remember to update applications regularly.”
Michael Taylor (right), applications and product development lead for Rook Security, a computer security services firm based in Indianapolis, agrees that mobile applications have become a more attractive target in the past year due to their ubiquity, their increased utility and their advancing system capabilities (including RAM, CPU and storage). As a result, he says that the increasing size of the mobile app ecosystem has caused its own series of problems. “Many apps with vulnerabilities, excessive device access requirements and malicious updates have been released that can expose the end-user to remote access tools, remote monitoring and data exfiltration,” he says.
Indeed, Gregory Leonard, senior application security consultant for Optiv, an information security company based in Denver, points up the sheer number of mobile applications combined with the growing prevalence of the bring-your-own-device (BYOD) movement making mobile applications a more appealing target. “IT network security teams are challenged by the mobile space because IT policy cannot completely control access to a mobile device like they could with desktop or laptop computers,” Leonard says. As an example, he points to the Stagefright bug, which enables attackers to send a specially crafted MMS to a device and perform remote code execution and privilege escalation, typically without requiring any user actions.
But perhaps the most pernicious issue is that of how more mobile applications demand a high degree of access and control over a user's system and their data in order to even be downloaded. “A key issue here is that most are not aware of the sheer amount of information captured by mobile applications, such as contacts, calendars, geolocations, photos, attachments and more.,” says Brian Stafford, CEO of Diligent, a New York-based firm that provides secure collaboration for boards and leadership teams. “This needs to change.”
Stephen Gates, chief research intelligence analyst for NSFOCUS, a Santa Clara, Calif.-based provider of enterprise-level network security solutions and services, agrees that the demand for permissions employed by most mobile applications has gotten out of control. “You start looking at the permissions required by an application on the Google Play store and it wants to look at your contacts, location, modify or delete the contents of your SIM card…Why in the world would any application need to have all this access?” he asks.
And, with so many mobile users unblinkingly agreeing to give mobile apps this broad access, a new door has opened wider to the emergence of “imposter applications,” created by hackers to spoof legitimate and popular mobile applications to gain a foothold through mobile devices. John Michelsen (left), chief product officer at Zimperium, a San Francisco-based company that offers enterprise-class protection for mobile devices, says that initially, when Pokemon Go was only available in a few countries, users began going to third-party app stores to download the popular game application. “Hackers caught wind of this and created imposter apps loaded with spyware, remote access trojans and bots that gave cybercriminals complete control over users' mobile devices,” Michelsen says, adding that more imposter apps duped shoppers at Foot Locker, Dillard's, Nordstrom and Christian Dior this past holiday season.
Challenges of securing mobile apps
WhiteHat Security's O'Leary points out that even company-issued mobile devices can have inherent security risks depending on how they are deployed. “Users are much less likely to care about the security of their work phone than that of their personal phone,” he says. He suggests that a mobile user is more apt to set up their personal phone with better passwords, lock screens that require authentication to unlock, and employ the use of two-factor authentication. On the other hand, O'Leary says, many mobile users see a work phone as something one has to have, so users often ignore basic security practices. “And users are often reluctant to have anything installed on their personal phone that mandates security, or is seen as a ‘big brother' practice. It's then up to the user to make sure they're following good security practices.”
But with BYOD becoming more widely embraced in all sectors – as a means of reducing costs and demands on IT – mobile application management and security become trickier. “Employees don't expect personal privacy when operating a company-owned computer, so surveillance-style security solutions meet little resistance from users,” Zimperium's Michelsen says. “But when employees bring their own mobile devices to work, monitoring web searches, messaging content and other application activity becomes a major violation of privacy.” Hence, he says enterprises cannot duplicate their existing endpoint security processes for mobile.
The major issue here is that most companies implement BYOD policies without having compliant and secure programs in place for all of their employees and members of the organization, says Stafford of Diligent. “It is the responsibility of the business to make sure they are aware of the applications their employees are using in order to come up with a security solution and procedure in advance.”
John Labelle (left), senior security consultant at Optiv, believes that much as they do with web applications, “organizations should assume that the client side of mobile applications is not completely secure. Attackers will always be able to look into and alter functionality, even for binaries or obfuscated code.” Leonard, also at Optiv, points out that another hurdle with mobile application security is that “it takes to long to deliver security fixes to devices.” Some manufacturers do a good job of providing regular updates to a majority of their devices, while others have to deal with a much more complicated delivery process, where an update to a device has to wait on security patch development from the operating system development team, the device manufacturer and the specific cellular carrier on which the device is running, Leonard adds.
“Also, mobile applications can be easily downloaded and reverse engineered by attackers, giving them a better understanding of how an app works and how it possibly can be exploited,” Leonard (right) adds. “This gives them a significant advantage over a traditional web application, where the application code is stored on a server which would need to be compromised before the application could be inspected.”
An added complication is that mobile applications are often outsourced to third-party developers who have expertise in mobile application development, O'Leary points out. “These third-party developers often care more about getting it done quickly than building good security practices in,” he adds. “We've seen some pretty egregious vulnerabilities in recent mobile applications.” For instance, O'Leary says one mobile application asked for an email and password to register; if the email already existed as a user, it would simply update that user with the new password. “Effectively, I could update anyone's password and login as them if I knew their email,” he adds.
When an organization is developing its own mobile applications, they should follow a secure development lifecycle with all the normal steps of threat modeling, security architecture, security testing, training and the rest, says Jeff Williams, co-founder and chief technology officer of Contrast Security, a Los Altos, Calif.-based application security firm. He adds that internal developers should consider the OWASP Mobile Security Top Ten project as a good starting point for specific risks. And when it comes to externally developed mobile applications, Williams says companies should be very careful to select those that have a strong security story about how their code is built, secured and tested. “They should use mobile device management (MDM) and mobile application management (MAM) solutions to control risks to their enterprise from those applications.”
For his part, O'Leary believes more companies need to make their mobile applications part of their risk assessment and standard vulnerability identification program. “These apps could have serious vulnerabilities that would completely devastate a company,” he adds. “Getting a good third-party security assessment on your mobile applications is a must.” O'Leary also suggests that organizations have a specific plan in place to fix these mobile vulnerabilities as soon as they are detected. “Once it's released and a vulnerability is found, your user base is vulnerable until all of them update their application,” he points out.
But even when it comes to established security approaches, it seems harder to strike a balance between making users safer and making it harder for them to manage their own applications. Optiv's Labelle is seeing more companies use anti-jailbreaking trapping and source obfuscation tools. “This isn't going to have the desired effect, which is improved security,” he says. “Making an application harder to use or understand does not always make it more secure.” People who may want to help – consultants or researchers, for example – can be locked out of the process of improving security if the application becomes too unwieldy for anyone but those familiar with it, he says.
“Basically, when you raise the bar so much that good guys can't access your app, the only ones left looking are the bad guys,” Labelle adds.