Just as they did on the desktop, applications on mobile devices are becoming more prevalent, more useful and more necessary to making the smartphones and tablets the go-to workhorses for an increasing number of corporate employees.
But as these applications get better and more pervasive, they are also becoming more of threat vector for attacks – not only because of their ubiquity, but because of the sensitive information they hold. According to an HPE study, “Mobile Application Security Report 2016,” the potential threat to privacy and reputation is very real from applications that often collect unnecessary data. In 2015's Ashley Madison breach, for example, the company's storage of geolocation data allowed a reporter to pinpoint the location of otherwise anonymous users.
“Mobile applications have had a steady rise in risk for companies, and that's mainly due to the shift from desktop browsing to mobile applicationss,” says Ryan O'Leary, vice president of the Threat Research Center and technical support for WhiteHat Security, a Santa Clara, Calif.-based web application security firm. “More and more of the everyday online tasks people do are being shifted to mobile application. As more people move to mobile applications to conduct transactions, the greater the risk is to the companies that deploy these.”
In addition, O'Leary points out that mobile applications are native apps, meaning they're downloaded and run on the phone. If a security issue is found, the company often must make changes to the application code. “This requires users to update their application or it will continue to be vulnerable,” he adds. “It is in the hands of the user to remember to update applications regularly.”
Michael Taylor (right), applications and product development lead for Rook Security, a computer security services firm based in Indianapolis, agrees that mobile applications have become a more attractive target in the past year due to their ubiquity, their increased utility and their advancing system capabilities (including RAM, CPU and storage). As a result, he says that the increasing size of the mobile app ecosystem has caused its own series of problems. “Many apps with vulnerabilities, excessive device access requirements and malicious updates have been released that can expose the end-user to remote access tools, remote monitoring and data exfiltration,” he says.
Indeed, Gregory Leonard, senior application security consultant for Optiv, an information security company based in Denver, points up the sheer number of mobile applications combined with the growing prevalence of the bring-your-own-device (BYOD) movement making mobile applications a more appealing target. “IT network security teams are challenged by the mobile space because IT policy cannot completely control access to a mobile device like they could with desktop or laptop computers,” Leonard says. As an example, he points to the Stagefright bug, which enables attackers to send a specially crafted MMS to a device and perform remote code execution and privilege escalation, typically without requiring any user actions.
But perhaps the most pernicious issue is that of how more mobile applications demand a high degree of access and control over a user's system and their data in order to even be downloaded. “A key issue here is that most are not aware of the sheer amount of information captured by mobile applications, such as contacts, calendars, geolocations, photos, attachments and more.,” says Brian Stafford, CEO of Diligent, a New York-based firm that provides secure collaboration for boards and leadership teams. “This needs to change.”