But all is not well in this Garden of Eden. Security professionals have long fretted over their lack of insight into the source of apps and their sometimes nefarious nature. Social media, a nearby element in the mobile technology spectrum, is also problematic. Last year, for example, a security researcher discovered a vulnerability in Twitter, since repaired, that allowed applications to access users' direct messages without their knowledge. The vulnerability affected users who had signed in to third-party applications using their Twitter credentials, a common authentication capability offered by many web and mobile apps.
In fact, many apps use Twitter handles or other social media identities for sign-on both on PCs and on mobile devices.
Everyone is worried, or so it seems. According to “Advanced Malware Detection and Prevention Trends,” a report by Enterprise Strategy Group, an IT research, analysis and strategy firm based in Milford, Mass., weaknesses in mobile security monitoring and application security are the top concerns of those surveyed. So, just how risky are apps? Symantec's “Internet Security Threat Report 2014” reported that vulnerabilities discovered within an operating system (OS) are not the main focus of attacks. Rather, it is the top layer of the security stack – the application layer – that is the primary point of risk within a mobile device.
Another comprehensive study of app vulnerabilities comes from the folks at Appthority, which recently released its “App Reputation Report.” Its researchers studied the activities of the top 400 mobile apps – the top 100 free apps and the top 100 paid apps for each of the two most popular mobile platforms, iOS and Android.
Among other things, the report found that the popular perception that iOS devices are a “safer” choice was not supported when it came to relevant app activity. In fact, Appthority saw consistent risky app behaviors across both platforms. The company also found the top risky app behaviors for both operating systems most often fall into one of two categories: sensitive data being captured and sensitive data being shared. Significantly, it's not just personal data but also corporate data that may be at risk. In general, the company concluded that free apps are the most problematic, generating the most risky behaviors.
Perhaps not surprisingly, Appthority also found that free apps aren't really “free” to consumers in that developers often earn compensation by routing user data to third parties, such as advertising networks and analytics companies.
In fact, the authors noted that app developers, in an effort to expand their customer base, often transmit the contacts or even the full address book located on the device. Of course, if a device is connected to a corporate desktop, it could potentially be permitted to sync with contacts from Outlook, many of whom are contacts actually owned by the organization.
In short, mobile apps are the quintessential Pandora's box, chock full of woes for the unwary.
Jon Oltsik, an analyst with the Enterprise Strategy Group, also sees challenges in the explosive growth of applications used on mobile devices and he says organizations have to formulate responses for both consumer applications and business applications. “We are seeing tremendous growth in mobile-packaged applications and custom application development by enterprise organizations,” says Oltsik. “At the same time, there is an explosion of consumer mobile apps.”
Oltsik says organizations are addressing this growth in several ways. Some segregate devices and networks between consumer and corporate use. “In the best case, nothing from the consumer side ever touches the corporate side,” says Oltsik. They also do things like application reputation checking to assess the riskiness of consumer applications. “Based upon this knowledge, organizations may force users to uninstall applications or disallow their use on the corporate network,” he says.
Overall, the key issue is whether business or consumer applications have or should have access to sensitive data. “This could be contact lists or it could be regulated data,” Oltsik explains. “The first thing you have to do is understand what data the application wants access to.” Once you know this, you can build in controls, like VPNs and data encryption, and then monitor activity to detect anomalous or suspicious behavior, he says.
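Oltsik's first step, understanding what data an application wants access to, can be turned into a repeatable check. The script below is an added example and is not code from the article, from Enterprise Strategy Group or from Appthority: it reads the permissions declared in an Android manifest and sorts them into the two risk categories the Appthority report names, data being captured and data being shared. The permission-to-category mapping, the verdict policy and the sample manifests are all assumptions constructed for the example.

```python
# Added example: classify an app's declared Android permissions by whether they
# let the app capture sensitive data or share it off the device. The mapping,
# the verdict rules and the sample manifests are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical policy table: permission -> (risk category, plain-English data type).
# "capture" = reads sensitive data on the device; "share" = can move data off it.
PERMISSION_RISK = {
    "android.permission.READ_CONTACTS": ("capture", "address book"),
    "android.permission.ACCESS_FINE_LOCATION": ("capture", "precise location"),
    "android.permission.READ_CALENDAR": ("capture", "calendar"),
    "android.permission.READ_SMS": ("capture", "SMS"),
    "android.permission.INTERNET": ("share", "network egress"),
    "android.permission.SEND_SMS": ("share", "outbound SMS"),
}

# Constructed manifest for a fictitious free app (not a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeflashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Constructed manifest for an app that only needs the network.
NETWORK_ONLY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the package name and the list of <uses-permission> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = [el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")]
    return root.get("package"), names


def assess_app(manifest_xml):
    """Answer 'what data does this app want?' and give a hypothetical policy verdict."""
    package, perms = declared_permissions(manifest_xml)
    captures, shares, unclassified = [], [], []
    for perm in perms:
        if perm in PERMISSION_RISK:
            category, data_type = PERMISSION_RISK[perm]
            (captures if category == "capture" else shares).append(data_type)
        else:
            unclassified.append(perm)  # not in the policy table; needs a human look

    # The dangerous combination from the report: the app can both read sensitive
    # data and send it somewhere. Either half on its own still deserves review.
    if captures and shares:
        verdict = "block"
    elif captures or shares:
        verdict = "review"
    else:
        verdict = "allow"

    return {
        "package": package,
        "captures": captures,
        "shares": shares,
        "unclassified": unclassified,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, NETWORK_ONLY_MANIFEST):
        result = assess_app(manifest)
        print(result["package"], "->", result["verdict"],
              "| captures:", result["captures"], "| shares:", result["shares"],
              "| unclassified:", result["unclassified"])
```

The verdict is only the starting point Oltsik describes: a "block" result is where an organization would force an uninstall or bar the app from the corporate network, a "review" result is where the controls he mentions (VPN, encryption) and activity monitoring come in, and anything left unclassified is a gap in the policy table rather than a clean bill of health.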
“Differences in policies and enforcement are a function of business processes, compliance, risk and the value of the data,” he says. “So I may not allow physicians to store personal health care information (PHI) on a mobile device if I'm a hospital, but I may let them look at the data through a browser.” In fact, different industries may take advantage of mobile device capabilities for specific applications and business processes, which can be great for efficiency but often creates unique security challenges.