5 Risks Introduced by Mobile Apps: How to Protect Your Organization from Malware, Other Threats
Editor's Note: This is the second in a series of blogs addressing mobile application security. The first installment addressed areas of focus before developing apps.
About four years ago, Apple released the first mobile device App Store, and three major players followed: Google Play, Windows Store and Blackberry App World. Additionally, a plethora of secondary application markets exist, all of which combined serve over 1.5 million apps today.
As a result of these apps, we users have become more dependent on our smart phones and tablets. These devices accompany us virtually everywhere, including at work. In the workplace, executives soon recognized the potential for increased productivity from mobility and started allowing personal devices to connect to corporate networks, including e-mail. This paradigm shift in the way people live and work spawned a flurry of bring-your-own-device and mobile device management design and implementation activities among many organizations.
But in the rush to allow personal devices to be used for work, we in application security neglected to examine thoroughly the new risks external applications may introduce to our organizations.
All of the apps from app stores have one thing in common: If there is something that can be done from your device, "there's an app for that" - and a risk. My smart phone's alarm is the first thing I hear in the morning. Once I shut off the Super Mario Brothers' musical theme, I type in my eight-digit passcode, open one of four weather apps to prepare for the day, check my e-mail to see if there is anything pressing, peruse local news and glance at friends' updates on Facebook. From the time I first hear the Super Mario Brothers' call to meet the day, to checking weather, news, friends' activities and a work update, a mere 45 minutes has elapsed.
Our lives have become more efficient, and portions of them are consumed by mobile devices and what we can do with them. While we enjoy a myriad of efficiencies, we need to think about what having real-time access to everything we think we need means to our businesses. What types of risks do these devices and apps bring, and what do we need to worry about?
Top 5 Risks
Mobile applications have similar threats, vulnerabilities and risks to those posed by typical web and client/server applications. That said, because users have the power and ability to download whatever they wish and manage their devices to their liking, we need to think about these top five risks and how to mitigate them:
- Inherent, Blind Trust - App stores come pre-installed on our mobile devices and provide access to a ton of mobile applications. We blindly trust that the app stores have performed due diligence on the apps in their stores. Yet, in reality, app store vendors lack the cycles to ensure that the apps they make available won't open up our employees/users to risks that can harm the business.
- Functional Risks - Opening, editing, sending, receiving and e-mailing documents; syncing backups; checking in to my current location; etc. - these are a tiny subset of tasks that I can complete with my devices. But what happens if I open a PDF from my business e-mail in a PDF viewer that I downloaded? Suppose I then sync that document through the PDF viewer? At this point, my potentially sensitive document is being managed by someone else's application (probably with insecure application and sync storage), and it is completely outside of my control. How about if I check in to my current location via Facebook or Foursquare? Due to the sensitive nature of what I do, some of my clients don't want others to know I am working for them. But if I "check in," the whole world (literally) becomes aware of where I am.
- Malware - Malware has forever been a problem in the IT world, and it is no different in the mobile sphere. Malware can wreak havoc by stealing sensitive data, monitoring traffic, connecting to internal networks and infecting internal machines. And that's just for starters. Malware will continue to evolve in apps from app stores, and attackers will continue to refine their approaches to malfeasance.
- Root Applications - Rooting and jailbreaking are commonplace. Users or attackers run exploits against the mobile operating system to provide them with unfettered access to the file system and allow them to be the "root" user of the operating system. Some users appreciate the freedoms that having root access gives them. Root access also provides a gateway to other app stores, such as Cydia, or the ability to download applications from untrusted sources. The applications running as root deliver functional and malware risks to the business. In some cases, the functional/malware line starts to get fuzzy with the root applications because, typically, the applications provide more functionality than the typical non-root applications provide.
- Inappropriate Applications - Clearly, not all applications are appropriate in the workplace, and I'll leave it to your imagination to classify which ones would be classified as Not Safe For Work.
The number of mobile applications has gone from zero to 1.5 million in a little more than four years, and it will continue to grow in quantum leaps. As the mobile app world continues to evolve, so will the risks. In next month's posting, I will discuss how to address each of these risks and provide specifics on how to thwart them.
Lindner is the global practice manager, mobile application security services, for Aspect Security, a consulting firm based in Maryland that focuses exclusively on application security services and training for a worldwide clientele. He also serves as an OWASP Top Ten Mobile Project contributor and Mobile Testing Guide contributor.