With apps now numbering in the billions, the saying ‘there’s an app for everything’ has never been more true. But, while that’s great for us, it’s also a serious security threat for business. AQ looks at the dangers apps pose and finds out how smart businesses are mitigating the risk.
If a total stranger came up to you in the street and offered you an application for your phone on condition that you let him take a look at your personal data, contacts and photos you’d likely give him short shrift.
Strange then that we should agree to virtually the same thing every time we download an app and hastily click ‘yes’ to whatever access warning pops up, often without a second thought.
There is a difference though, because while the stranger would likely hand your phone back after a few minutes, unknowingly allowing apps to access your data means you’re allowing access indefinitely, with no real knowledge of who views your data or who it’s passed on to.
While the quick defence is ‘I don’t keep important information on my phone anyway’, that’s just the tip of the iceberg. Your phone can be a conduit to your work network or email, even a corporate spy in your hand.
It may seem like science fiction but, once you’ve invited them in, cyber hackers can potentially activate the super-sensitive microphone, or camera, on your phone to record anything, or even use location services to keep track of where you are.
A more familiar threat from mobile data breaches is phishing. With app developers sometimes selling user information to monetise their apps, seemingly innocuous information could potentially be used to make bogus emails appear more genuine. If they knew exactly where you were, when and who you were with yesterday for instance, it’s then very easy for them to create a highly convincing bogus email that could trick you into following a malicious link or disclosing information.
Unsurprising then that, for businesses in particular, this is a very real threat. Even before the explosion of Bring Your Own Device (BYOD), company control over the apps that employees download on their phones varies dramatically.
While some companies have a list of approved apps and restrict what can be downloaded on their devices, research shows that others are less in control. One cyber security firm asked its clients how many apps employees were using across the business and, while the company said 100, the reality was close to 800.
So what are the main risks of apps (legitimate and bogus, personal and work related) to business, and how can you protect yourself and mitigate the risk? Here are some of the threats and some advice on how to avoid them.
Mobile Remote Access Trojans (mRATs)
Typically downloaded from app markets, including Google Play, these bogus apps contain malicious functionality that, once installed, allows the attacker to do almost anything on the device.
mRATs and iOS surveillance
These attacks exploit a jailbroken device, on which the built-in iOS security mechanisms have been removed. The attacker then installs surveillance and mRAT software that gives them remote access to everything stored on, and flowing through, the device.
Fake iOS certificates
Attackers use these to make phone owners believe an app is certified by Apple when it isn’t. Once downloaded, such apps may contain malware that infects the device. Though Apple usually spots these quickly and removes them from the App Store, it won’t remove them from your phone, so it comes down to having a solution that can detect, block and remove apps using stolen or fraudulent certificates.
System exploits – elevated privileges
Again delivered via apps, these programs exploit vulnerabilities in the phone’s operating system, allowing attackers to take over the phone owner’s privileges and thus gain access to, and alter, settings and functions such as the camera and microphone.
As well as accessing sensitive information from the phone itself, attackers could turn on the device’s microphone to listen in on boardroom discussions, forward emails or text messages sent to or from the device, take photos of whiteboard diagrams from meetings, access phone calls and voice mails, and even track that individual’s whereabouts.
Addressing the problem
Mitigating the risk from apps will vary depending on your company, but the approach is likely to involve a mix of cultural elements and technical solutions.
While curbing cyber-crime may seem like the domain of the IT department, people across the company are now the first line of defence, so instilling a diligent and consistent culture, raising awareness of the dangers and encouraging the right behaviours is key.
A robust and well-publicised security policy, together with the use of mobile device management programs, is also highly recommended. Some of the best solutions include Airwatch and Check Point’s three-part Capsule product, which uses 256-bit encryption widely regarded as uncrackable.
Using a solution such as Capsule, Airwatch or another ‘sandboxing’ product means mobile users can securely access email, web browsers and documents from the corporate network on their personal phone, but only within a secured working environment: an isolated, encrypted container on the device that is kept entirely separate from all other applications and data on the system. It’s like having a ‘phone within a phone’ – the equivalent of one device for work and one for personal use.
App security: quick tips
- Make sure all devices containing corporate data are encrypted, or use a sandboxed and encrypted area for corporate/sensitive data
- Educate colleagues on what corporate data should or should not be shared with third-party apps
- Monitor the apps in use (and data being accessed) on company networks
- Help employees identify and report risky behaviour and how to spot phishing emails
- Give employees the productivity tools they need so they don’t feel the need to download alternatives
- Consider a full application and data protection solution (such as Check Point or Airwatch).
Check out app-ic.co.uk for more information