6/3/2014 08:35 AM
Tim Wilson
Quick Hits

Researchers: Mobile Applications Pose Rapidly Growing Threat To Enterprises

The average user has about 200 apps running on his smartphone -- and they're not all safe, Mojave Networks study says.

More and more end-users are bringing mobile devices to work -- and with them, more and more applications that could threaten the security of enterprise data, according to data released this week.

In a blog posted Monday, researchers at mobile security firm Mojave Networks said that a detailed analysis of mobile applications running under bring-your-own-device (BYOD) programs in large enterprises indicates that the BYOD phenomenon may pose greater risk than most IT departments know.

The study shows that the average mobile device carries about 200 applications, each of which requires an average of nine permissions in order to operate -- permissions to access data such as the user's personal information, address book, or physical location. With so many applications running, and with each application gaining access to so many stores of information, it is difficult for the IT organization to know who is accessing its corporate data, Mojave says.

"When we first come into a customer site, most of them have no idea what apps their users have installed on their devices, or what their risk exposure might be," says Ryan Smith, lead threat engineer at Mojave. "They are accepting a level of risk on their mobile devices that they would never accept on PCs."

Smartphones contain dozens of apps as part of their operating environments, and users typically add dozens more after they've purchased them, Smith tells us. Each of these applications asks for the right to access certain information -- such as a user's name, phone call history, contact list, or geographic location -- that increases the risk of data leakage or active hacks that could compromise enterprise data.

Mobile advertising libraries are a prime example of this potential risk, Smith writes in the blog:

These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case, the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review.

As part of its study, Mojave analyzed some 11 million URLs that its customers' mobile devices have linked to over the last year. The researchers found that 65 percent of applications downloaded by business users connect to an ad network, and 40 percent of apps downloaded by business users connect to a social network application programming interface. Nearly 80 percent of mobile applications ask their users to link to a third-party resource, such as an ad network, social media API, or a usage analytics API.

"Some apps have a higher risk than others, but almost all of them carry some risk," says Smith.

Mojave collected the data as part of the buildout of its new application reputation service, which was also rolled out Monday. The service enables enterprises to track the apps running on users' BYOD devices and rank them according to the potential risk they represent to the enterprise.

With the application reputation service, according to Mojave, organizations can dissect and analyze the data being collected, stored, or transmitted from mobile applications, enabling them to discover the potential risk of applications in their organizations and create better policies for blocking or restricting the use of risky apps.
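As an added illustration of the inventory-and-ranking approach the article describes (this is not Mojave's code or scoring model): given a constructed list of apps with their requested permissions and outbound URLs, score each app by its sensitive permissions and the third-party endpoint categories it contacts, and compute the share of apps touching ad networks, social APIs, and analytics services. The domains, weights and inventory below are all constructed assumptions.

```python
"""Rank BYOD apps by risk from permissions and third-party endpoints.

Constructed example: the app inventory, permission weights and endpoint
categories are illustrative assumptions, not Mojave's data or scoring.
"""
from collections import Counter
from urllib.parse import urlparse

# Permissions the study singles out as sensitive, with assumed weights.
SENSITIVE_PERMISSIONS = {
    "READ_CONTACTS": 3, "ACCESS_FINE_LOCATION": 3, "READ_CALL_LOG": 3,
    "READ_PHONE_STATE": 2, "GET_ACCOUNTS": 2, "INTERNET": 1,
}
# Constructed map of third-party hostnames to categories (example-only domains).
THIRD_PARTY = {
    "ads.example-adnet.test": "ad_network",
    "graph.example-social.test": "social_api",
    "track.example-analytics.test": "analytics",
}
CATEGORY_WEIGHT = {"ad_network": 2, "social_api": 2, "analytics": 1}

def endpoint_categories(urls):
    """Return the set of third-party categories an app's outbound URLs hit."""
    hosts = (urlparse(u).hostname for u in urls)
    return {THIRD_PARTY[h] for h in hosts if h in THIRD_PARTY}

def risk_score(app):
    """Score = sensitive-permission weights + third-party category weights."""
    perms = sum(SENSITIVE_PERMISSIONS.get(p, 0) for p in app["permissions"])
    cats = sum(CATEGORY_WEIGHT[c] for c in endpoint_categories(app["urls"]))
    return perms + cats

def rank_apps(inventory):
    """Return (name, score, categories) tuples, riskiest first."""
    rows = [(a["name"], risk_score(a), sorted(endpoint_categories(a["urls"])))
            for a in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def category_share(inventory):
    """Fraction of apps touching each category (the study's 65%/40%-style figures)."""
    counts = Counter(c for a in inventory for c in endpoint_categories(a["urls"]))
    return {c: round(n / len(inventory), 2) for c, n in counts.items()}

# Constructed inventory of three apps found on a BYOD device.
INVENTORY = [
    {"name": "flashlight", "permissions": ["INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION"],
     "urls": ["https://ads.example-adnet.test/v1/bid", "https://track.example-analytics.test/ev"]},
    {"name": "notes", "permissions": ["INTERNET"], "urls": ["https://sync.notes-vendor.test/api"]},
    {"name": "social_share", "permissions": ["INTERNET", "GET_ACCOUNTS"],
     "urls": ["https://graph.example-social.test/me", "https://ads.example-adnet.test/v1/bid"]},
]

if __name__ == "__main__":
    for name, score, cats in rank_apps(INVENTORY):
        print(f"{name:<14} score={score:<3} third_party={','.join(cats) or '-'}")
    print(category_share(INVENTORY))
```

The output ranks the flashlight app highest because it combines contact and location access with ad-network and analytics traffic, while the notes app, which only talks to its own vendor, scores lowest.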

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
