Vulnerabilities / Threats // Insider Threats
08:35 AM
Tim Wilson
Tim Wilson
Quick Hits

Researchers: Mobile Applications Pose Rapidly Growing Threat To Enterprises

The average user has about 200 apps running on his smartphone -- and they're not all safe, Mojave Networks study says.

More and more end-users are bringing mobile devices to work -- and more and more applications that could threaten the security of enterprise data, according to data released this week.

In a blog posted Monday, researchers at mobile security firm Mojave Networks said that a detailed analysis of mobile applications running under bring-your-own-device (BYOD) programs in large enterprises indicates that the BYOD phenomenon may pose greater risk than most IT departments know.

The study shows that the average mobile device carries about 200 applications, each of which requires an average of nine permissions in order to operate -- permissions such as the user's personal information, address books, or physical location. With so many applications running, and with each application gaining access to so many stores of information, it's difficult for the IT organization to know who's accessing their corporate data, Mojave says.

"When we first come into a customer site, most of them have no idea what apps their users have installed on their devices, or what their risk exposure might be," says Ryan Smith, lead threat engineer at Mojave. "They are accepting a level of risk on their mobile devices that they would never accept on PCs."

Smartphones contain dozens of apps as part of their operating environments, and users typically add dozens more after they've purchased them, Smith tells us. Each of these applications asks for the right to access certain information -- such as a user's name, phone call history, contact list, or geographic location -- that increases the risk of data leakage or active hacks that could compromise enterprise data.

Mobile advertising libraries are a prime example of this potential risk, Smith writes in the blog:

These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case, the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review.

As part of its study, Mojave analyzed some 11 million URLs that its customers' mobile devices have linked to over the last year. The researchers found that 65 percent of applications downloaded by business users connect to an ad network, and 40 percent of apps downloaded by business users connect to a social network application programming interface. Nearly 80 percent of mobile applications ask their users to link to a third-party resource, such as an ad network, social media API, or a usage analytics API.

"Some apps have a higher risk than others, but almost all of them carry some risk," says Smith.

Mojave collected the data as part of the buildout of its new application reputation service, which was also rolled out Monday. The service enables enterprises to track the apps running on users' BYOD devices and rank them according to the potential risk they represent to the enterprise.

With the application reputation service, according to Mojave, organizations can dissect and analyze the data being collected, stored, or transmitted from mobile applications, enabling them to discover the potential risk of applications in their organizations and create better policies for blocking or restricting the use of risky apps.

Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.