Vulnerabilities / Threats // Insider Threats
6/3/2014
08:35 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Researchers: Mobile Applications Pose Rapidly Growing Threat To Enterprises

The average user has about 200 apps running on his smartphone -- and they're not all safe, Mojave Networks study says.

More and more end-users are bringing mobile devices to work -- and more and more applications that could threaten the security of enterprise data, according to data released this week.

In a blog posted Monday, researchers at mobile security firm Mojave Networks said that a detailed analysis of mobile applications running under bring-your-own-device (BYOD) programs in large enterprises indicates that the BYOD phenomenon may pose greater risk than most IT departments know.

The study shows that the average mobile device carries about 200 applications, each of which requires an average of nine permissions in order to operate -- permissions such as the user's personal information, address books, or physical location. With so many applications running, and with each application gaining access to so many stores of information, it's difficult for the IT organization to know who's accessing their corporate data, Mojave says.

"When we first come into a customer site, most of them have no idea what apps their users have installed on their devices, or what their risk exposure might be," says Ryan Smith, lead threat engineer at Mojave. "They are accepting a level of risk on their mobile devices that they would never accept on PCs."

Smartphones contain dozens of apps as part of their operating environments, and users typically add dozens more after they've purchased them, Smith tells us. Each of these applications asks for the right to access certain information -- such as a user's name, phone call history, contact list, or geographic location -- that increases the risk of data leakage or active hacks that could compromise enterprise data.

Mobile advertising libraries are a prime example of this potential risk, Smith writes in the blog:

These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case, the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review.

As part of its study, Mojave analyzed some 11 million URLs that its customers' mobile devices have linked to over the last year. The researchers found that 65 percent of applications downloaded by business users connect to an ad network, and 40 percent of apps downloaded by business users connect to a social network application programming interface. Nearly 80 percent of mobile applications ask their users to link to a third-party resource, such as an ad network, social media API, or a usage analytics API.

"Some apps have a higher risk than others, but almost all of them carry some risk," says Smith.

Mojave collected the data as part of the buildout of its new application reputation service, which was also rolled out Monday. The service enables enterprises to track the apps running on users' BYOD devices and rank them according to the potential risk they represent to the enterprise.

With the application reputation service, according to Mojave, organizations can dissect and analyze the data being collected, stored, or transmitted from mobile applications, enabling them to discover the potential risk of applications in their organizations and create better policies for blocking or restricting the use of risky apps.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4774
Published: 2015-05-25
Cross-site request forgery (CSRF) vulnerability in the login page in IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Software Use Analysis 9 before 9.1.0.2 allows remote attackers to hijack the authentication of arbitrary users via vectors involving a FRAME element.

CVE-2014-4778
Published: 2015-05-25
IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Software Use Analysis 9 before 9.1.0.2 do not send an X-Frame-Options HTTP header in response to requests for the login page, which allows remote attackers to conduct clickjacking attacks via vectors involving a FRAME element.

CVE-2014-6190
Published: 2015-05-25
The log viewer in IBM Workload Deployer 3.1 before 3.1.0.7 allows remote attackers to obtain sensitive information via a direct request for the URL of a log document.

CVE-2014-6192
Published: 2015-05-25
Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix10, 6.0.5 before 6.0.5.6, and 6.0.5.5a before 6.0.5.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-8146
Published: 2015-05-25
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (hea...

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.