Vulnerabilities / Threats // Insider Threats
6/3/2014
08:35 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Researchers: Mobile Applications Pose Rapidly Growing Threat To Enterprises

The average user has about 200 apps running on his smartphone -- and they're not all safe, Mojave Networks study says.

More and more end-users are bringing mobile devices to work -- and more and more applications that could threaten the security of enterprise data, according to data released this week.

In a blog posted Monday, researchers at mobile security firm Mojave Networks said that a detailed analysis of mobile applications running under bring-your-own-device (BYOD) programs in large enterprises indicates that the BYOD phenomenon may pose greater risk than most IT departments know.

The study shows that the average mobile device carries about 200 applications, each of which requires an average of nine permissions in order to operate -- permissions such as the user's personal information, address books, or physical location. With so many applications running, and with each application gaining access to so many stores of information, it's difficult for the IT organization to know who's accessing their corporate data, Mojave says.

"When we first come into a customer site, most of them have no idea what apps their users have installed on their devices, or what their risk exposure might be," says Ryan Smith, lead threat engineer at Mojave. "They are accepting a level of risk on their mobile devices that they would never accept on PCs."

Smartphones contain dozens of apps as part of their operating environments, and users typically add dozens more after they've purchased them, Smith tells us. Each of these applications asks for the right to access certain information -- such as a user's name, phone call history, contact list, or geographic location -- that increases the risk of data leakage or active hacks that could compromise enterprise data.

Mobile advertising libraries are a prime example of this potential risk, Smith writes in the blog:

These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case, the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review.

As part of its study, Mojave analyzed some 11 million URLs that its customers' mobile devices have linked to over the last year. The researchers found that 65 percent of applications downloaded by business users connect to an ad network, and 40 percent of apps downloaded by business users connect to a social network application programming interface. Nearly 80 percent of mobile applications ask their users to link to a third-party resource, such as an ad network, social media API, or a usage analytics API.

"Some apps have a higher risk than others, but almost all of them carry some risk," says Smith.

Mojave collected the data as part of the buildout of its new application reputation service, which was also rolled out Monday. The service enables enterprises to track the apps running on users' BYOD devices and rank them according to the potential risk they represent to the enterprise.

With the application reputation service, according to Mojave, organizations can dissect and analyze the data being collected, stored, or transmitted from mobile applications, enabling them to discover the potential risk of applications in their organizations and create better policies for blocking or restricting the use of risky apps.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.