Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/25/2015
09:05 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Game App Embarrassment Illustrates Bring Your Own Device (BYOD) Risk for Enterprises, According to New Flexera Software/IDC Survey Report

Most enterprises are not testing mobile apps for risky behaviors that could invite hidden, 'back-door' security risk and reputational damage

Itasca, Ill. – March 24, 2015 – When the Kim Kardashian Hollywood game app, which an Environmental Protection Agency (EPA) employee was playing on her mobile work phone, tweeted out to the EPA’s 52,000 Twitter followers without her knowledge, “I’m now a C-List celebrity in Kim Kardashian: Hollywood. Come join me…,” Chief Security Officers everywhere shuddered.  And rightly so.  According to a new report, The BYOD Trojan Horse: Dangerous Mobile App Behaviors & Back-Door Security Risks prepared jointly by Flexera Software and IDC, enterprises are not doing nearly enough to understand which mobile app behaviors hitting their networks and data are risky, nor are they testing apps for those risky behaviors to ensure proper enforcement of their BYOD policies.

 The report provides a sobering wake up call to enterprises, underscoring that BYOD risk doesn’t just arise from malicious hackers and rogue nations.   Threats to data and security are hidden, as in a Trojan horse, in the most innocuous-seeming apps that employees can unwittingly unleash on the enterprise, like a flashlight app that illegally transmits user data to advertisers, or common banking apps capable of capturing device logs, accessing contacts lists, reading SMS messages or even installing packages on the phone.  Among the report’s findings: 

·  Enterprises Are Broadly Adopting BYOD Policies: 48 percent of enterprises have already or are in the process of implementing BYOD policies, and another 23 percent plan on doing so within two years.

·  Data Security Is a Pervasive Challenge: 71 percent of enterprises said data security counts among their biggest challenges when implementing BYOD policies.

·  Blocking Risky Apps Is a Priority: 47 percent of respondents say they’re instituting policies that block risky app behaviors to mitigate mobile app security risks. Another 22 percent plan on doing so within two years.

·  Enterprises Are Failing to Identify Risky App Behaviors: Despite concerns about security and blocking risky apps, most organizations – 61 percent – have not even identified which app behaviors they deem risky (i.e. Ability to access social media apps like Twitter, apps that report back user data to app producer, etc.).

·  Enterprises Are Also Failing to Identify Apps They Deem Risky:  A majority of organizations – 55 percent – have not identified specific mobile apps that exhibit risky behaviors that would violate their BYOD policies.

·  BYOD Policies Are Not Reducing Enterprises’ Security Risks: Only 16 percent of respondents report that their BYOD policies are resulting in lower enterprise application risk.

“BYOD policies are critical to organizations seeking to maximize the value and minimize the risks they encounter by integrating mobile devices and apps within their infrastructures, because these policies define the behaviors that are and are not acceptable,” said Robert Young, Research Manager, End Point Device & IT Service Management and Client Virtualization Software, IDC. “But BYOD policies are inadequate if appropriate enforcement mechanisms are not put into place and followed.”

“Most organizations already have strong processes to test and remediate traditional desktop, virtualized and cloud based applications to make sure they’re safe and reliable.  But as the report indicates, enterprises have not extended these Application Readiness best practices to mobile apps,” said Maureen Polte, Vice President of Product Management at Flexera Software.  “These same processes can and should be extended to mobile apps to ensure that risky app behaviors and apps are identified and appropriate measures are taken to contain those risks.” 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.