The rise of the App Economy and Bring Your Own Device has meant an uncontrolled explosion of apps inside the enterprise.
IT departments often know nothing of the apps, have little opportunity or access to test them and therefore cannot do a valid risk assessment. For many companies, the risk of losing data or getting hacked is greater from insecure mobile apps than is it from external hackers.
US company Veracode has now released some analytics from its cloud-based platform around the mobile applications that have been submitted to it for testing.
According to its own tests, over 14,000 applications were deemed unsafe and when Veracode looked deeper into who had submitted them, it came up with the conclusion that over large enterprises have approximately 2,400 unsafe applications in their environment.
Veracode has released some detail around the types of risk it has detected:
- 85 per cent expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
- 37 per cent perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
- 35 per cent retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.
Veracode were unable to share the raw data so that we could validate the various risks. However, they did provide us with the following statement about how they obtained details of the applications and their methodology:
"We analysed a pool of 400,000 applications installed on employee devices in multiple global enterprises. The applications we analysed were from both iOS and Android devices managed by the organisation’s MDM system.
"The applications were commercially available from public app stores (such as game, weather and camera apps) as well as specific enterprise applications, although the vast majority are from the former. Specifically, we used the following methodology:
- "The MDM systems sent a list of installed apps to the Veracode platform, and the apps were then analysed using our platform. These are applications that were actually installed on managed mobile devices in the enterprises. This is unlike other approaches that only examine the top apps available in public app stores.
- "The applications were analysed using our static and behavioural analysis technology. This identified risky behaviours and capabilities in the applications, compared them to risk profiles for hundreds of thousands of mobile applications that have previously been analysed using the Veracode platform, and assigned them a risk score based on a machine learning algorithm. The 14,000 “dangerous/unsafe apps” metric comes from this risk score."
Of all three numbers above, the most worrying is the number of jailbroken devices that are entering enterprises. This is not just an Android problem. Apple users have been hit by a number of malware attacks on jailbroken devices recently.
There is also plenty of evidence from security companies that such devices are an easy route to installing malware onto devices and from there, into the enterprise.
Surprisingly, there were no Microsoft applications submitted for checking which suggests that it is still failing badly to establish itself in the enterprise mobile device arena.
Another issue here is the failure of platform providers, especially those with social media platforms, who refuse to tighten up the controls on access to personal data by third-party app providers.
Despite calls for what is known as "basic information" to be more heavily restricted and users to have the ability to further restrict what access apps can have, platform vendors are concerned that this would reduce their attractiveness to advertisers and app developers.
So far, governments have chosen not to try and control the app market for fear of job losses and stifling innovation.
This survey shows that it is now time for regulators to take a closer look even if it is only to provide users with greater privacy and protection of their data.