A review of mobile application security has revealed that a high percentage of the 150 most common iOS and Android apps on enterprise devices exhibit data leakage and privacy-invasive behaviors.
According to Appthority's Q1 2016 Enterprise Mobile Threat Report, these popular mobile apps exhibit riskier behavior than apps in the enterprise overall, including leaking data, tracking private information and being able to alter device configurations.
“It’s very alarming to find that the 150 most common apps on enterprise devices show high-risk user surveillance behaviors,” said Domingo Guerra, president and co-founder of Appthority. “Every time we analyze the top apps in the enterprise we discover significant threats such as third-party access to calendars, corporate address books and text archives to be prevalent in mobile apps.”
Such surveillance data is effectively reconnaissance: it can be used to launch increasingly effective spear phishing attacks, which puts the enterprise at risk of a major breach. Private user data is accessed and harvested by third parties through apps that track location and read contacts and calendars. This is often facilitated by employees themselves, who tap through a new app's permission prompts as quickly as possible, or who respond to seemingly legitimate meeting requests or attachment downloads crafted from the harvested information.
The report also found that malware is now reaching the Apple App Store. New mobile threats such as Quicksand, XcodeGhost, YouMi and MobiSage mean employees can unknowingly download risky applications from the App Store. Notably, several of these did not depend on an obviously malicious app: XcodeGhost shipped inside otherwise legitimate apps built with a trojanized copy of Xcode, and YouMi and MobiSage were third-party advertising SDKs embedded in legitimate apps, which is why the affected apps passed App Store review.
“Further, with app stores under no regulatory obligation to inform users of apps that have been removed from the store, these revoked ‘zombie apps’ can live on in enterprise environments, leaving the door wide open for cyber-criminals to leverage vulnerabilities and access sensitive data,” the report noted.
Android, however, is still riskier to the enterprise, and Android users tend to have more apps per device. More than 88% of Android apps on enterprise devices exhibit data leakage behaviors, compared with about 50% of iOS apps.
“Our latest research confirms that iOS malware is now mainstream,” said Guerra. “Though Android apps continue to be more risky to the enterprise, four major breaches in as many months have proven that iOS is no longer immune to mobile malware. Using mobile apps to gather reconnaissance information for enterprise spear phishing purposes is another fear realized.”
Appthority's findings align with trends identified by independent research firms. Forrester predicts that employee use of mobile apps will surge, doubling compared with last year. At the same time, Gartner predicts that 75% of mobile security breaches will be traced to mobile apps by 2017.
“Whereas Gartner predicts a 75% rate by 2017, we believe that the trend may have already begun,” said Guerra. “It underscores the need for every version of every app on every mobile device to be subject to automated app scanning, continuous and dynamic monitoring, and policy controls.”