Mobile App Mismanagement

October 20, 2017 Emily Davidson

As mobile device usage intensifies, the number of related security threats grows at a staggering rate – most of them targeting iOS and Android devices. The reason is simple: in 2015, users downloaded more than 300 billion iOS and Android apps.

According to the Annual Threat Report on Advanced Targeted Attacks by Mandiant, attackers spend an estimated 243 days on a victim’s network before being discovered.

Few users are as vigilant on their phone or tablet as they are with their PC or laptop, since for many years almost no malware targeted mobile apps. Until recently, users did not worry about downloading infected software, and in-house app stores checked applications for malware and viruses prior to release. Today, hackers have discovered all kinds of avenues of attack into the mobile universe.

Once accessed, smartphones offer a treasure trove of personal information: social security numbers, bank information, logins and passwords, pictures of user IDs, bank documents, and confidential business information that are ripe for the picking.

It has never been easier to acquire so much data with a single breach.

Few users read a word of the Terms of Service and simply install the app. In some cases, this means they are handing complete control of their phone to an unknown attacker.

IDC predicts that IT organizations will dedicate at least 25 percent of their software budgets to mobile application development, deployment and management by 2017.

Take flashlight apps, for example. By installing one, users handed over access to contacts and pictures, and allowed outsiders to modify system settings and to receive data from the Internet. Most apps request more access than they need, of course, because they are designed to acquire consumer information.
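The over-permissioned flashlight app above is the kind of thing an enterprise app-vetting step can catch mechanically. The following is an added example (not code from the original article or from any vendor mentioned in it) that parses a constructed AndroidManifest.xml and reports every permission outside an assumed baseline for a flashlight app; the baseline and the "sensitive" labels are this example's own policy, not Android's protection levels.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace (Clark notation for ElementTree).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest, modelled on the flashlight app described in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Assumed baseline: a torch only needs the camera flash, so CAMERA is the one expected permission.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA"}

# Permissions that expose user data or system control; this grouping is the example's own.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "pictures and files",
    "android.permission.WRITE_SETTINGS": "system settings",
    "android.permission.INTERNET": "data from the Internet",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_permissions(manifest_xml, baseline):
    """Map each permission outside the baseline to a reason string for the reviewer."""
    excess = requested_permissions(manifest_xml) - baseline
    return {perm: SENSITIVE.get(perm, "not in baseline") for perm in sorted(excess)}


if __name__ == "__main__":
    for perm, reason in audit_permissions(SAMPLE_MANIFEST, FLASHLIGHT_BASELINE).items():
        print(f"REVIEW {perm}: grants {reason}")
```

In practice the baseline would come from the app's stated purpose in the vetting request, and any non-empty audit result blocks distribution until the developer justifies or removes the permission.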

But it is not just user apps that are at fault. Too many companies exhibit a casual attitude when creating their own apps. The Ponemon Institute recently released a report entitled The State of Mobile Application Insecurity. Researchers found that, on average, businesses test less than half of the mobile apps they build. Thirty-three percent of companies never test apps to ensure they are secure before deployment.

In a BYOD world, therefore, a multi-level security framework is required to separate personal and enterprise data, distribute enterprise apps, keep them updated (in terms of functionality and security) and provide secure web access. Such a framework should also include analytics.

For businesses, there is a growing mountain of unstructured data in endless numbers of repositories at both the device and enterprise level. With that in mind, every app must go through a process of security testing to identify any and all vulnerabilities. Testers should verify that all application data is encrypted. In addition, robust authentication procedures as well as access controls for enterprise systems must be in place. That way, even if a hacker gains entry into one device, it does not provide a pathway to data beyond that individual’s pay grade. Testing must confirm that everything is secure before any app is distributed.

An enterprise-grade security platform must be able to detect anomalies in network and application traffic patterns in their early stages in order to root out encroachments before they develop into a serious breach.

The platform must have the capacity, performance and speed to isolate individual threats within vast oceans of data, countless logs and databases within the enterprise.

The appearance of the Internet of Everything means that connected devices can now access each other. Without secure policies in place, attackers have the ability to access connected cars, appliances, lighting, video surveillance systems and, in some cases, software-controlled industrial machinery.

There is no question that mobile devices pose an unrelenting risk for the organizations concerned. However, the answer is simple: IT teams must take a holistic approach to securing devices, mobile productivity applications and the access and fraud concerns that come along with them. Once a device-level policy is in place, IT needs to underpin it with an additional layer of visibility through security intelligence. Only by addressing all of these areas can a company truly deploy a comprehensive mobile strategy and protect the assets and reputation of the enterprise.

A very fast way to configure devices for enterprise access is to employ a fully integrated cloud platform, like IBM’s MaaS360 solution, that is able to start enrolling devices in just a few clicks.

By 2016, the number of smartphone users worldwide will surpass two billion and the number of mobile downloads per year will eclipse 268 billion.
