Mobile Phone Apps Insecurity
The average enterprise has about 2,400 unsafe apps on the mobile devices in its environment
- The average large global enterprise has about 2,400 unsafe apps on the
mobile devices in its environment, according to a new study from mobile
security vendor Veracode.
- The firm analyzed more than 400,000 of the most popular applications
available in Apple and Google app stores and found that 14,000 of them,
or about 3 percent, have security problems.
- For example, 85 percent of the 14,000 unsafe apps expose sensitive data such as location, contacts, and text messages.
- And 35 percent access such personal information as browser histories and then send it to suspicious overseas locations. Some go further.
- About 37 percent perform suspicious activities, such as
checking whether a device is rooted or jailbroken, disabling malware,
or running other programs.
- Many users have become complacent because adware and its close cousin,
spyware, have become quite common, especially in popular free
- "When they're free, the user is the product," said Theodora Titonis, VP of mobile at Boston-based Veracode.
- But some applications take this much too far, she said. "When you pull
up a flashlight app, for example, and it's sending a considerable amount
of data to locations around the world."
- "We've seen these apps," she said. "We've notified the appropriate parties."
- Meanwhile, these apps are in the stores, and are being downloaded, she
said. But, more importantly for enterprises, they're ending up on
- She provided an example of one app in the database, the Lazy Listen
audiobook app for Android phones, available through the Google Play
store. It's a free Chinese-language app, with between 500,000 and one
million installs, from Shenzhen's Oneline Technology Co., Ltd.
- The app has the ability to know when phone calls are coming in, to send
text messages, to record audio, to read the root file system, to track the
user's location, to check if the device has been rooted, and to get
identifying information about the user, the device and its carrier.
- "The behavioral analysis shows that this information is not used to improve the customer experience," said Titonis.
- Instead, the information can be transmitted back to the parent servers
and sold as a way of monetising the app, potentially to unknown and
untrusted third-party data brokers.
- Veracode's cloud-based mobile app security application is available
through mobile device management (MDM) vendors, such as VMware's AirWatch,
MobileIron and IBM's Fiberlink.
- See also mobile device malware protections at the following link: http://www.av-test.org/en/antivirus/mobile-devices/
- Veracode's application allows companies to automatically blacklist apps that fail the security assessment, for example, or even go further.
- "They can alert the user that there's an unsafe app, or limit access to
corporate email, or even wipe a device if the application poses that
much of a risk to the enterprise," Titonis said.