Mobile apps that exhibit malicious or undesirable behavior are out there looking for victims.
In December 2018, Google deleted 22 apps from their app store – apps that appeared to contain malware. In January 2019, they deleted a further 28 apps that exhibited undesirable behavior.
Consumers often download apps on blind faith and are consequently particularly vulnerable. And, to be honest, so are business users. Just because a user has a company phone, or uses their own phone for work, does not mean they are immune to the risks associated with using mobile apps. Too many of us simply do not give the level of consideration we should to security, with apps from reputable companies often trusted implicitly.
Individual users, and companies, will pay a high price for this trust.
Businesses understand that the risk of unauthorized access to company data escalates as more users, and more devices, get remote access to company systems. The greater the number of points of access, the greater the vulnerability. Companies understand how to manage risk across the laptop and corporate computing environment, and cybersecurity strategies that comprehensively manage this risk are well established.
However, on company – or personal – phones, cyber-security and risk management policies are often less well thought out. We often do not know how safe an app is, or what risk it presents.
Mobile Device Management (MDM) solutions on a ‘work phone’ go a long way to securing a business’s mobile infrastructure. But we need a way to identify which apps – and what data – present a threat. This is where Mobile Application Management, working stand-alone or together with MDM, can protect sensitive corporate data more effectively.
It’s not what it does, it’s what it can take.
Although we may be aware that an app can exhibit undesirable behavior, we often do not consider – or completely understand – how an app can use data. All applications that coexist on a device that contains corporate data should be evaluated for risk, and the data on that device protected. All too often, there are no checks into the data that apps can access or what they use it for. We take for granted that data is used appropriately, that systems are secure, and that data won’t be lost. However, these things are often not audited. Sadly, people – and companies – often become aware of the importance of mobile data security only after a data breach.
Unauthorized access to valuable company information, including customer data, gained via a mobile app is likely to have a high impact. It comes with the risk of financial penalties and incurred costs and – of most concern – the potential for reputational damage. Regulation, including the General Data Protection Regulation (GDPR), penalizes both unauthorized handling and loss of personal data with high fines – such is the importance of protecting sensitive data.
This is not a theoretical risk. In recent years there have been actual breaches.
Consider an airline app used to book online or download a boarding pass. An employee might use the app to access Wi-Fi in an airport or amend a flight booking while travelling. They probably wouldn’t give a second thought to using the airline’s app. Yet by the time they’ve sat down to a cup of coffee, their – and their company’s – highly sensitive data could have been compromised. It’s happened twice in recent years, and in both cases the apps of well-known airlines were responsible for data breaches that impacted thousands of people.
The real threat to data
We invariably underrate the scale of the threat and the value of the data on our devices. After all, it is only natural to consider physical or property security above data security. In 2017, there were (only) 116,540 cases of burglary in Germany. Yet in a similar period, 50% of internet users in Germany became victims of cybercrime. Everyone worries about their home being vulnerable when they leave it. But do we give the same consideration to the risk of data theft?
Significant security risks arise from a lack of awareness of app security, but levels of understanding of those risks and their consequences are too low. Raising awareness among employees is therefore the critical first step. The question then becomes, how do individuals and businesses protect themselves?
Simply asking, “Can I trust this app?” before each download is insufficient, because we only answer this based on the things we think we understand, without detailed analysis.
Securing enterprise mobility platforms
Mitigating the risks that downloads can pose to personal and professional data requires solutions such as APPVISORY’s Mobile Application Management: a comprehensive, fully automated solution that carries out risk analyses for public and internal company apps. It works in conjunction with Avira’s anti-malware solutions to scan all applications and data to establish whether they present a security risk (Application Reputation Management). APPVISORY’s solutions allow companies to enforce their individual IT guidelines. They also help businesses comply with the European General Data Protection Regulation on their mobile devices.
Partnering with Avira allows APPVISORY to focus on building a complete solution that delivers:
- Static and dynamic application security testing, including the identification of malware
- Detailed scanning of applications and updates including third party libraries, server connections and data access
- Semi-automated expert analysis by experienced app security analysts.
Apps that fail APPVISORY’s security checks are removed from devices and the corporate network by the MDM system. Decisions can take into account the organization’s individual compliance policies.
By partnering with the right experts, companies can manage and secure the mobile workplace with automatic solutions that point out risks and alternatives in real time. It’s what we all want in our business: a mobile professional life in which dangers are excluded systematically and secure alternatives for insecure apps are provided.
A free demo of the APPVISORY solution is available.