I recently became acquainted with a guy who owns a company that’s successfully selling solutions to harden mobile applications. He walked me through integrations with many global organisations within many industries, notably banking and entertainment apps. The aim of his solution is to close off exploitable weaknesses in the binary and throughout the application to render it ‘hacker proof’. His examples included some of our household banking apps that are using his company’s services to protect their apps from unauthorised access, whilst entertainment vendors want to be sure nobody could leverage any exploit to stream video content that they were not entitled to.
Throughout his explanation he kept pushing the concept onto me, but in the back of my mind I couldn’t fathom how this would apply to the people and businesses that I work with as I primarily focus on mobility for the enterprise, including applications that would cater for internal staff rather than worldwide consumers.
‘A third of large companies don’t test their apps at all’
However, during the week I was made aware of a new IBM-sponsored study that looked at the state of mobile security across some of the largest global and Fortune 500 companies that are developing consumer and internal applications through multiple industries and the results were pretty scary.
The Ponemon Institute carried out the study and they state that 40 percent of large companies are doing a bad job or nothing at all to protect their consumer applications, some of which are processing highly sensitive data in industries such as pharmaceuticals and finance. It turns out this is a result of 50 percent of these companies setting zero budget for mobile security, and therefore they’re only testing half the apps they build - but what I found even more surprising is that 33 percent of these companies don’t test their apps at all.
The BYOD risk
Weak apps are a hacker’s dream, and in 2014 alone we saw hackers compromising personal information from one billion users’ phones, largely through insecure applications. What makes this worse for businesses is that if they have adopted a bring your own device (BYOD) policy, they can’t really control what applications are on the end user’s device (and rightly so!), because a BYOD strategy is one where employees buy the devices to own personally and IT simply plugs in corporate content in a secure way (this is different from a corporate-led strategy where the business owns the device and is therefore able to dictate the content entirely).
In most instances, a hacker would break open an application, inject it with malware and dump it on a shady, third-party app store, leaving Android users particularly vulnerable as they’re able to install applications from untrusted sources, whilst iOS requires a jailbreak before a user can start pulling content from Cydia (an alternative to Apple’s App Store for jailbroken devices).
However, as IBM and Ponemon have discovered, there are a whole bunch of apps on the legitimate stores that are riddled with vulnerabilities too. My favourite case study, ‘IBM Security Finds Over 60 Percent of Popular Dating Apps Vulnerable to Hackers’, explains that 26 of the top 41 dating apps on Google Play had medium to high security vulnerabilities. While users become more comfortable sharing more and more personal information through bios and messages, it’s important to note that the apps will often have permission to access GPS location (hackers can leverage vulnerabilities to learn where you are, where you’ve been… where you live!), camera and microphone access, and mobile wallet/billing information (poor coding leaves credit card details vulnerable).
These reports definitely make it clear why the man I met was so successful with his company – there is a whole lot of vulnerability out there and it’s dangerous to businesses. The problem is IT won’t have any idea how safe these public applications really are, so whilst they’re doing all they can to secure the corporate content on their BYO-Devices, there is a massive risk that some other unmanaged personal application is doubling up as a backdoor into the device and potentially all the corporate data too.
The best way to protect your business? Use a mobile threat management tool to scan for vulnerabilities, app reputation and mobile malware, then create automated rules to quarantine infected or risky devices. If you’re considering a BYOD strategy, mobile security (as most of my meetings have been discussing) should be way up there on your priorities.
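To make the last two points concrete, here is an added example (my own illustration, not code from the post or from any mobile threat management vendor) of the kind of automated rules such a tool would apply to a device inventory. It checks the signals the post describes: a rooted or jailbroken device, sideloading enabled, an app whose signing certificate no longer matches the legitimate publisher (the repackaged-app pattern), low app reputation, and poorly rated apps holding location, camera or microphone permissions. The device records, installer identifiers, certificate fingerprints and the 0-100 reputation scale are all constructed assumptions for the example.

```python
"""Added example: quarantine rules over a constructed mobile device inventory.
Not the post's or any vendor's code; all data below is made up for illustration."""
from dataclasses import dataclass

# Assumed installer identifiers for the official stores (constructed labels).
OFFICIAL_STORES = {"com.android.vending", "com.apple.appstore"}

# Assumed corporate allow-list: package name -> expected signing-cert fingerprint.
# The fingerprint is a constructed placeholder, not a real publisher certificate.
KNOWN_SIGNERS = {"com.example.bank": "SHA256:PLACEHOLDER-BANK-SIGNER"}

SENSITIVE_PERMISSIONS = {"ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO"}
QUARANTINE_KINDS = {"rooted_or_jailbroken", "repackaged_app", "low_reputation"}


@dataclass
class App:
    package: str
    installer: str      # identifier of the store/process that installed the app
    signer: str         # fingerprint of the signing certificate
    reputation: int     # assumed 0-100 score from the threat-intelligence feed
    permissions: tuple


@dataclass
class Device:
    device_id: str
    rooted: bool            # rooted (Android) or jailbroken (iOS)
    unknown_sources: bool   # sideloading from untrusted sources enabled
    apps: list


def app_findings(app):
    """Return (kind, detail) findings for a single installed app."""
    findings = []
    expected = KNOWN_SIGNERS.get(app.package)
    if expected and app.signer != expected:
        # Same package name, different signer: classic repackaged/trojanised app.
        findings.append(("repackaged_app", app.package))
    if app.installer not in OFFICIAL_STORES:
        findings.append(("sideloaded_app", app.package))
    if app.reputation < 40:
        findings.append(("low_reputation", app.package))
    sensitive = SENSITIVE_PERMISSIONS & set(app.permissions)
    if app.reputation < 70 and sensitive:
        detail = f"{app.package}:{','.join(sorted(sensitive))}"
        findings.append(("risky_permissions", detail))
    return findings


def evaluate(device):
    """Apply the rules to one device; return (action, findings)."""
    findings = []
    if device.rooted:
        findings.append(("rooted_or_jailbroken", device.device_id))
    if device.unknown_sources:
        findings.append(("unknown_sources_enabled", device.device_id))
    for app in device.apps:
        findings.extend(app_findings(app))
    kinds = {kind for kind, _ in findings}
    if kinds & QUARANTINE_KINDS:
        action = "quarantine"   # block corporate content until remediated
    elif findings:
        action = "warn"         # notify user/IT, keep access for now
    else:
        action = "allow"
    return action, findings


# Constructed sample inventory (three hypothetical BYOD devices).
SAMPLE_DEVICES = [
    Device("dev-1", rooted=False, unknown_sources=False, apps=[
        App("com.example.bank", "com.android.vending",
            "SHA256:PLACEHOLDER-BANK-SIGNER", 95, ("INTERNET",)),
    ]),
    Device("dev-2", rooted=False, unknown_sources=True, apps=[
        # Bank app pulled from a third-party store and re-signed by someone else.
        App("com.example.bank", "com.thirdparty.store",
            "SHA256:PLACEHOLDER-UNKNOWN-SIGNER", 80, ("INTERNET",)),
    ]),
    Device("dev-3", rooted=False, unknown_sources=True, apps=[
        # Middling-reputation dating app holding location and camera access.
        App("com.example.dating", "com.android.vending",
            "SHA256:PLACEHOLDER-DATING-SIGNER", 55,
            ("INTERNET", "ACCESS_FINE_LOCATION", "CAMERA")),
    ]),
]


def run_inventory(devices=SAMPLE_DEVICES):
    """Map every device id to the action the rules decide."""
    return {d.device_id: evaluate(d)[0] for d in devices}


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        action, findings = evaluate(dev)
        print(dev.device_id, action, findings)
```

The thresholds and the split between "quarantine" and "warn" are policy choices; the useful part is that a signer mismatch on a known app is treated as a hard stop regardless of where the app claims to come from, because that is the signal a repackaged binary leaves behind even when it lands on a legitimate-looking store.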