5 riskiest mobile apps


Unsanctioned software and applications running on corporate mobile devices are a security nightmare. They range from apps that meet genuine business needs (commonly referred to as shadow IT), such as downloadable messaging and file-sharing apps used for efficient remote communication with colleagues or for managing corporate documents, to apps used for non-work-related lifestyle or entertainment purposes such as socializing, fitness, gaming, and watching sports.

“Unmanaged, personal apps on corporate devices introduce numerous vectors and vulnerabilities for exploitation, including avenues for data exfiltration, cyberattack, surveillance of employee activity from a malicious third party, and so many other things that we see as potential risks to organizations,” Steve Turner, security and risk analyst at Forrester, tells CSO. “These apps aren’t vetted by the organization and can expose employees to a variety of different data, privacy, and other policies that they’ve inadvertently agreed to by downloading and using them.”

The risks posed to businesses by unsolicited apps have intensified since the outbreak of the COVID-19 pandemic and subsequent move to mass remote working, says Kelvin Murray, senior threat researcher at Webroot. “With fewer face-to-face meetings and interactions, employees are looking for new methods to communicate without the formality of an email or Teams call,” he says. “However, with new attack tactics, exploits, and tools emerging through unsolicited apps, mobile devices and apps have never posed as great a threat to organizations as they do now.”

Murray says users tend to disbelieve that cybercriminals will target them, but these apps often request a lot of access to personal information or integration with privileged accounts. “They can be quite effective threat vectors for cunning attackers.”

Popular attacks on mobile devices include remote access Trojans (RATs) and man-in-the-middle (MITM) attacks for accessing user data or eavesdropping, ransomware for restricting access to devices, and fake certificates for side-loading malicious apps, adds Dominic Grunden, CISO at financial service platform Wave Money.

Seemingly genuine and trustworthy apps and app stores can be anything but. For example, Turner points to applications that pose as one thing, get approved into Apple’s and Google’s walled-garden stores, and turn out to be something far more malicious, such as calculator apps that are in fact file transfer mechanisms.

Likewise, it’s not unheard of for trusted app stores such as Google Play to contain apps riddled with malware, points out Paul Holland, principal research analyst at the Information Security Forum (ISF). Even the legitimate TikTok app was caught out last year capturing copy buffer (clipboard) data from Apple devices when it shouldn’t have been, adds Murray. While the social networking service has since stopped capturing such data, it is an example of the hidden risks such apps can pose if they are not carefully vetted.

Most concerning of all, new cloud threat research from Netskope discovered that 97% of cloud apps used in the enterprise are unmanaged and often freely adopted. Businesses clearly need to be doing much more to vet which apps employees use on work devices.

So, what unauthorized app types should be highest on a CISO’s risk list and why? Here’s what security experts say.

1. Social media and messaging apps

Probably the most commonly found app types on company-owned devices, social media and messaging apps can cause significant security and privacy headaches for security leaders. “Social media apps have been guilty of tracking what you do across your device, websites you visit, locations you go to, and so much more,” warns Turner. Grunden concurs, citing the likes of Facebook, which is known to have suffered from security holes and vulnerabilities, privacy troubles, and confidential information leaks in the past.

“I also wouldn’t want to see social media apps from outside of the countries that my company is doing business in,” says Turner. “Apps from other countries on a device opens up the doorway/pathway for violating privacy and data retention laws and regulations as they could be potentially utilized for conducting business, malicious insiders exfiltrating data, or malicious actors using the apps to exfiltrate data or compromise a device via a backdoor or zero day.”

Turner notes that some countries require everything to go through the central government. “Is it worth exposing your company’s device to those risks when they don’t even do business in that country?” he asks.

China-based apps are a particular concern for Grunden. “There is not much that needs to be said regarding the inherent security and cyber risk there as apps developed and sourced out of China tend to have backdoors, malicious code, and [they] expose an enterprise’s sensitive data.”

Regarding the security issues surrounding messaging apps, a prevalent issue is that popular services such as WhatsApp, Signal, and Telegram are vendor-hosted, centralized consumer-grade apps. “That means employees’ work-related discussions are sucked onto the app’s servers, leaving the company with no control over how its data is stored or managed and potentially subject to data mining and exfiltration,” says Amandine Le Pape, co-founder of Matrix.org, a not-for-profit open-source project working towards a decentralized IP messaging and VoIP ecosystem for the internet. “Moreover, there’s no formalized moderation and no way to ensure discussion groups are inclusive or contain all relevant parties. Worse, there’s no control around deprovisioning someone who leaves the organization nor auditing, which leads to unaccountable decision-making.”

Security leaders should indeed be concerned if employees are conducting business via consumer- rather than enterprise-grade collaboration and messaging apps, something the UK’s Financial Conduct Authority warned against in January this year.

2. Remote access and cloud storage apps

Amid the migration to mass remote working over the last 18 months, use of remote access and cloud storage applications has grown significantly as organizations and employees have sought out new ways to work securely and efficiently. However, Turner warns of the risks such tools pose to organizations if they find their way onto corporate devices. “I’d never want to find any kind of alternative remote access or cloud storage solution installed on my corporate devices. That just screams data exfiltration,” he tells CSO.

Unwarranted remote access apps can redirect all network traffic on a device to an unknown server/VPN/remote access infrastructure, where all company app traffic is now flowing and potentially being collected or analyzed by a third party. “Whether it’s credentials, authentication tokens, etc., it’s all up for grabs in that scenario,” Turner says.

Likewise, alternative cloud storage solutions can be configured to automatically back up files, photos, and other data on your device to them. “If your job is to work with files and photos locally on your device, this is another scenario where data can purposely or inadvertently be stored elsewhere, not protected by your company’s security solutions,” Turner explains. Attackers can use those same apps, configured to their own accounts, to obtain a copy of the data you’re working with on your device. “All this exposes organizations to potential compromise and data breach incidents by harvesting credentials, sensitive data being exfiltrated and stored improperly, etc.”

These risks will continue to increase for many reasons if left unchecked, says Grunden, including ongoing remote working and the widespread use of apps like Office 365 or Dropbox to share information within organizations, among partners, and with customers.
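The two mechanisms described in this section (a VPN-capable app that can route all device traffic elsewhere, and a storage app with broad file access that can sync local data to a third-party account), together with the side-loading risk mentioned earlier, are the kind of thing a defender can triage from an MDM inventory export. The following script is an added example, not code from the article or from any vendor quoted in it. It assumes an export in which each record carries the package name, the installer that placed it, and the Android permissions it declares; the record field names, the allowlist and all sample data are constructed for illustration. The three Android identifiers used as heuristics are real: BIND_VPN_SERVICE guards an app's VpnService, MANAGE_EXTERNAL_STORAGE grants broad shared-storage access, and com.android.vending is the Google Play installer package.

```python
"""Defensive triage of a mobile app inventory export (added example).

Flags apps that are not on the corporate allowlist and that either can act as a
VPN (redirecting all traffic), can read all shared storage (syncing files
elsewhere), or were not installed through the Play store (side-loaded).
"""
import json
from collections import defaultdict

# Real Android identifiers used as heuristics.
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"          # app implements a VpnService
ALL_FILES_PERMISSION = "android.permission.MANAGE_EXTERNAL_STORAGE"  # broad file access
PLAY_STORE_INSTALLER = "com.android.vending"                    # Google Play installer

# Packages the organization has sanctioned (constructed allowlist; the
# com.example.* names are hypothetical corporate clients).
SANCTIONED = {
    "com.example.corpvpn",
    "com.example.corpdrive",
    "com.android.chrome",
}


def assess_app(record):
    """Return the list of risk tags for one inventory record (empty if none)."""
    tags = []
    if record["package"] in SANCTIONED:
        return tags                      # sanctioned apps are expected to hold these rights
    perms = set(record.get("permissions", []))
    if VPN_PERMISSION in perms:
        tags.append("unsanctioned-vpn")  # could redirect all traffic to a third party
    if ALL_FILES_PERMISSION in perms:
        tags.append("unsanctioned-storage")  # could copy local files to another account
    if record.get("installer") != PLAY_STORE_INSTALLER:
        tags.append("sideloaded")        # did not arrive via the managed store path
    return tags


def triage(inventory_json):
    """Parse an export and group findings as {device: {package: [tags]}}.

    Devices and apps with no findings are omitted from the result.
    """
    findings = defaultdict(dict)
    for record in json.loads(inventory_json):
        tags = assess_app(record)
        if tags:
            findings[record["device"]][record["package"]] = tags
    return dict(findings)


# Constructed sample export: field names and values are illustrative only.
SAMPLE_INVENTORY = json.dumps([
    {"device": "dev-001", "package": "com.example.corpvpn",
     "installer": PLAY_STORE_INSTALLER, "permissions": [VPN_PERMISSION]},
    {"device": "dev-001", "package": "com.example.freevpn",
     "installer": PLAY_STORE_INSTALLER,
     "permissions": [VPN_PERMISSION, "android.permission.INTERNET"]},
    {"device": "dev-002", "package": "com.example.photobackup",
     "installer": None, "permissions": [ALL_FILES_PERMISSION]},
    {"device": "dev-003", "package": "com.android.chrome",
     "installer": PLAY_STORE_INSTALLER,
     "permissions": ["android.permission.INTERNET"]},
])


if __name__ == "__main__":
    for device, apps in sorted(triage(SAMPLE_INVENTORY).items()):
        for package, tags in apps.items():
            print(f"{device}: {package} -> {', '.join(tags)}")
```

Run on the sample export, the sanctioned VPN client on dev-001 is ignored while the second VPN-capable app on the same device is reported, and the side-loaded backup app on dev-002 is reported for both its storage reach and its install path. In a real deployment the allowlist would come from the MDM's managed-app catalogue rather than a literal in the script, and the findings would feed a ticket or a compliance policy rather than stdout.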

3. Security tool apps

On some Windows 10 machines it is possible to download software from the Microsoft Store without administrator privileges, points out Holland. This creates the risk of users installing and running unauthorized, sophisticated security tools that should only be used by those in specialist roles.

Unauthorized users that play with security tools such as Wireshark or Kali Linux may have no idea of the damage they could cause to an organization, says Baird. “While the tools are legal, unauthorized use is not. Users could use the…
