BYOD Security Alert: Enterprises Are Playing Russian Roulette with Mobile Apps

By Vincent Smyth, Senior Vice President EMEA, Flexera Software

As businesses roll out their BYOD strategies, most CIOs and CEOs have no idea that many of the mobile apps allowed to touch corporate systems and data engage in risky behaviours that could compromise data security and policy. This danger was underscored recently when the free iOS Flashlight app secretly recorded personal user information such as the phone's location and details of the owner, and sent it on to advertisers.

In fact, an alarming percentage of mobile apps being used within the enterprise are able to access sensitive device functions, or otherwise exhibit behaviour that may pose security risks to the organisation and violate its Bring Your Own Device (BYOD) policies. Without understanding what these apps do and how, organisations are playing Russian roulette with their security.

When are “Harmless” Apps Akin to a Bullet in the Chamber?

Forget hacker threats and malicious software for a moment. Seemingly harmless, everyday apps that abound on every employee’s mobile device could serve as that unexpected bullet in the chamber. This is because mobile operating systems include APIs that apps can use to access potentially confidential, proprietary or sensitive data, like contact lists, photos and calendars. In addition, apps could access corporate social media accounts reachable from the device, as well as built-in hardware features like GPS, camera and audio recorder. In fact, many apps have undocumented features that could be used for malicious or harmful purposes.

The risk to organisations is high, because most IT teams don’t have the same insight into and control over mobile app behaviours as they do with traditional enterprise software. So it’s essential that they adopt the same best practices and processes to prepare mobile apps for delivery as they do with desktop and other applications. As IT teams begin to analyse mobile apps and build institutional knowledge around their behaviour, they can substantially reduce the Russian roulette effect that mobile apps currently pose.

Arrrrr!* (*Application Readiness Reduces Russian Roulette Risk)

Organisations with mature internal processes adopt Application Readiness best practices, processes and technology to prepare enterprise apps for internal rollout – whether they’re physical, virtual, cloud, desktop or mobile applications. This provides a standardised best practice method for reliably and predictably testing, packaging and deploying apps into the enterprise.

Through Application Readiness automation, IT gains essential insight into mobile app behaviour. For instance, application reputation scanning examines an app's properties and configuration, determines which mobile device features the app uses, and issues a report that can be used to establish policies defining which behaviours are risky. The Application Readiness solution can then apply these policies to automatically identify risky apps, allowing IT to manage them appropriately.
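As an added illustration (not Flexera's or the article's code), the following Python sketch shows what such a scan amounts to in practice: read the device features an app declares in its manifest, compare them against a BYOD policy, and classify the app. The manifest, the permission-to-feature mapping and the policy are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android permission strings mapped to the device features named in the article.
FEATURE_OF_PERMISSION = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
    "android.permission.ACCESS_FINE_LOCATION": "gps",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio_recorder",
}

# Hypothetical BYOD policy: features blocked outright, and features that
# merely need a reviewer to sign off before the app is approved.
POLICY = {
    "block": {"audio_recorder", "contacts"},
    "review": {"gps", "camera", "photos", "calendar"},
}

# Constructed manifest for a torch-style app; a torch has no business reading contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"  # namespaced attribute

def declared_features(manifest_xml):
    """Return the set of sensitive device features the manifest asks for."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    return {FEATURE_OF_PERMISSION[p] for p in perms if p in FEATURE_OF_PERMISSION}

def scan(manifest_xml, policy=POLICY):
    """Classify an app as 'blocked', 'needs_review' or 'approved' under the policy."""
    features = declared_features(manifest_xml)
    blocked = sorted(features & policy["block"])
    review = sorted(features & policy["review"])
    verdict = "blocked" if blocked else "needs_review" if review else "approved"
    return {"package": ET.fromstring(manifest_xml).get("package"),
            "verdict": verdict, "blocked": blocked, "review": review}

if __name__ == "__main__":
    print(scan(SAMPLE_MANIFEST))
```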

Identifying and effectively managing risky mobile apps not only minimises risk but also enhances the user experience. Employees can use authorised apps with confidence, knowing they’ve been thoroughly vetted. And security officers will have greater confidence that danger has been averted, either by avoiding apps that exhibit risky behaviours or by eliminating those risky behaviours before the apps are allowed access to the corporate network.

Existing Teams Understand Process of Reducing Risk

Many organisations add new teams to deal with mobile apps and app security. However, existing teams should have all the experience necessary. IT organisations that already leverage Application Readiness best practices, processes and technology to safely and reliably deploy enterprise apps can extend these same processes to mobile apps. In doing so, companies will simultaneously improve operational efficiency and ensure a standardised process for deploying all applications. Adding mobile apps simply involves extending the familiar process to additional formats, operating systems and deployment solutions such as mobile device management systems.

For instance, Application Readiness teams have already proven their ability to deal with new formats (application virtualisation) and new operating systems (Windows 8). The same teams are also likely to be involved in preparing desktop apps for mobile device access via Citrix/RDS. So it makes sense to bring mobile apps into a single, standardised and consistent Application Readiness process that covers all enterprise applications. Leveraging the teams' existing knowledge and efficiency translates into greater IT agility and lower cost in maintaining Application Readiness.

Even the most innocent mobile apps can pose tremendous risk to organisations unaware of how their design and function can access sensitive data and, potentially, disseminate that data in violation of BYOD policies. By taking a comprehensive approach to managing the entire enterprise application lifecycle, including mobile apps, organisations can leverage existing staff, expertise and technology to test mobile apps, understand their threat potential and take appropriate measures. After all, you’re not really playing Russian roulette if you don’t play with loaded weapons.
