With the rise of remote work and shadow IT, more devices and apps (both sanctioned and unsanctioned) are connecting to your organization’s network. Today, there are approximately five million mobile apps currently in circulation: approximately three million for Android and two million for iOS.
That’s great for productivity, but less than ideal when it comes to security. Despite the best efforts of curated app stores, a significant portion of mobile applications contain worrying security concerns.
Indeed, research from Bitsight shines a light on the alarming state of mobile security:
- Three out of four mobile applications evaluated contained at least one moderate vulnerability
- Material and severe vulnerabilities were observed in highly popular apps. And very few were remediated once in production. Indeed, remediation rates were low given the criticality of these vulnerabilities.
- Android shopping apps, which transmit personal identifying information (PII) and other sensitive financial details, performed poorly in TLS Certificate Validation for Sensitive Data.
- GPS Data Leakage, a significant security and privacy issue, was a problem across a variety of sectors and mobile app genres—including aerospace and defense.
For these reasons, it is critical that you understand the risks associated with mobile applications created in-house and those published by third parties.
But what risks do mobile apps present and how can you get ahead of these threats? Let’s take a look.
Top security threats posed by mobile applications
1. Malicious actors
Tampering with application code is a common tactic used by hackers. Yet, 84% of apps lack the ability to detect if malicious code (malware) has been injected into their source code.
Malware can infect any device that runs the app and steal personal and business information. It can also spread laterally across the network and infect other devices and apps.
2. Insecure connections between the app and server
Insecure connections between a mobile app and a server can lead to data leakage as well as man in the middle attacks. Security measures, such as encryption, can prevent hackers from accessing or modifying data in transit and should be a foundation of any BYOD security policy.
3. Credential theft
Mobile devices and smartphones represent a person's digital identity. Hackers can access passwords, password managers, social and financial accounts, and more. If stolen or breached, they represent a massive risk both to the user’s privacy and identity. But there’s also a business impact. One stolen credential is all it takes to gain access to your organization's network and infrastructure.
4. Cloned apps
Cloned apps – fake versions of legitimate applications – are a growing threat. Some of the most commonly cloned apps are business apps, including Skype (28%) and Adobe Reader (18%), among others. Once downloaded and installed, these apps launch malware and phishing attacks that make it easy for hackers to circumvent traditional security tools and extract personal information, move laterally across the corporate network, and more.
5. IP theft
Theft of intellectual property (IP) (patents, copyrights, source codes, algorithms, etc.) is a growing area of cybercrime. If your organization develops its own mobile business applications, be sure to implement multiple layers of security into the code to protect against hacking techniques such as reverse engineering (the process of obtaining sensitive information or altering source code).
6. Unpatched vulnerabilities
Cybercriminals can easily exploit vulnerabilities due to unpatched security bugs left in mobile apps, especially those with complex code. And many go unaddressed.
In late 2022, multiple unpatched vulnerabilities were discovered in three Android apps that allow a smartphone to be used as a remote keyboard and mouse to execute arbitrary commands to exfiltrate sensitive information. In another incident, application security flaws affecting Android smartphones that could give attackers access to a user's device and data remained unpatched months after manufacturers reported them.
How to ensure mobile application protection
When evaluating mobile application security, you must consider your own apps as well as those published by third parties. This means enforcing security standards as an essential part of your mobile app development and release cycles.
If you develop mobile apps in-house: Mobile app security evaluations should not be treated as the last step of the development and/or release process, but as recurring functionality milestones. All apps—not just a select few—should be included in the security evaluation process. Additionally, mobile applications should be evaluated on an ongoing basis.
If you use third-party mobile apps: Always evaluate any mobile app before subscribing, downloading, or installing it on your organization’s mobile devices. Use a third-party risk management tool to measure and continuously monitor third-party security controls to align with your risk tolerance and organizational objectives.
Continuously monitor for vulnerabilities
In addition to addressing mobile application security during the development and third-party mobile app onboarding process, it’s critical to incorporate mobile application protection into your vulnerability monitoring and management program.
But increased remote work means that security teams lose visibility into the devices and apps accessing the network. So, how can you secure what you cannot see?
As the attack surface expands to include smart devices, mobile apps, and shadow IT, you need continuous visibility into every asset that comprises your digital ecosystem. Only then can you discover, prioritize, and control hidden risks. Below are three ways to achieve this:
- Visualize the attack surface: Bitsight Attack Surface Analytics provides dashboard-based visibility into hidden digital assets on the network and helps visualize areas of highest risk exposure, such as potentially unprotected or infected mobile applications and devices. Using this insight, you can assess the risk of each instance and either bring it in line with corporate security policies or remediate it.
- Monitor your digital ecosystem continuously: Continuously monitor your digital ecosystem for emerging risks and receive alerts when security postures of connected systems and devices change.
- Monitor third-party software vendors: Verify what data third-party apps have access to on a regular basis, and monitor the security performance of your digital vendors to ensure they maintain security controls in accordance with contract requirements.
Other tips for mobile application protection include:
- Monitor network traffic for potential security threats that may arise from connected mobile applications and shadow IT. This is particularly important for protecting against vulnerabilities introduced by personal mobile devices that might be used on a work network.
- Educate employees on basic application security hygiene such as avoiding downloading mobile apps from inauthentic application providers or companies, being on the lookout for suspicious behavior such as phishing emails or requests for credentials, and the importance of multi-factor or biometric authentication.
- Create a smart device security policy that is comprehensive, flexible, and non-restrictive, in order to help users better understand your security and privacy standards.
The office is now anywhere and everywhere, and mobile applications are at the heart of employee productivity. That requires a significant amount of education and due diligence to ensure your organization is well protected.
To learn more about Bitsight’s findings into the state of mobile application security and how you can reduce risk to your organization, employees, and customers, download our Mobile Application Risk Report.