Without a doubt, mobile devices and the apps that go with them have transformed the way employees do their jobs, and also how they entertain themselves while at work. As employees bring their own devices (BYOD) to work, and as more companies encourage them to, ensuring mobile app security in the workplace is becoming a nightmare.
Smartphones, tablets and the apps on them are no longer optional. We are all drawn into this ecosystem and now depend on it to function day to day. Small companies and large corporations alike let their workers bring in their own devices, to provide the flexibility today's work environments demand.
According to the latest report by App Annie, the average smartphone user opens close to 10 apps a day and 30 apps a month. But as vital and beloved as these mobile apps are, employees tend not to worry about securing them. The 2013 Norton Report from Symantec found that while nearly half of all smartphone users care enough about their devices to sleep next to them, they do not protect them.
48 percent of smartphone and tablet users do not take even basic precautions such as setting a device password, much less installing security software to protect against malicious apps.
This is why mobile devices, and the security of the apps on them, are a threat to your enterprise. And this is not only true for companies that promote BYOD. Even companies that have not adopted BYOD must protect corporate data from malicious and risky apps, because it is exceedingly easy for employees to blur the line between personal and work use on the same device.
That’s why it’s so important for organizations to secure their mobile data, regardless of who owns the device.
Example of Breach of Mobile App Security at the Workplace
Let's take the real-life example of a food ordering app called Ritual.
Engadget reported a serious breach of data privacy when employees use Ritual to order food at the workplace. The unique part of Ritual is that it lets other users add their own food orders, or "piggyback", onto an order already in place. That way one person can head to the restaurant and bring back the whole office's orders at once. Sounds fine, right?
Well, not quite. Twitter user Caitlin Tran (@caitlinsays_) pointed out that anyone could join any company on Ritual without any sort of verification and see which floor its employees work on. By default, the app shares the address of the user's office premises and the floor they are on, along with their first and last names. It also reveals where they are heading to pick up their meals.
Bad data privacy: On the "social [meal] ordering app" Ritual, you can join any company without email verification and see which office floor users work on at places like @DHSgov, @LockheedMartin, @PalantirTech, and the Pentagon. pic.twitter.com/fZrwPCGJaw
— Caitlin Tran (@caitlinsays_) March 16, 2018
The question to ask here is: what can companies and security leaders do to discover such breaches? Often these apps seem harmless on the outside, but imagine knowing who works where, and on which floor. And this is just one simple example.
According to the 2017 AT&T Global State of Cybersecurity survey, 51% of organizations said employee mobile devices were the source of a breach.
Every time a user installs a new app that is vulnerable or malicious, or fails to update their apps or the operating system, they put the enterprise in danger. Sometimes users show reasonable caution and still inadvertently give away sensitive information, as in the case of the Ritual app.
The DHS's 2017 Study on Mobile Device Security examines vulnerabilities and risks throughout the mobile ecosystem, and pays considerable attention to apps. As represented in the study's "Threats via Mobile Apps" illustration, there are many ways that malicious apps can exploit mobile devices.
How to Ensure Mobile App Security at the Workplace
The first thing to understand is the range of risks associated with malicious as well as non-malicious apps. Most security leaders are aware of malicious apps built with intent to cause damage, and usually have systems in place to catch them.
More dangerous are apps that have no malicious intent but are simply built the wrong way, or whose developers have not made the extra effort to keep their vulnerabilities in check.
Some risks associated with non-malicious apps are:
1. Insecure network connections
2. Files stored with insecure file permissions or in an unprotected location
3. Sensitive information written to a system log
4. Web browser (WebView) vulnerabilities
5. Vulnerabilities in third-party libraries
6. Cryptographic vulnerabilities, and more.
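To make the list above concrete, here is a small static checker that greps Android/Java source and Gradle dependency lines for tell-tale patterns of each risk class. This is an added example written for this article, not Appknox's scanner or any product's rule set; the patterns are illustrative heuristics, and the sample source lines, the dependency list and the "vulnerable below version" table are all constructed for the example (the `com.example` artifacts are fictitious).

```python
"""Toy static checker for the non-malicious app risk classes listed above.

Added example, not a product's scanner. It searches constructed Android/Java
source lines for patterns that commonly indicate each risk class, and checks
Gradle dependency lines against a (constructed) table of fixed versions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    line: str


# Illustrative heuristics, one per risk class from the list above.
RULES = [
    ("insecure network connection",
     re.compile(r'"http://|ALLOW_ALL_HOSTNAME_VERIFIER|usesCleartextTraffic="true"')),
    ("insecure file permissions / location",
     re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)|getExternalStorageDirectory\(')),
    ("sensitive data in system log",
     re.compile(r'Log\.[vdiwe]\(.*(password|passwd|token|secret|ssn)', re.IGNORECASE)),
    ("web browser (WebView) vulnerability",
     re.compile(r'setJavaScriptEnabled\(true\)|addJavascriptInterface\(|'
                r'setAllowFileAccessFromFileURLs\(true\)')),
    ("cryptographic weakness",
     re.compile(r'Cipher\.getInstance\("(DES|RC4|AES/ECB)|'
                r'MessageDigest\.getInstance\("(MD5|SHA-?1)"')),
]

# Gradle line such as: implementation 'group:artifact:1.2.3'
DEP_RX = re.compile(r"""implementation\s+['"]([^:'"]+:[^:'"]+):([\d.]+)['"]""")


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, matching rule) in the given source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for category, rx in RULES:
            if rx.search(line):
                findings.append(Finding(category, line_no, line.strip()))
    return findings


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def scan_dependencies(gradle: str, vulnerable_below: dict[str, str]) -> list[Finding]:
    """Flag dependency lines whose version is below the known-fixed version."""
    findings = []
    for line_no, line in enumerate(gradle.splitlines(), 1):
        m = DEP_RX.search(line)
        if not m:
            continue
        coordinate, version = m.group(1), m.group(2)
        fixed = vulnerable_below.get(coordinate)
        if fixed and _version(version) < _version(fixed):
            findings.append(Finding("vulnerable third-party library", line_no, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per risk category."""
    return dict(Counter(f.category for f in findings))


# Constructed sample input for this example (not from any real app).
SAMPLE_SOURCE = """\
URL url = new URL("http://api.example.com/login");
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
FileOutputStream fos = openFileOutput("session.json", MODE_WORLD_READABLE);
Log.d(TAG, "login password=" + password);
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "Android");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
String greeting = "hello world";
"""

SAMPLE_GRADLE = """\
implementation 'com.example:legacy-net:1.1.3'
implementation 'com.example:imageloader:4.2.0'
implementation "com.example:jsonparse:0.9.0"
"""

# Constructed for this example; not real advisories or real fixed versions.
VULNERABLE_BELOW = {
    "com.example:legacy-net": "1.2.0",
    "com.example:jsonparse": "1.0.0",
}


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE) + scan_dependencies(SAMPLE_GRADLE, VULNERABLE_BELOW):
        print(f"line {f.line_no:>2}  [{f.category}]  {f.line}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Run it and every sample line except the harmless `greeting` string is flagged, each under the risk class it belongs to. A checker this simple has false positives (a hard-coded `http://` URL may be harmless) and misses anything spread across lines, which is why the classes on the list are normally covered by a real static analyzer plus dynamic testing rather than a grep.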
We always recommend a combination of technical tools and a commitment to educating users about good security practices. In addition to employing a variety of mobile app security solutions, it is equally important to build employee awareness and training, to leverage the power of the crowd through bug bounty programs, and to recognize and emphasize internally how serious the problem is. All of this combines to build an approach that also offers protection from other internal and external attackers.
Appknox can help you identify many of the non-malicious threats that exist in your app ecosystem. Our wide range of partners provides the complementary solutions needed for a combined approach to solving this problem.