Mobile App Security For Your Remote Workforce

With the world being forced into lock-down due to the ongoing pandemic, work from home has become a necessity for almost all companies. There is a sudden surge in demand for mobile and desktop apps that support the work-from-home model, such as video conferencing apps like Zoom and project collaboration apps like Slack and Trello.

Figure: Average weekly time spent in mobile apps

The average weekly time spent worldwide in apps and games on Android phones grew 20% year-over-year in Q1 2020. (Source: App Annie)

Unfortunately, in the digital realm, anything popular draws the attention of hackers. The more customers an app has, the more the hacker has to gain. Sudden spikes in mobile app traffic have led to an emergence of security and privacy threats.

You might’ve seen Zoom making headlines when a massive security breach was detected wherein details of 500,000 accounts were being sold on the dark web. Trello was also on the watch-list, as a security scan in January 2020 revealed a ton of sensitive data about businesses using the app.

Cyber threats like these could put users in harm’s way, and worse, a hack or data breach could jeopardize businesses that use them. As businesses are still learning to embrace remote working, there’s a natural concern about the security of moving many processes online.

Recognizing the dire need to ensure the safety of these apps, Appknox has scanned and benchmarked the security levels of 8 apps that have experienced a sudden surge in demand. We’ll discuss the security issues lurking in these mobile apps and how to safeguard your users and business against them.

The security assessments below are based on results from the Appknox Automated Vulnerability Assessment Platform.

Security Assessment of 8 Popular Apps

1) Zoom

The Zoom video app was already popular among businesses, but its user base grew enormously when the lock-down was imposed on account of their free plan and the easy-to-use interface.

A security assessment of the mobile application detected the following:

  • Broadcast receivers that are set dynamically are not secure
  • Unsecured information was found in shared preference which should ideally be encrypted
  • Android component hijacking via Intent

Figure: Appknox security rating for the Zoom app

The test revealed 3 medium-risk and 7 low-risk factors. This indicates a security rating of 14.08% unsecured. The consequences of such vulnerabilities could include fraud, privacy violations, identity theft, and reputational damage.
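The three Zoom findings above are generic Android weaknesses rather than anything specific to Zoom's code, so here is an added illustration (written for this article, not taken from Zoom or from Appknox) of each one in its weak form next to a hardened form. It assumes a standard Android app using AndroidX Security for encrypted preferences; the action string, permission name and preference file names are constructed for the example.

```java
// Added illustration, not Zoom's code. Weak and hardened forms of the three findings:
// dynamically registered receivers, implicit Intents, and plaintext SharedPreferences.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.SharedPreferences;
import android.os.Build;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

public class ComponentHardeningExamples {

    // Constructed action and permission names for the example.
    private static final String ACTION_SYNC_DONE = "com.example.action.SYNC_DONE";
    private static final String PERM_INTERNAL = "com.example.permission.INTERNAL_BROADCAST";

    // --- Finding: "Broadcast receivers that are set dynamically are not secure" ---

    // Weak: a receiver registered like this is reachable from every app on the device,
    // so any installed app can send ACTION_SYNC_DONE and drive the handler.
    static void registerReceiverWeak(Context ctx, BroadcastReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE));
    }

    // Hardened: on Android 13+ mark the receiver not exported; on older releases require a
    // signature-level permission (declare PERM_INTERNAL in the manifest with
    // android:protectionLevel="signature") so only apps signed with our key may send it.
    static void registerReceiverHardened(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SYNC_DONE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(receiver, filter, PERM_INTERNAL, null);
        }
    }

    // --- Finding: "Android component hijacking via Intent" ---

    // Weak: an implicit broadcast is delivered to any app whose filter matches the action,
    // so data placed in its extras can end up in a third-party app.
    static void notifyWeak(Context ctx, String sessionId) {
        ctx.sendBroadcast(new Intent(ACTION_SYNC_DONE).putExtra("session", sessionId));
    }

    // Hardened: pin the Intent to our own package so no other app can receive it.
    static void notifyHardened(Context ctx, String sessionId) {
        Intent i = new Intent(ACTION_SYNC_DONE)
                .setPackage(ctx.getPackageName())
                .putExtra("session", sessionId);
        ctx.sendBroadcast(i);
    }

    // --- Finding: "Unsecured information was found in shared preference" ---

    // Weak: plain SharedPreferences are an XML file in the app's private directory; on a
    // rooted device, through a backup, or via another bug it is readable in the clear.
    static void storeTokenWeak(Context ctx, String token) {
        ctx.getSharedPreferences("session", Context.MODE_PRIVATE)
           .edit().putString("auth_token", token).apply();
    }

    // Hardened: EncryptedSharedPreferences encrypts keys and values with a master key that
    // lives in the Android Keystore, so the file on disk no longer reveals the token.
    static void storeTokenHardened(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                ctx, "session_secure", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("auth_token", token).apply();
    }
}
```

The same reasoning applies to the "unprotected exported activities and receivers" finding listed for Trello below: components declared in the manifest should carry android:exported="false" unless another app genuinely needs to reach them, and exported ones should be guarded by a permission.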


2) Trello

Trello is an online work board that helps share and keep track of tasks and projects. It’s been popular in workspaces but has grown its customer base since more businesses need to manage their activities remotely.

Our security audit of the mobile app revealed a security score of 15.49% unsecured. It showed 8 medium-risk and 3 low-risk security issues including:

  • Storing information in shared preferences
  • Sensitive information leaks in the database
  • Unprotected exported activities and receivers

Figure: Appknox security rating for Trello

The implications of these security issues include compromised user credentials, fraud, privacy violations, information theft, and reputational damage.


3) Webex

Webex enables online meetings, presentations, and webinars and is used worldwide by some of the top companies. However, our security audit of the mobile app revealed high-risk issues with:

  • Insufficient transport layer protection
  • Derived crypto keys

Figure: Appknox security rating for Webex

It also showed medium- and low-risk security issues that put it at a security rating of 14.08% unsecured. Such cyber threats could cause privacy violations, information and code theft, and reputational damage.


4) Asana

Similar to Trello, Asana is a great app to manage remote and distributed teams while focusing on projects and tasks. The mobile app fared better than most in our security audit with a score of 11.27% unsecured. It showed 4 medium risks and 4 low risks that include:

  • Android service allows recording of audio and screen activity
  • Broken SSL trust manager
  • Disabled SSL CA validation and certificate pinning
  • Broadcast receivers that are set dynamically are not secure

Figure: Appknox security rating for Asana

In the event an attacker is able to exploit these vulnerabilities, Asana could face data theft and damage to its reputation.
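"Broken SSL trust manager" and "disabled SSL CA validation and certificate pinning" both describe TLS validation that has been switched off, which is what lets an on-path attacker read or alter traffic. The following is an added example (written for this article, not Asana's code or Appknox's) showing the anti-pattern next to a hardened OkHttp client that keeps platform CA validation and adds pinning. The hostname and the two pin values are placeholders; OkHttp's CertificatePinner.pin(Certificate) returns the real "sha256/..." value for a given certificate.

```java
// Added illustration, not Asana's code. A trust-everything TLS setup versus an OkHttp
// client that keeps CA validation and pins the server's public key.
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsTrustExamples {

    // Weak: the X509TrustManager below accepts every chain and the HostnameVerifier accepts
    // every host, so any certificate presented by an interception proxy is "valid".
    // Scanners flag this pattern as a broken trust manager / disabled CA validation.
    static OkHttpClient brokenClient() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { trustAll }, new SecureRandom());
        return new OkHttpClient.Builder()
                .sslSocketFactory(sc.getSocketFactory(), trustAll)
                .hostnameVerifier((hostname, session) -> true)
                .build();
    }

    // Hardened: do not touch the default trust manager (platform CA validation stays on)
    // and additionally require that the leaf or intermediate public key matches a pin.
    // A backup pin lets the server rotate keys without bricking installed clients.
    static OkHttpClient hardenedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // "api.example.com" and both pins are placeholders for this example.
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

On Android 7.0 and later the same policy can be declared without code in a network security config (res/xml/network_security_config.xml) using a pin-set and cleartextTrafficPermitted="false"; that also addresses the "insufficient transport layer protection" finding listed for Webex and Notion.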

5) Go To Meeting

Go To Meeting was built for collaboration and meetings with colleagues, customers, and clients. With a sudden rise in demand for the mobile app, we included it in our security audit list to check whether it was ready, in terms of security, to handle the popularity. However, we found one high-risk issue in the app: derived crypto keys.

Apart from that, a number of medium- and low-risk security issues peppered through the app brought its security rating to 18.31% unsecured. They include:

  • Android service allows recording of audio and screen activity 
  • Broadcast receivers that are set dynamically are not secure
  • Broken SSL trust manager

Figure: Appknox security rating for Go To Meeting

While repercussions of data theft and fraud are implied, the audit also found that a sensitive data leak could inadvertently lead to further attacks.


6) Microsoft Teams 

This work collaboration app saw a rise of 12 million new users amidst the COVID-19 pandemic. The spike was seen from remote workers across the globe bringing its daily active users to 44 million. Bearing such a trusted name in the market, many users tend to leave their mobile app security protocol in the hands of Microsoft.

Our security assessment revealed a 14.08% unsecured rating with one high-risk element among a list of medium and low-risk ones:

  • Derived crypto keys
  • Broadcast receivers that are set dynamically are not secure
  • Android service allows recording of audio and screen activity
  • Android component hijacking via Intent

Figure: Appknox security rating for Microsoft Teams

These cybersecurity risks could be an invitation to bad actors to conduct fraudulent activities, violate privacy, and steal code and identities.
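"Derived crypto keys" appears as a high-risk finding for Webex, Go To Meeting and Microsoft Teams. One common form of this issue is an encryption key computed from a constant shipped inside the APK (or from a predictable device value), which anyone who decompiles the app can reproduce. The block below is an added example for this article (not code from any of those apps or from Appknox): it contrasts that weak derivation with a random AES key generated inside the Android Keystore, and shows AES-GCM encryption with the resulting key. The key alias and the seed string are constructed for the example.

```java
// Added illustration, not vendor code. A key derived from a constant in the app versus a
// random key held in the Android Keystore, plus AES-GCM encrypt/decrypt using that key.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyDerivationExamples {

    private static final String ALIAS = "example_data_key"; // constructed alias
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Weak: hashing a string literal yields the same 32 bytes on every install and for
    // every attacker who reads the literal out of the APK. Data "encrypted" with it is
    // effectively stored in the clear.
    static SecretKey derivedKeyWeak() throws Exception {
        byte[] seed = "com.example.app:v1".getBytes(StandardCharsets.UTF_8); // constructed seed
        byte[] raw = MessageDigest.getInstance("SHA-256").digest(seed);
        return new SecretKeySpec(raw, "AES");
    }

    // Hardened: generate the key inside the Android Keystore. The key material never leaves
    // the keystore (hardware-backed on devices that support it), so there is nothing in the
    // APK or on disk to recover; the key is created once and reused by alias afterwards.
    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            return (SecretKey) ks.getKey(ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setRandomizedEncryptionRequired(true) // keystore picks a fresh IV each time
                .build());
        return kg.generateKey();
    }

    // AES-GCM with a random IV; the IV is prepended to the ciphertext so decrypt can find it.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key); // provider generates the IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Splits off the IV, then decrypts and verifies the GCM tag (throws on tampering).
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }
}
```

If a key genuinely has to be derived from a user secret (for example a passphrase), use a proper password-based derivation such as PBKDF2 with a random, per-user salt and a high iteration count rather than a single hash of a constant.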

7) Notion

Notion helps blend everyday work apps into one to create an all-in-one workspace for your team. While stock markets plummet, Notion raised $50 million at a $2 billion valuation after the coronavirus pandemic spread to the U.S. This highlights just how profitable Notion has been and the potential it has in the market.

Under the security scanner, its security rating stood at 9.86% unsecured (the lowest in this list) as Appknox found two high-risk and two medium-risk vulnerabilities:

  • Insufficient transport layer protection
  • Disabled SSL CA validation and certificate pinning
  • Surreptitious sharing on Android
  • Android service allows recording of audio and screen activity
  • Broadcast receivers that are set dynamically are not secure
  • Android component hijacking via Intent
  • Storing information in shared preferences

Figure: Appknox mobile security rating for Notion

The app could be susceptible to data theft and fraudulent activities. There’s also a mild chance of hackers intercepting users’ data and inserting data to maliciously modify the app’s behavior.

8) Skype for Business

Skype made itself a household name for many not just in the realm of business but among family and friends. Being a pioneer in enhancing video and voice calling across the globe, this app is used abundantly in businesses especially for interviews and remote face-to-face meetings.

Our assessment of Skype’s security details revealed a 12.68% unsecured rating with a couple of medium and low-risk factors:

Figure: Appknox security rating for Skype

Alongside fraud and privacy violations, and similar to Notion, the app has a low risk of being susceptible to hackers intercepting users’ data and inserting malicious code to alter the behavior of the app.

By helping you understand the security lapses lurking in mobile apps, we do not intend to discourage you from using them. Instead, our mission is focused on aiding businesses and users in taking better security measures while using these apps.


Best Practices for Mobile Apps During Remote Work

Mobile applications like the ones mentioned above do take stringent security measures; however, vulnerabilities tend to appear from time to time as the developers continue to modify and enhance the app.

The digital realm is riddled with attackers running all sorts of malicious activities, making it difficult to say that any app is 100% secure. Nonetheless, there are important security measures that you can implement to secure your app:

1) Always keep testing your app after every stage of development. Testing is critical to your app’s security and performance. It will help you detect security flaws and data leaks so that you can fix them promptly and avoid them snowballing into larger issues.


2) Use a safe API and make sure unknown persons don’t have access to your app’s source code.

3) Devise your own incident response plan in advance so that you are always prepared in case of an attack or breach of security.

4) Educate your users about in-built security features that they can take advantage of. For example, Zoom allows hosts of the meeting to lock the room and allow only users they recognize to join in. They can also set a password to join the meeting room making it quite secure as long as users implement these security measures on their own.

Taking such protective measures of your own can drastically improve the overall security of your mobile app.

What’s Next?

Shifting to remote working is a daunting task and without these mobile apps, it can become insurmountable.

Luckily, the many essential mobile apps and tools have helped businesses make a much smoother transition to remote working. Remote working is here to stay for a while, and it may change the way we run our businesses forever. It’s time to seize the opportunity to make the digital realm a safer place to operate businesses.

“Our security team recommends incorporating automated mobile application security testing into your CI/CD pipeline so you can remediate security and privacy issues. In addition, manual penetration tests and architectural reviews with an eye toward specific goals of the apps being developed. Once again, if you’re developing a COVID-19 app for public use, we’re eager to help secure your app to further the mission of fighting the pandemic.” (Subho Halder, CISO, Appknox)


Published on May 19, 2020
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching mobile security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others.
