Communication, social media and news mobile apps top the riskiest list of 34 Android app categories analyzed in the March 2014 Marble Security Labs’ Mobile App Threat Report.
Based on an analysis of more than 200,000 Android apps in 34 categories during February 2014, Marble Security ranked these as the 10 riskiest mobile app categories:
News and magazines
Media and video
Travel and local
Music and audio
Surprisingly, the lowest risk category was games, followed by app widgets and wallpapers. The research proved that some mobile app categories put companies and users at more risk than others, according to Marble Security Founder and CTO David Jevans.
And, mobile threats are not just about malware. Even seemingly innocent apps can pose data leak risks as they feed information to advertising engines or hackers’ servers, comb through contacts or emails, or exchange documents.
"Innocent" apps can take even more advantage of naive companies. Jevans told Mobile Enterprise in an interview, "Most businesses are not aware of the risks associated with apps that their employees use, and, in our experience, most do not yet have policies for their employees."
Jevans pointed out that mobile security is a new and rapidly evolving field, but the threat is not. "Companies really need to be aware that the multi-billion dollar cybercriminal gangs that attacked us through our PCs are active and hungry to attack us through our mobile devices. The technology that they deploy is sophisticated and automated and stealthy, so that it is very hard to prevent these attacks without sophisticated security software and network monitoring, just as we have seen in the traditional PC environment," he said.
Defining the Risk
To determine and rank the riskiest types of apps, Marble Labs measured threats in these risk types:
Privacy: These apps may leak user identifiable information to third parties.
Data Leakage: These apps expose companies to loss of data, such as files and corporate directory information.
Account Takeover: These apps exfiltrate or access user credentials, creating the risk that online accounts may be taken over.
Device Takeover: These apps expose data about the device and its network services that may result in device takeover or cloning.
Malware: Apps that are purely malicious are categorized as Malware.
Marble Labs assigned a risk score for each of the five risk types, based on weighted scores of the permissions that an app requests, the APIs that an app can call, actual code execution of those APIs and whether sensitive data is actually sent from the device.
Apps with risk scores two or more standard deviations above the group’s mean were judged to exhibit risky behavior, and categories were ranked by the percentage of these “risky” apps they contained.
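To make the scoring and ranking concrete, here is an added toy re-implementation of the method just described (example code, not Marble Security’s). The signal weights, the sample apps, and the use of the whole analyzed set as the “group” with a population standard deviation are assumptions the report does not state.

```python
"""Added example, not Marble Security's code: a toy version of the report's
ranking method. Weights, sample apps and the 'group' (all apps, population std dev) are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed weights for the four signals the report names, from weakest evidence
# (a permission merely requested) to strongest (sensitive data actually sent).
WEIGHTS = {"permissions": 1.0, "apis": 2.0, "executed": 3.0, "sent": 5.0}
FIELDS = ("name", "category", *WEIGHTS)

# Constructed sample: per app, counts of risky permissions requested, sensitive
# APIs reachable, sensitive APIs actually executed and sensitive uploads seen.
SAMPLE_APPS = [dict(zip(FIELDS, row)) for row in [
    ("chat1", "communication", 6, 5, 4, 4),
    ("chat2", "communication", 2, 1, 1, 0),
    ("chat3", "communication", 3, 1, 0, 0),
    ("social1", "social", 5, 4, 4, 5),
    ("social2", "social", 3, 2, 1, 0),
    ("social3", "social", 2, 2, 1, 0),
    ("social4", "social", 3, 1, 1, 0),
    ("news1", "news", 4, 3, 2, 1),
    ("news2", "news", 2, 1, 0, 0),
    ("game1", "games", 1, 0, 0, 0),
    ("game2", "games", 1, 1, 0, 0),
    ("game3", "games", 2, 1, 1, 0),
    ("wallpaper1", "wallpapers", 0, 0, 0, 0),
]]

def risk_score(app):
    """Weighted sum of the four signals for one app (higher means riskier)."""
    return sum(WEIGHTS[k] * app[k] for k in WEIGHTS)

def flag_risky(apps, sigmas=2.0):
    """Flag apps scoring at least `sigmas` standard deviations above the group
    mean, as the report does with sigmas=2. Returns {name: bool}."""
    scores = {a["name"]: risk_score(a) for a in apps}
    threshold = mean(scores.values()) + sigmas * pstdev(scores.values())
    return {n: s >= threshold for n, s in scores.items()}

def rank_categories(apps, sigmas=2.0):
    """Rank categories by the percentage of their apps flagged as risky.
    Returns [(category, percent), ...] riskiest first, ties broken by name."""
    flags = flag_risky(apps, sigmas)
    total, risky = defaultdict(int), defaultdict(int)
    for a in apps:
        total[a["category"]] += 1
        risky[a["category"]] += int(flags[a["name"]])
    pct = {c: 100.0 * risky[c] / total[c] for c in total}
    return sorted(pct.items(), key=lambda kv: (-kv[1], kv[0]))
```

With this sample only the two outliers (chat1 at 48 and social1 at 50) clear the mean-plus-two-sigma threshold of roughly 45.4, so communication ranks first at one risky app in three, ahead of social at one in four.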
Need more proof? The Target breach, in which attackers appear to have taken advantage of its refrigerator vendor’s systems, and every other major breach of late show that there are myriad ways attackers come at us. Jevans noted, “There have been many attacks through mobile devices, but many go undetected and unprevented because of the relative immaturity of mobile security technology.”
While users must be aware of which apps they install and how those apps disclose their information, companies must be even more diligent about allowing apps on their employees’ devices, as apps can pose a significant risk of data, credential and corporate information disclosure.
Apps that may be acceptable to “consumers” can expose companies to risks that may leak data or create the risk of advanced persistent threats (APTs) by mining corporate contact databases, phone call traffic and SMS traffic.
The report provides examples of some of the ways in which risky app behavior can pose a threat:
Health, fitness and lifestyle apps read user data. Health, fitness and lifestyle apps often poorly protect user data and privacy. This is presumably because developers of these apps want to learn as much about a user as possible in order to tailor fitness programs, as well as to offer other products for sale. However, this data mining can expose corporate data or address book information, which then leaves a company’s control. In fact, some health, fitness and lifestyle apps display characteristics common to malware.
Communication apps are more risky than previously thought. Communication apps can pose a risk to companies. Many of these apps mine the user’s contact database. If those databases get data and updates from the corporate Active Directory, then apps can mine that data and send it to third parties over the Internet. These apps often mine phone call logs and SMS logs too. It can be very risky for businesses to allow employees to use communication apps on their devices that have not been analyzed, especially if their contact database is connected to a corporate directory.
Social media apps are among the riskiest. An analysis of more than 4,500 different social media apps determined that this category poses a high risk to companies, employees and individuals. Some social media apps are very well-behaved and pose little risk. However, there are hundreds of social media apps that expose users and their companies to data loss, account takeover and privacy violations. More than 100 social media apps exhibit behavior common to that of malware.
“As enterprises adopt BYOD programs, and diversify the mobile platforms to encompass iPhone, iPad, Android and Windows 8 devices, they will have to adopt comprehensive and adaptive security solutions. Cyber criminals, hackers and hostile governments have learned that our employees are not just using laptops to access our infrastructure. Employees are using mobile devices, and the attackers are going after them,” said Jevans.
For example, if a corporate Active Directory database is leaked to the Internet through an app and leads to a targeted attack that divulges corporate secrets or passwords to cloud services or internal systems, the attack is difficult to detect and its provenance difficult to trace, according to Jevans. “This is why APT protection must not just be on corporate networks, but must be applied to mobile devices and networks,” he said.
Mitigating the Risk
Smart enterprises are implementing technologies to assess the behavior of the apps their employees use and to determine whether those apps pose a risk to the company. They are also putting policies in place around devices, data and apps.
According to Gartner Research, as threats to the enterprise shift and new platforms for conducting business operations emerge, security and risk leaders have to adapt their strategies as well. Mobile apps are just one factor in what the firm calls the Nexus of Forces, which “challenges legacy security infrastructure and forces risk managers to integrate new concepts into their risk processes.”
And, although Gartner identifies these four separate factors, the company warns: “It is critical that security and risk strategies focus on the nexus, or intersection of these factors. Cloud, mobile, social and big data are overlapping, integrated forces. Effective security and risk management is based on how people actually use these new capabilities. People do not see a separation between these forces: they use mobile devices to access cloud services (many of them social interaction services) that rely on big data to support user requests. The Nexus of Forces is a seamless environment for employees and security must manage the security of enterprise accordingly.”