ESPN App Could Steal Your Enterprise Data
By Lori Castle, Editor in Chief
With somewhere between 10 and 50 million downloads in the Google Play store alone, and with 39% of the U.S. workforce being mobile, chances are the ESPN ScoreCenter app is running on a large majority of your own workforce's devices if you support BYOD.
Zscaler, using its own Zscaler Application Profiler (ZAP), an online tool to assess mobile apps for security risks, discovered that the app had significant security vulnerabilities that could compromise users’ mobile devices, including the threat of data theft.
The flaws in the ScoreCenter app, according to the Zscaler blog, were fixed by ESPN the day after they were originally reported, but this is just one of millions of consumer apps, which highlights a growing problem for the enterprise. The BYOD culture is evolving into a BYOA(pps) culture, and consumer-grade mobile apps with only limited security measures are finding their way into the business.
ZAP lets users search the name of any iOS or Android app, and receive an instant assessment of its security and privacy risks, along with an overall risk score. The solution can also scan traffic from an app installed on their device to see whether data is being exposed.
"It's important to remember that many mobile apps are not native applications— they’re essentially web pages displayed in a WebView control, or even just web content mixed in with native controls," said Michael Sutton, VP, security research, Zscaler ThreatLabZ. "As such, vulnerabilities common to web applications can also occur in mobile apps. Users should be aware that such vulnerabilities in mobile apps often remain hidden, as apps don’t have the same visual indicators to show that data is being sent insecurely."
The native versus hybrid versus HTML5 discussion is ongoing in the enterprise for not just UX, but security as well. And, while many companies are turning to MEAPs to better enable secure development, that doesn't help with BYOA.
Greater App Risk through Device Choice
There’s not much argument about which device causes the largest risk to the corporate environment because of the way app development is handled. Plus, there are reportedly more than 100,000 (depending on the source) hacked versions of apps available in the Google Play Store.
Jeff Koonce, IT infrastructure manager for Our Kids of Miami-Dade, FL, and contributing editor for Mobile Enterprise, says: "Even though Android devices have made a huge impact in the consumer market, it is still the lowest rated enterprise device when it comes to levels of security and manageability."
Kaspersky Labs reported that cybercriminals are focusing primarily on the Android platform, and considering that Samsung devices recently overtook Nokia and caught up to Apple in the global market, this risk is only growing.
And, despite the notion that Apple is totally safe, jailbroken devices notwithstanding, according to a CNN report, Apple's bid for the enterprise and an iOS update resulted in "more robust security features," but may also have unintentionally led app developers to go softer on security. Instead, they rely on Apple for protection.
Contain, Manage or Develop?
Because there is not one type of mobile environment, there is not just one answer for handling the issues that come with the BYOA trend, and none of the answers are simple.
A black and white choice, or more like back and forth, is that of containerization. There are many options available and the solution is layered on the device to enable total separation between work and personal. It does, however, affect the UX, which can, in turn, affect productivity.
The new BlackBerry 10 has containerization built in to the device and touts the optimal UX. ActiveSync connects basic policies in a non-BlackBerry Enterprise Server (BES) Exchange environment, but when it comes to optimal "container" functionality, it's all about BlackBerry Balance, which can only be fully leveraged through a BES.
"Activating a BlackBerry 10 smartphone against BlackBerry Enterprise Service 10 will provision the workspace and enable BlackBerry Balance," Jeff Holleran, senior director, enterprise product management for RIM explains. It provides total separation of work and personal, and full enterprise control to manage and wipe the work side of the device.
Mobile application management (MAM) is meant to handle enterprise apps. 451 Research in its "Mobile Management Disorder" report offers this recommendation: "Apps in public app stores cannot be fully managed using MAM, which focuses on distribution of applications and managing their use, licensing, policies and removal. Security and management policies can be added, particularly where app developers have not provided this capability to their app natively. The policies include encryption of data, preventing the cutting or copying of data, use of app-level VPNs, and checks for device integrity."
Corporate usage policies should also clearly cover consumer apps at work. And blacklisting apps can help as well. Make sure to communicate these policies and put them in a place easily accessible to mobile workers.
It’s possible the enterprise could at least curb the BYOA trend by developing the apps "prosumers" are downloading to help them work better. There will still be the occasional sports, shopping or gaming app, but at least corporate data will not intentionally be flowing through these.
There's plenty of research showing that companies are planning to increase the number of apps they offer, but enterprise apps are developed at a slower pace than their consumer counterparts, due, in part, to security requirements.
Mobile security in general is a top priority this year for a majority of companies, and they will need to make sure BYOA is a part of this focus.