Mobile devices, and Internet-enabled smartphones and tablets in particular, have quickly become the device of choice for many users for both leisure and business purposes. Such devices are considered to be the driving force behind the phenomenon of the consumerization of IT, as devices originally designed with consumers in mind become increasingly preferred in the work setting. This has led to the coining of the phrase “BYOD,” or bring your own device. However, consumerization is also extending to other areas, including the use of mobile apps.
The use of mobile apps is fast growing in importance and is a vibrant market. Gartner estimates that the market for mobile apps was worth some US$26 billion in 2013, up 44 percent from US$18 billion in 2012. In total, it reports that app downloads in 2013 numbered 102 billion, although it cautions that the majority of apps were downloaded for free.
As the number of mobile devices and apps proliferates, attacks against mobile apps and devices in general are also growing in importance and number. There are several ways that mobile apps can introduce security threats into an organization, with security issues including the potential for identity theft, unauthorized access to confidential data, altered data, unwanted phone calls, or denial of service.
An increasing number of apps contain a malicious payload, such as viruses or Trojans, that can be used to steal data or to introduce threats into the organization’s network, especially since most mobile devices have limited security controls. Malware affecting mobile devices in general is a fast-growing issue. The lack of authentication and authorization mechanisms in most apps makes data loss more likely, especially if a device is lost or stolen. And the use of cloud-based apps, for storage in particular, is a further risk of data loss.
ENISA, the network and information security agency of the EU, recently identified five key lines of defense for protecting against mobile malware and insecure apps, with a particular emphasis on how app stores should be used, since these are fast growing in popularity:
- Review all mobile apps before admitting them to the organization’s app store using both static and dynamic analysis tools, as well as manual reviews that place an emphasis on sensitive functionality.
- Take reputation into account. This includes both the reputation of the app’s developer and the ratings given to the app in other app stores. However, consideration should go beyond mere functionality, which is the main concern of most users who rate apps, and should also take into account security and privacy issues, such as whether the app asks for excessive privileges at install.
- Smartphone platforms should support app revocation, which is also known as a kill switch, so that apps that have been installed can be remotely removed if they are found to be insecure or to contain malware.
- To reduce the impact of malware, all apps should be run in sandboxes prior to being installed. This also allows fine-grained security policies to be “wrapped” around individual apps before they are released to users, so that multiple layers of protection can be applied and access to corporate data can be controlled. An alternative approach is to containerize apps by placing them in a separate, encrypted zone. However, containerization is only available for apps whose vendor supports it.
- Apps should only be installed from reputable sources, such as one or more designated app stores. However, such policies should not be overly restrictive and should allow an element of legitimate competition and user freedom or users will not adhere to such policies.
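The first, second and fifth of these recommendations can be combined into a simple admission check that an enterprise app store runs before an app is published: a static pass over the app's manifest to find the permissions it requests, a comparison of those permissions against what its category can justify, and a check of where the app came from and how it is rated elsewhere. The following Python is an added illustration, not code from ENISA or from the article; the policy tables (trusted store names, the permissions each category may justify, the rating threshold) and the two sample manifests are constructed for the example and would be replaced by the organization's own policy.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace for manifest attributes (android:name etc.)
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical policy: the designated app stores the organization admits apps from
TRUSTED_STORES = {"corp-store.example", "play.google.com"}

# Hypothetical policy: permissions each app category can justify. Anything an
# app requests beyond its category's set is treated as excessive.
JUSTIFIED_PERMISSIONS = {
    "notes": {"android.permission.INTERNET"},
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
    },
}

# Permissions that expose personal data or cost money; an unjustified request
# for one of these rejects the app outright instead of queuing it for review.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}


def requested_permissions(manifest_xml):
    """Static check: the set of permissions declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def review_app(manifest_xml, category, source_store, store_rating, min_rating=3.5):
    """Combine source, reputation and permission checks into an admission verdict."""
    findings = []
    perms = requested_permissions(manifest_xml)
    excessive = sorted(perms - JUSTIFIED_PERMISSIONS.get(category, set()))
    sensitive_excess = [p for p in excessive if p in SENSITIVE_PERMISSIONS]

    if source_store not in TRUSTED_STORES:
        findings.append(f"source {source_store!r} is not a designated app store")
    if store_rating < min_rating:
        findings.append(f"store rating {store_rating} is below threshold {min_rating}")
    for p in excessive:
        findings.append(f"excessive permission for a {category} app: {p}")

    # Untrusted source or an unjustified sensitive permission: reject.
    # Any other finding: hold for the manual review ENISA recommends.
    if source_store not in TRUSTED_STORES or sensitive_excess:
        verdict = "reject"
    elif findings:
        verdict = "manual-review"
    else:
        verdict = "admit"
    return {"verdict": verdict, "findings": findings, "excessive": excessive}


# Constructed sample manifests (not taken from any real app)
NOTES_APP_OVERREACH = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

NOTES_APP_MINIMAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("overreach", NOTES_APP_OVERREACH), ("minimal", NOTES_APP_MINIMAL)):
        result = review_app(xml, "notes", "corp-store.example", 4.2)
        print(label, result["verdict"], result["findings"])
```

Run as a script it prints a `reject` verdict for the note-taking app that asks for contacts and SMS access and `admit` for the one that asks only for network access. The category-to-permission table is the part that carries the policy: it is how "excessive privileges at install" becomes a concrete, reviewable rule rather than a judgement made app by app.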
Mobile devices offer significant opportunities in increasing productivity and catering to demands for flexible working styles, which can improve employee morale. However, even though threats against mobile devices have started to gain considerable attention recently, many organizations still have their heads in the sand. They need to consider the full range of threats that they face and take the appropriate steps to guard against them. In particular, organizations that allow the use of personally owned devices must carefully weigh the risks of rogue or insecure apps against the freedom of allowing users to work in the way that best suits them and of allowing them to install their own apps for their personal use.