Mobile apps can be a nightmare for IT. There are millions of them, and most were developed without any concern for security. Some IT organizations have tried to counter potential threats from mobile apps by blacklisting programs they deem risky, but that's not always effective.
Here are the top pitfalls of blacklisting, and alternative approaches to controlling the chaos that can result when a company's employees are working on mobile devices connected to the company network.
The 20 most-blocked mobile apps
An analysis by Appthority of the blacklists of its enterprise customers is revealing. For example, here are the top 10 Android apps blackballed by enterprises:
- Poot-debug(W100).apk
- AndroidSystemTheme
- Where's My Droid
- Weather
- Wild Crocodile
- Star War
- ggzzversion
- Boyfriend Tracker
- Chicken Puzzle
- Device Alive
In its analysis, Appthority ranks risk on a scale of 1 to 10, with 1 being the lowest risk. Eight of the apps in the Android top 10 had a risk score of 9, primarily because they contained malware. The other two apps—Boyfriend Tracker and Chicken Puzzle—scored a 6 because of data issues or privacy concerns.
On the iOS side of things, these apps were blacklisted the most:
- WhatsApp Messenger
- Pokémon GO
- WinZip Utilities
- CamScanner Productivity
- Plex
- Facebook Messenger
- eBay Kleinanzeigen
- Netease News
- Device Alive
The seven riskiest apps scored a 7. Their sins included sending SMS messages or sensitive data without encryption. Three programs—Pokémon GO, Plex, and Device Alive—scored a 6 because they did things such as access address books and cameras without permission and tracked a phone user's location.
Blacklisting's deficiencies
While these 20 apps were the most commonly blacklisted, there were plenty more in Appthority's list of 100 enterprise apps that were as risky or riskier to use. Many of those apps ask for permissions that can be a prelude to risky behavior—the ability to read and send text messages, for example, or access a phone's camera, microphone, and address book.
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said the proof was in the permissions.
"Users should avoid installing apps that require too many dangerous permissions. The more permissions an application has, the more risk it presents in the case that it's hacked."
—Leigh-Anne Galloway
The sheer volume of apps available to users can make blacklisting problematic. "Blacklisting apps has never had much success in stopping breaches in the PC world, and I don't see it as working in mobile either," said Georgia Weidman, CEO of Shevirah, a provider of tools for assessing and managing mobile device risk.
"If you blacklist an app, a million more with those same issues will take their place. Taking a set of apps and blacklisting them isn't going to solve any particular problem."
—Georgia Weidman
What's more, one enterprise's risky app is another's anointed app. "WhatsApp is on the list of bad apps," Weidman noted, "but a lot of organizations use WhatsApp or a similar secure, encrypted messenger for corporate communication."
We can't look at every application deeply enough to say yes or no definitively about whether its risky behavior is due to a sloppy developer or someone with malicious intent, she added.
Shadow IT complicates security
Making matters worse, employees often use productivity apps without IT's knowledge. Referred to as shadow IT, this practice has become prevalent within the bring-your-own-device (BYOD) culture, where people use their personal devices and download apps without informing IT, explained Michela Menting, digital security research director at ABI Research.
This is not always done maliciously by the employee, she said; often they do it in good faith, to increase their productivity or facilitate their work in some way.
"They forget that by not telling IT, they can put their organization at risk."
—Michela Menting
By keeping IT in the dark, mobile users broaden the attack surface available to an organization's adversaries. "BYOD extends your corporate environment to your employees' homes, vehicles, neighborhoods—and then enables them to bring whatever they picked up into your environment," said Devon Kerr, principal threat researcher at Endgame, a maker of cybersecurity solutions for enterprises.
"It is an inheritance model that is being taken advantage of by threat actors to gain a foothold in otherwise resistant organizations."
—Devon Kerr
One of the riskiest apps for an enterprise may not appear on any top 10 list at all: email. Email is risky for two reasons. Corporate credentials are needed to access a mailbox, and email is used to share a lot of sensitive corporate information.
Whitelisting apps can help
If emails or credentials are stored somewhere other than on a device or are accessible to a third party, in any way, the business is at significant risk, said Matt Hathaway, senior director of product marketing at Uptycs.
"The most important action for IT staff to take around email apps is to evaluate the most common, whitelist those that are secure, and configure their email servers to decline authentication attempts from any apps which aren't on this whitelist," Hathaway said.
For external programs, whitelisting should extend beyond email apps to all external mobile apps, added Positive Technologies' Galloway. "IT must also create rules" for the use of personal devices that can be used for work, she said.
Another approach is to host all applications accessible to a user's phone. Then when employees attempt to access corporate resources, they can do so only through the hosted apps. That essentially makes the phone act like a remote desktop client.
Daniel Kennedy, research director for information security and networking at 451 Research, said that in a true BYOD environment, IT's ability to control risky apps is limited. Enterprise mobility management or mobile device management tools provide part of the answer by allowing for capabilities on employee-owned devices, such as access revocation, conditional access, data wipe, additional authentication, and data separation, he said.
"Blocking access to company data or blacklisting certain apps based on risk are other options."
—Daniel Kennedy
Gautam Aggarwal, CMO and head of products at NSS Labs, a security testing, enterprise research, and threat analysis company, agreed that keeping a tight rein on access is a key to reducing mobile app risk. "The best approach to mitigate potential risks is to establish access-control policies that govern the use of mobile applications and, specifically, access to high-value applications and data on the network," he said.
"Regardless of your organization’s size, maintaining visibility into the types of devices accessing applications on the network is crucial to maintaining a proper security posture."
—Gautam Aggarwal
Thwarting threats with SIEMs
That kind of visibility can be obtained through the use of security information and event management (SIEM) software. SIEMs collect information from multiple network sources and analyze that data for potential or existing threats.
The tools monitor network activity and can generate alerts when suspicious activity is encountered, said Avast researcher Martin Hron.
"When used properly, a SIEM can notably reduce the risk of an enterprise network being infiltrated by malicious mobile applications installed on employees' phones."
—Martin Hron
To fully address mobile threats, though, a SIEM may need additional help. For example, some tools can track security issues on mobile devices and make that information available to a SIEM through APIs. This allows the SIEM to centralize both device monitoring and incident response.
SIEMs can help detect malicious activity from mobile apps if the company also uses an enterprise mobility management solution, which accumulates mobile device data, Positive Technologies' Galloway explained. "In those cases, a SIEM helps detect incidents such as theft of a device or confidential information."
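To make the EMM-to-SIEM correlation Galloway and Hron describe concrete, here is an added example that is not from the article or from any vendor named in it: it joins constructed EMM device records with constructed mail-server authentication log lines and raises an alert for a device reported lost, a mail client outside the allowlist Hathaway recommends, a device the EMM has never seen, and an installed app from a blocklist. The record fields, log format, allowlist and blocklist are all assumptions.

```python
import re
from typing import Dict, List

# Constructed EMM device inventory (field names are assumptions).
EMM_DEVICES: Dict[str, dict] = {
    "dev-001": {"user": "alice", "status": "active", "apps": ["Outlook", "Plex"]},
    "dev-002": {"user": "bob", "status": "reported_lost", "apps": ["Outlook"]},
    "dev-003": {"user": "carol", "status": "active",
                "apps": ["Outlook", "Poot-debug(W100).apk"]},
}
# Mail clients IT has evaluated and approved (assumed allowlist).
APPROVED_MAIL_CLIENTS = {"Outlook"}
# Apps the enterprise blocks; names taken from the article's Android list.
BLOCKED_APPS = {"Poot-debug(W100).apk", "Boyfriend Tracker"}
# Constructed mail-server authentication log; the line format is an assumption.
AUTH_LOG = """\
2021-03-01T08:00:01Z auth ok user=alice device=dev-001 client=Outlook
2021-03-01T08:05:12Z auth ok user=bob device=dev-002 client=Outlook
2021-03-01T08:07:44Z auth ok user=alice device=dev-001 client=RandomMail
2021-03-01T08:09:03Z auth ok user=dave device=dev-999 client=Outlook
2021-03-01T08:11:30Z auth ok user=carol device=dev-003 client=Outlook
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>\w+) user=(?P<user>\S+) "
    r"device=(?P<dev>\S+) client=(?P<client>\S+)$"
)


def correlate(log: str, devices: Dict[str, dict]) -> List[dict]:
    """Join each auth event with EMM data and return one alert per violation."""
    alerts: List[dict] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        ev = m.groupdict()
        base = {"ts": ev["ts"], "user": ev["user"], "device": ev["dev"]}
        dev = devices.get(ev["dev"])
        if dev is None:  # device unknown to EMM: unmanaged / shadow IT
            alerts.append({**base, "rule": "unmanaged_device"})
            continue
        if dev["status"] == "reported_lost":  # theft case from the article
            alerts.append({**base, "rule": "auth_from_lost_device"})
        if ev["client"] not in APPROVED_MAIL_CLIENTS:  # mail-app allowlist
            alerts.append({**base, "rule": "unapproved_mail_client",
                           "client": ev["client"]})
        for app in sorted(set(dev["apps"]) & BLOCKED_APPS):
            alerts.append({**base, "rule": "blocked_app_installed", "app": app})
    return alerts
```

In production the mail server would reject the unapproved client outright, as Hathaway suggests; the SIEM rule is the detective control that tells you the policy is being tested.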
Nothing's perfect
A word of warning for SIEM shoppers was voiced by Endgame's Kerr: "A SIEM is only as good as the human beings who are monitoring it and the procedures those human beings developed. If your organization is already struggling to monitor social media, monitoring mobile devices is going to be exceptionally challenging."
"Mobile device management, enterprise mobility management, mobile antivirus—pick your poison—they all provide value in controlling mobile apps," added Shevirah's Weidman. "But just as we still see PC malware, none of these products are going to 100% protect you.
"You have to accept that potentially malicious apps are going to get in your enterprise environment, so your goal should be to make sure that they do as little as possible to harm you when they do."
—Weidman