In June 2019, a study on mobile app vulnerabilities presented some incredible and worrisome findings. Most notably, high-risk vulnerabilities were found in 43 percent of mobile apps for Android and 38 percent for iOS, according to Positive Technologies. Now, consider this: In terms of market share, per IDC, Android owns nearly 87 percent and iOS owns around 13 percent.

Putting it all together, what does this mean for mobile security?

It means that many of us are walking around with devices that are probably highly exposed. The mobile security problem doesn’t just present high risk to individual users and organizations; it is also widespread, which makes mobile device management (MDM) doubly difficult.

Balance Business and Security Needs

Identifying the right mobile security solution for you means finding the happy balance between the speed of business and the necessity of security. Today, those two priorities could not sit further apart on the spectrum.

If I’m a business professional, I want every tool, every piece of data and every gizmo possible on my mobile device so I can pull it up in a flash, analyze and crunch the data and, quite candidly, make the sale. That’s my driver. Anything that slows me down just prevents me from conducting my business. I really don’t want to expose the business to any harm, but I need to get my job done and I can’t be slowed down by security.

On the other hand, if I’m a security professional, I want to limit every tool that isn’t deemed necessary (and test the ones that are), limit what data can be viewed and ensure these gizmos aren’t creating a mess that I’m going to have to clean up later. Honestly, I don’t want to slow down the sale, but I also don’t want to leave such a glaring hole in our security posture that we lose the company at the cost of closing a deal.

These two interests pull in opposite directions. The situation reminds me of the old saying: “Don’t lose sight of the forest for the trees.”

Both users and security staff need to be cognizant of the fact that they’re operating in the same forest, and it’s not that one grows the forest and the other protects it. Rather, both are responsible for growing and protecting it. It’s a shared responsibility.

So how do we get to a mobile security solution that grows the forest?

Assess Your Environment First

With so many technical solutions out there, the key to getting it right begins with asking the right questions, and that means making an accurate assessment of your IT environment. Even on the best of days this is no easy task, but assessing your environment, defining your risk tolerances and understanding your business processes are three areas that require an in-depth and sober understanding if you want to get your security process right.

Get these wrong, and you might find yourself going out of business in the near future. Go security-heavy, and you may find yourself unable to conduct business. Go business-heavy, and you may find yourself out of business because a malicious actor just stole all your intellectual property, competitor analyses and bid strategies.

So how should you go about assessing your environment for a mobile world? IBM Security developed a handy best practices white paper that is a great place to start when trying to decide what your mobile security path should look like.

Is BYOD Worth the Additional Risk?

I want to focus on best practices Nos. 7 and 8, because those are the ones that pay specific attention to mobile apps. I’m personally not a big fan of bring-your-own-device (BYOD); it presents an unbelievable convenience for so many users, but the associated enterprise security risks are becoming a bit too unwieldy for my liking. Therefore, if I’m part of the C-suite, I’m really starting to reconsider these practices.

Here’s why: I’m not all too concerned about the technical solutions. They’re actually becoming quite good. You can sandbox applications, there are service kiosks that allow only approved mobile apps and endpoint management tools are only getting better with the integration of artificial intelligence (AI). My concerns rest elsewhere — human behavior and potential legal issues — but first, a quick comment on technological gaps.

Good code is expensive. It’s an important issue because, as the Positive Technologies report stated, “Risks do not necessarily result from any one particular vulnerability on the client or server side. In many cases, they are the product of several seemingly small deficiencies in various parts of the mobile application.”

Mobile apps also present a “death by a thousand cuts” scenario, which is another reason why I think BYOD practices need to be reevaluated.

Decide How Much Risk You Are Willing to Accept

Back to human behavior and potential legal issues. Just like phishing, where one bad click could expose you to an array of nastiness, the same can be said for one bad mobile app. Therefore, if you’re following BYOD practices, make sure to look at step No. 7 from the IBM Security white paper and ensure your MDM solution is locking down what needs to be locked down.

If you follow the best practices guide, points Nos. 7 and 8 speak to control over the device and device location capabilities. That’s where I see legal issues, such as privacy concerns, on the horizon. Sure, employees can agree to certain terms, but if I’m using a personal device, why shouldn’t I be able to download any mobile app I want? Who cares if the app may have flaws? The device is mine, after all, isn’t it?

It all comes down to determining what level of risk you’re willing to accept. It’s always going to come back to that, along with knowing your environment and understanding your business processes.

Therefore, with so many risky mobile apps out there, one way of reducing this risk may be to start looking into your BYOD practices and determining if they make sense for your organization. The convenience may not be worth the hassle.
