How to Reduce the Risk Posed by Vulnerable Mobile Apps

July 30, 2019
| |
4 min read

In June 2019, a study on mobile app vulnerabilities presented some incredible and worrisome findings. Most notably, high-risk vulnerabilities were found in 43 percent of mobile apps for Android and 38 percent for iOS, according to Positive Technologies. Now, consider this: In terms of market share, per IDC, Android owns nearly 87 percent and iOS owns around 13 percent.

Putting it all together, what does this mean for mobile security?

It means that many of us are walking around with devices that are probably highly exposed. The mobile security problem doesn’t just present high risk to individual users and organizations, but it is also widespread, making mobile device management (MDM) doubly difficult.

Balance Business and Security Needs

The magic act of identifying the right mobile security solution for you means finding that happy balance between the speed of business and the necessity of security. Along the spectrum today, these two issues could not be further apart.

If I’m a business professional, I want every tool, every piece of data and every gizmo possible on my mobile device so I can pull it up in a flash, analyze and crunch the data and, quite candidly, make the sale. That’s my driver. Anything that slows me down just prevents me from conducting my business. I really don’t want to expose the business to any harm, but I need to get my job done and I can’t be slowed down by security.

On the other hand, if I’m a security professional, I want to limit every tool that isn’t deemed necessary (and test the ones that are), limit what data can be viewed and ensure these gizmos aren’t creating a mess that I’m going to have to clean up later. Honestly, I don’t want to slow down the sale, but I also don’t want to leave such a glaring hole in our security posture that we lose the company at the cost of closing a deal.

As you can see, these two interests couldn’t be further apart. The situation reminds me of the old saying: “Don’t lose sight of the forest for the trees.”

Both users and security staff need to be cognizant of the fact that they’re operating in the same forest, and it’s not that one grows the forest and the other protects it. Rather, both are responsible for growing and protecting it. It’s a shared responsibility.

So how do we get to a mobile security solution that grows the forest?

Assess Your Environment First

With so many technical solutions out there, the key to getting it right begins with asking the right questions. That means making the correct assessment of your IT environment. On the best of days, this is no easy task, but along with defining your risk tolerances and understanding your business processes, these three areas require an in-depth and sober understanding if you want to get your security process right.

Get these wrong, and you might find yourself going out of business in the near future. Go security-heavy, and you may find yourself unable to conduct business. Go business-heavy, and you may find yourself out of business because a malicious actor just stole all your intellectual property, competitor analyses and bid strategies.

So how should you go about assessing your environment for a mobile world? IBM Security developed a handy best practices white paper that is a great place to start when trying to decide what your mobile security path should look like.

Is BYOD Worth the Additional Risk?

I want to focus on best practices Nos. 7 and 8, because those are the ones that pay specific attention to mobile apps. I’m personally not a big fan of bring-your-own-device (BYOD); it presents an unbelievable convenience for so many users, but the associated enterprise security risks are becoming a bit too unwieldy for my liking. Therefore, if I’m part of the C-suite, I’m really starting to reconsider these practices.

Here’s why: I’m not all too concerned about the technical solutions. They’re actually becoming quite good. You can sandbox applications, there are service kiosks that allow only approved mobile apps and endpoint management tools are only getting better with the integration of artificial intelligence (AI). My concerns rest elsewhere — human behavior and potential legal issues — but first, a quick comment on technological gaps.

Good code is expensive. It’s an important issue because, as the Positive Technologies report stated, “Risks do not necessarily result from any one particular vulnerability on the client or server side. In many cases, they are the product of several seemingly small deficiencies in various parts of the mobile application.”

Mobile apps also present a “death by a thousand cuts” scenario, which is another reason why I think BYOD practices need to be reevaluated.

Decide How Much Risk You Are Willing to Accept

Back to human behavior and potential legal issues. Just like phishing, where one bad click could expose you to an array of nastiness, the same can be said for one bad mobile app. Therefore, if you’re following BYOD practices, make sure to look at step No. 7 from the IBM Security white paper and ensure your MDM solution is locking down what needs to be locked down.

If you follow the best practices guide, points No. 7 and 8 speak of control on the device and device location abilities. That’s where I see legal issues, such as privacy concerns, on the horizon. Sure, employees can agree to certain terms, but if I’m using a personal device, why shouldn’t I be able to download any mobile app I want? Who cares if the app may have flaws? The device is mine, after all, isn’t it?

It all comes down to determining what level of risk you’re willing to accept. It’s always going to come back to that, along with knowing your environment and understanding your business processes.

Therefore, with so many risky mobile apps out there, one way of reducing this risk may be to start looking into your BYOD practices and determining if they make sense for your organization. The convenience may not be worth the hassle.

George Platsis

George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related ...
read more