You likely use apps every day, from trivial games to important transactions like your banking. It can be easy to forget to update them. But all of the data flowing through those apps has an impact on security. It’s important to apply software updates and patch management best practices to them.

At the beginning of 2021, Simform reported that the average person had 40 apps installed on their phones and split 89% of their time between 18 of them. Millennials had even more apps installed on their devices at an average of 67. Those respondents spent most of their time on just 25 of them. More than half (58%) of those ‘popular’ apps included social media, gaming and communication, with users turning to maps, finance and other apps on an as-needed basis.

It’s not just the fact that mobile apps are more prevalent on users’ devices. They’re more prolific in general. For instance, Statista found that the total volume of apps on Apple’s App Store reached 2.22 million in the first quarter of 2021 — 6.10% higher than it was the previous quarter. Google’s app marketplace witnessed a 10.60% increase in the volume of apps during the same period, as reported by the market and consumer data company in September. You don’t have to do manual patch management on all of them, but should be aware of how they update.

App Update Business Benefits

The key benefit behind the use of apps is personalization. This logic flows both ways. Consumers who use apps can expect a more convenient and personalized experience than from the same service’s web portal. Businesses can also mine more data from their customers from an app than from a website. Organizations don’t always know what to do with customers’ address books, calendars and other data, noted Marketplace, but collecting that data now gives them the chance to find uses for it later on.

That data collection carries privacy and security risks for users, however. Consumers might not know which pieces of information they’re giving up in using an app. They can use the privacy policy to get an idea, but each privacy policy is different. There are no standards or regulations surrounding them. As a result, it might not always be clear which types of data users are giving to an app — even one with a privacy policy.

As for security, apps can expose users to potential threats. Apps don’t always update on their own, after all. Attackers could use software flaws to access the information handled by those apps. They could also take advantage of app weaknesses to gain access to the devices and/or machines on which they’re installed.

Software Updates to the Rescue

The threats discussed above emphasize the importance of software updates (from the user side) and patch management (from the enterprise side). According to Norton, running software updates helps to prevent malicious actors from taking advantage of operating systems and apps to access sensitive information. This translates into more robust digital security not only for users themselves but also for their social circles. Indeed, attackers have used malicious WhatsApp mods and other device compromises to pass on their threats to other people in a victim’s address book. By keeping software updates in mind, users can reduce the attack surface.

Updates don’t just address security weaknesses, either. They’re also useful for introducing new features and fixing bugs. Some of those updates could therefore allow users to take more granular control of their data privacy or security. Others could help an app to work more seamlessly with an OS update on a user’s device. Failure to update could therefore affect the function of the app and, by extension, a user’s productivity in certain cases.

Software Update and Patch Management Best Practices

Users and organizations alike can make the most of their software updates and patch management by creating an asset inventory. This is the logic behind the Center for Internet Security’s Critical Security Control (CIS Control) 2. A software inventory identifies which software is authorized, a resource that security professionals can use to inform their patching efforts. They can subsequently leverage that inventory to remove software that’s unauthorized or unmanaged, thereby helping to reduce the attack surface.

At the same time, organizations can use an updated asset inventory to perform other critical security functions. Those initiatives include using CIS Control 4 to maintain the security configurations of organizations’ assets. To do this, organizations can set a baseline for how their software is expected to behave. They can then monitor that behavior against the baseline. If there’s any unexpected deviation, teams can take action to return the software and the way it behaves to the baseline.

Second, make sure you’re paying attention to patch management for critical software vulnerabilities. All vulnerabilities carry some level of business risk. That’s because different assets hold differing levels of value to the business. Know which of your critical assets could expose sensitive information and handle them first.

Finally, don’t run software updates while connected to untrusted networks. The danger here is that malicious actors could use an untrusted network connection to inject themselves into the update process. From there, they can install malware or profile the victim’s system for follow-up attacks. If you must update while away from a trusted network, follow the guidance of the U.S. Cybersecurity & Infrastructure Security Agency and use a Virtual Private Network connection to a trusted network before applying the updates.
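The inventory and prioritization steps above can be made concrete in a few lines of code. The following is an added example (not code from the original article, CIS, or CISA) that reconciles a constructed software inventory against an authorized-software list with minimum approved versions, and then orders vulnerability findings by the product of CVSS severity and asset criticality rather than by severity alone, which is the point of handling critical assets first. Host names, app names, version numbers, CVE-style identifiers and criticality ratings are all constructed placeholders.

```python
"""Inventory reconciliation and patch prioritisation (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InstalledApp:
    host: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    app: str
    cve: str      # placeholder identifier, not a real CVE
    cvss: float   # CVSS base score, 0.0 to 10.0


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.0' into (4, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed authorized-software list: app name -> minimum approved version (CIS Control 2 style).
AUTHORIZED_MIN_VERSION: Dict[str, str] = {
    "banking-app": "4.2.0",
    "maps": "11.0.1",
    "chat": "2.9.3",
}

# Constructed asset criticality ratings (5 = most critical to the business).
ASSET_CRITICALITY: Dict[str, int] = {
    "pos-terminal-01": 5,
    "finance-laptop-07": 4,
    "kiosk-03": 2,
}

# Constructed inventory as it might be collected from endpoints.
INVENTORY: List[InstalledApp] = [
    InstalledApp("pos-terminal-01", "banking-app", "4.1.7"),
    InstalledApp("pos-terminal-01", "chat", "2.9.3"),
    InstalledApp("finance-laptop-07", "banking-app", "4.2.0"),
    InstalledApp("finance-laptop-07", "game-x", "1.0.0"),
    InstalledApp("kiosk-03", "maps", "10.8.0"),
]

# Constructed vulnerability findings mapped onto the inventory.
FINDINGS: List[Finding] = [
    Finding("pos-terminal-01", "banking-app", "CVE-0000-00001", 8.1),
    Finding("kiosk-03", "maps", "CVE-0000-00002", 9.8),
    Finding("finance-laptop-07", "game-x", "CVE-0000-00003", 6.5),
]


def reconcile(inventory: List[InstalledApp], authorized: Dict[str, str]) -> Dict[str, List[InstalledApp]]:
    """Split the inventory into unauthorized, outdated and compliant installs."""
    report: Dict[str, List[InstalledApp]] = {"unauthorized": [], "outdated": [], "compliant": []}
    for app in inventory:
        if app.name not in authorized:
            report["unauthorized"].append(app)          # candidate for removal
        elif parse_version(app.version) < parse_version(authorized[app.name]):
            report["outdated"].append(app)              # candidate for patching
        else:
            report["compliant"].append(app)
    return report


def risk_score(finding: Finding, criticality: Dict[str, int], default: int = 1) -> float:
    """Business risk = severity weighted by how critical the affected asset is."""
    return finding.cvss * criticality.get(finding.host, default)


def prioritize(findings: List[Finding], criticality: Dict[str, int]) -> List[Finding]:
    """Highest business risk first; a lower-CVSS flaw on a critical asset can outrank a higher one elsewhere."""
    return sorted(findings, key=lambda f: risk_score(f, criticality), reverse=True)


if __name__ == "__main__":
    report = reconcile(INVENTORY, AUTHORIZED_MIN_VERSION)
    for bucket, apps in report.items():
        print(bucket, [(a.host, a.name, a.version) for a in apps])
    for f in prioritize(FINDINGS, ASSET_CRITICALITY):
        print(f"{risk_score(f, ASSET_CRITICALITY):5.1f}  {f.host:18} {f.app:12} {f.cve}")
```

With the constructed data, the 9.8 finding on the low-criticality kiosk lands last in the queue, behind the 8.1 on the point-of-sale terminal and the 6.5 on the finance laptop; the unauthorized `game-x` install shows up for removal rather than patching. In practice the inventory would be fed from an endpoint agent or MDM export and the criticality ratings from the organization's asset register.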

Make Patch Management a Habit

Software updates and patch management are part of life in the digital age. It’s just like brushing one’s teeth: a regular practice for most people, but what that means differs from person to person. The hygiene is what counts. Indeed, by using the software update best practices discussed above, organizations and users can elevate software updates and patch management from something that might be inconvenient to something that lays the foundation for all security efforts and drives their interests forward.
