Enterprises are playing Russian roulette with mobile apps, writes Vincent Smyth, Senior Vice President EMEA, Flexera Software.
As businesses roll out their BYOD strategies, most CIOs and CEOs have no idea that many of the mobile apps allowed to touch corporate systems and data engage in risky behaviours that could compromise data security and policy. This danger was underscored recently when a free app, Flashlight, which activated the phone’s flash so it could be used as a torch, secretly recorded personal user information such as the phone’s location, details of the owner, etc., and sent it on to advertisers. In fact, an alarming percentage of mobile apps being used within the enterprise are able to access sensitive device functions, or otherwise exhibit behaviour that may pose security risks to the organisation and violate its Bring Your Own Device (BYOD) policies. Without understanding what these apps do and how, organisations are playing Russian roulette with their security.
Forget hacker threat and malicious software for a moment. Seemingly harmless, everyday apps that abound on every employee’s mobile device could serve as that unexpected bullet in the chamber. This is because mobile operating systems include APIs that apps can use to access potentially confidential, proprietary or sensitive data, like contact lists, photos, and calendars. In addition, apps could access corporate social media accounts accessible on the device as well as built-in hardware features like GPS, camera, audio recorder, etc. In fact, many apps have undocumented features that could be used for malicious or harmful purposes.
The risk to organisations is high, because most IT teams don’t have the same insight into and control over mobile app behaviours as they do with traditional enterprise software. So it’s essential that they adopt the same best practices and processes to prepare mobile apps for delivery as they do with desktop and other applications. As IT teams begin to analyse mobile apps and build institutional knowledge around their behaviour, they can substantially reduce the Russian roulette effect that mobile apps currently pose.
Arrrrr! (Application Readiness Reduces Russian Roulette Risk)
Organisations with mature internal processes adopt Application Readiness best practices, processes and technology to prepare enterprise apps for internal roll-out – whether they’re physical, virtual, cloud, desktop or mobile applications. This provides a standardised best practice method for reliably and predictably testing, packaging and deploying apps into the enterprise.
Through Application Readiness automation, IT gains essential insights into mobile app behaviour. For instance, application reputation scanning, which examines app properties and configuration, determines the mobile device features that the app uses and issues a report that can be used to establish policies defining which behaviours are risky. These policies can then be used by the Application Readiness solution to automatically identify risky apps, allowing IT to manage them appropriately.
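As an added illustration (not Flexera’s product or any tool the article describes), the Python snippet below performs the manifest-level half of such a scan: it reads the permissions an Android app declares, maps them to the device capabilities named above, and checks them against a hypothetical BYOD policy keyed by app category. The sample manifest, the permission-to-capability mapping and the policy are all constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset mapping Android permissions to the device capabilities the
# article singles out (location, contacts, calendar, photos, camera, audio).
CAPABILITY_OF = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio_recorder",
    "android.permission.INTERNET": "network",
}
DATA_CAPS = {"location", "contacts", "calendar", "photos", "camera", "audio_recorder"}

# Hypothetical BYOD policy: capabilities each app category may legitimately use.
POLICY = {"utility": {"network"}, "messaging": {"contacts", "camera", "network"}}

def permissions_from_manifest(manifest_xml: str) -> list[str]:
    # Collect the <uses-permission android:name="..."/> entries the app declares.
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return sorted(n for n in names if n)

def assess(manifest_xml: str, category: str) -> dict:
    # Compare the app's declared capabilities with the policy for its category.
    perms = permissions_from_manifest(manifest_xml)
    caps = {CAPABILITY_OF[p] for p in perms if p in CAPABILITY_OF}
    violations = sorted(caps - POLICY[category])
    # Sensitive data on the device plus a network path out is the pattern in the
    # flashlight case: information gathered locally, then sent to third parties.
    exfil_path = bool(caps & DATA_CAPS) and "network" in caps
    return {"capabilities": sorted(caps), "violations": violations,
            "exfiltration_path": exfil_path,
            "verdict": "block" if violations else "approve"}

# Constructed manifest modelled on the flashlight scenario: a torch utility that
# also asks for location, contact and network access it does not need.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```

The same permission set is acceptable for a messaging app under this policy, which is why the report is keyed by app category rather than by permissions alone.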
Identifying and effectively managing risky mobile apps not only minimises risk but also enhances the user experience. Employees can use authorised apps with confidence, knowing they’ve been thoroughly vetted. And security officers will have greater confidence that danger has been averted by avoiding apps that exhibit risky behaviours, or by eliminating those risky behaviours before the apps are allowed access to the corporate network.
Many organisations add new teams to deal with mobile apps and app security. However, existing teams should have all the experience necessary. IT organisations that already leverage Application Readiness best practices, processes and technology to safely and reliably deploy enterprise apps can extend these same processes for mobile apps. And in doing so, companies will simultaneously improve operational efficiency and ensure a standardised process for deploying all applications. Adding mobile apps simply involves extending the familiar process to additional formats, operating systems, and deployment solutions such as mobile device management systems.
For instance, Application Readiness teams have already proven their ability to deal with new formats (application virtualisation) and new operating systems (Windows 8). The same teams are also likely to be involved in preparing desktop apps for mobile device access via Citrix/RDS. So extending a single, standardised and consistent Application Readiness process to cover all enterprise applications, including mobile apps, makes sense. Leveraging their knowledge and efficiency translates into greater IT agility and lower cost in maintaining Application Readiness.
Even the most innocent mobile apps can pose tremendous risk to organisations unaware of how their design and function can access sensitive data and, potentially, disseminate that data in violation of BYOD policies. By taking a comprehensive approach to managing the entire enterprise application lifecycle, mobile apps included, organisations can leverage existing staff, expertise and technology to test mobile apps, understand their threat potential, and take appropriate measures. After all, you’re not really playing Russian roulette if you don’t play with loaded weapons.