A survey of “unsafe” applications has found that 85 per cent expose sensitive device data, and a third perform suspicious security actions.
The survey of 400,000 mobile applications by Veracode, found that 140,000 were deemed to be unsafe, and a third (37 per cent) checking to see if the device is rooted or jailbroken and another third (35 per cent) retrieve or share personal information about the user such as browser history and calendars.
Speaking to IT Security Guru, Veracode vice president of mobile security Theodora Titonis, said the behavioural analysis was on static applications which allowed it to see the application behaviour. “We found that three per cent of what we looked at were malicious apps and there was a high probability of it doing something like trying to root a device,” she said. “Also we saw that some were trying to get to the device identifying information and unique identifier to track the user. With an iOS flashlight app we found it
Titonis said that one problem is that apps are built using old code libraries and third party data, and there is no insight into what the libraries are doing, so businesses are reliant on verification services such as that offered by Veracode to do static analysis.
“Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO.
“Veracode’s automated cloud-based reputation service and MDM/EMM integrations were purpose-built to address the speed and scale required to effectively secure employee devices in global enterprise environments.”
Titonis said that the bigger problem with the mobile apps is that many people will download them to their corporate devices, there are options such as mobile device management and dual persona functions to keep apps apart, but often employees want convenience.
She said: “I look at tools as a programme to bring together security, IT and the business unit, but IT cannot keep up with blacklisting apps so they need to scale a programatic approach. When devices are issued, businesses need to decide what apps are allowed on the device, otherwise how do you know what apps are being accessed and what they are doing?
“The first phase is about working with the employee and if you find something you don’t want on the device, send notifications, then block enterprise email and finally remote wipe. It is better than blocking as an employee will find ways around.”
