Saturday, 3 January 2015

Is Your Favourite App Sharing Corporate Data

Over the first half of this decade, countless devices have been brought into the corporate workforce by the BYOD (Bring Your Own Device) trend. Security professionals expected mobile viruses and malware incidents to tag along with them, producing a huge uptick in incidents that mirrored what began in the PC ecosystem fifteen years ago.
However, those fears have largely been misplaced. According to a recently released report from app analysis vendor Appthority, mobile app data leakage and collection pose a far greater risk to business users than anyone had imagined.
The culprit? Data mining by apps.

Digging For (Your) Gold

The report detailed the widespread collection of data by the current top 100 free and top 100 paid apps on both the Android and iOS smartphone platforms. Appthority ran a comprehensive range of static, dynamic and behavioral analysis against all 400 apps in a test environment.
The report showed that among free Android apps, 88% of the top 100 apps available on Google Play collect user data in the form of unique device identifiers (UDIDs) or IMEIs, while 82% engage in location tracking and 30% access users' address books. These are typically default settings.

Though Apple presents iOS as a more secure and privacy-focused alternative to Android, the stats weren't much better for its platform. More than half of the top 100 free apps on the App Store engage in the same UDID and location tracking, and 26% also access users' address books.

Even when users paid for apps, the report found that data collection was still prevalent. Out of the top 100 paid Android apps, for instance, 65% still utilized UDID details, 49% collected location data and 14% accessed address books. On the iOS side, 28% used UDIDs, 24% collected location data and 8% accessed address books.
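The report's per-category percentages come from static analysis of what each app is allowed to touch. As an added example (not Appthority's tooling or code from this post), the Python below does the same kind of triage over a handful of constructed AndroidManifest.xml fixtures: it maps real Android permission names onto the categories the report counts (device identifiers, location, address book) plus the camera, call/SMS, Wi-Fi and account permissions complained about later on the page, flags apps that can both collect and reach the network, and produces the fleet-wide percentages in the same shape the report gives. The package names and permission sets are made up for the illustration.

```python
"""Static triage of Android manifests for the data-collecting permissions the report counts.

Added example; the manifests below are constructed fixtures, not real apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names grouped into the categories discussed on the page:
# device IDs, location, address book, camera, calls/SMS, Wi-Fi neighbours, accounts.
CATEGORIES = {
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},  # IMEI and similar IDs
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "address_book": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "calls_sms": {"android.permission.READ_CALL_LOG",
                  "android.permission.READ_SMS",
                  "android.permission.RECEIVE_SMS"},
    "wifi_neighbours": {"android.permission.ACCESS_WIFI_STATE"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}
NETWORK = "android.permission.INTERNET"


def make_manifest(package, permissions):
    """Build a minimal AndroidManifest.xml string (constructed test fixture)."""
    uses = "".join(f'  <uses-permission android:name="{p}"/>\n' for p in permissions)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
            f"{uses}</manifest>\n")


# Hypothetical package names; the permission sets are chosen to exercise each category.
SAMPLE_MANIFESTS = {
    "com.example.flashlight": make_manifest("com.example.flashlight", [
        "android.permission.READ_PHONE_STATE",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_CONTACTS",
        NETWORK]),
    "com.example.notes": make_manifest("com.example.notes", [NETWORK]),
    "com.example.game": make_manifest("com.example.game", [
        "android.permission.READ_PHONE_STATE",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.CAMERA",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_SMS",
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.GET_ACCOUNTS",
        NETWORK]),
    "com.example.calculator": make_manifest("com.example.calculator", []),
}


def manifest_permissions(xml_text):
    """Return the set of permission names declared by <uses-permission> elements."""
    root = ET.fromstring(xml_text)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def classify(permissions):
    """Data categories an app can reach, judged from its declared permissions."""
    return {cat for cat, names in CATEGORIES.items() if permissions & names}


def triage(manifests):
    """Per-app view: which categories it can collect and whether it can send them off-device."""
    report = {}
    for package, xml_text in manifests.items():
        perms = manifest_permissions(xml_text)
        cats = classify(perms)
        report[package] = {
            "categories": sorted(cats),
            # Collection is only a leakage concern if the app also has network access.
            "can_exfiltrate": bool(cats) and NETWORK in perms,
        }
    return report


def fleet_summary(manifests):
    """Percentage of apps touching each category: the shape of figure the report gives."""
    total = len(manifests)
    counts = dict.fromkeys(CATEGORIES, 0)
    for xml_text in manifests.values():
        for cat in classify(manifest_permissions(xml_text)):
            counts[cat] += 1
    return {cat: round(100 * n / total) for cat, n in counts.items()}


if __name__ == "__main__":
    for package, row in triage(SAMPLE_MANIFESTS).items():
        print(package, row)
    print(fleet_summary(SAMPLE_MANIFESTS))
```

On a real fleet you would feed it the decoded manifests pulled from each APK (for example via apktool or aapt) rather than constructed strings; declared permissions are an upper bound on what the app may touch, so the dynamic and behavioral analysis the report also ran is what confirms which of those permissions are actually exercised.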

Why it Matters

Mobile app data collection exposes enterprises and users to a number of risks that IT departments do not usually consider. For example, if a user syncs their corporate Outlook account with an unmanaged smartphone, that device and all of its apps will have access to an address book containing contact details for the user's personal contacts as well as the company's customers and suppliers. If an app that collects that address book information is compromised, attackers could have the information necessary to send spam to those contacts, gather clients' phone details, read calendar entries, and access confidential information such as contracts or quotes sent via email.

Although most organizations outside government don't appear concerned about apps sharing location tracking data, they really should take note. Think of it this way: if a third party can discover the location of key executives, they could use that information to predict M&A activity. From an HR perspective, most employees would not want their after-work movements tracked by an employer, however innocent those movements are, while, say, on a business trip.

Or, from a life-and-death perspective: a U.S. soldier shared a picture on Twitter of himself arriving at an Iraqi base. The picture included location details via geotagging and was shared on the internet. These were downloaded by enemy soldiers, who launched a mortar attack on the exact location where the soldier landed, destroying the U.S. military helicopters on the base.
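The geotag in that story is ordinary EXIF metadata, which a defender can check for (and remove) before an image leaves a device or a mailbox. The Python below is an added example, not part of the original post: it builds a constructed JPEG fixture carrying a GPS sub-IFD, reads the latitude and longitude back as decimal degrees, and strips the APP1/Exif segment that holds them. The coordinates and the helper names (build_sample_jpeg, extract_gps, strip_exif) are assumptions made for this illustration.

```python
"""Detect and strip GPS geotags from a JPEG's EXIF block.

Added example: the JPEG is a constructed fixture (SOI, APP1/Exif, EOI, no image data)
and the coordinates are made-up values, not the location from the anecdote."""
import struct

GPS_IFD_POINTER = 0x8825           # IFD0 tag pointing at the GPS sub-IFD
GPS_TAGS = (1, 2, 3, 4)            # GPSLatitudeRef, GPSLatitude, GPSLongitudeRef, GPSLongitude
EXIF_HEADER = b"Exif\0\0"


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Build a minimal geotagged JPEG: little-endian TIFF with IFD0 -> GPS IFD."""
    le = "<"
    tiff = b"II" + struct.pack(le + "HI", 42, 8)            # header: IFD0 at offset 8
    gps_off = 8 + 2 + 12 + 4                                  # IFD0 is one entry long
    tiff += struct.pack(le + "H", 1)
    tiff += struct.pack(le + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)  # type 4 = LONG
    tiff += struct.pack(le + "I", 0)                          # no next IFD
    data_off = gps_off + 2 + 4 * 12 + 4                       # rationals follow the GPS IFD
    tiff += struct.pack(le + "H", 4)
    tiff += struct.pack(le + "HHI", 1, 2, 2) + lat_ref.encode().ljust(4, b"\0")  # ASCII inline
    tiff += struct.pack(le + "HHII", 2, 5, 3, data_off)       # type 5 = RATIONAL, three of them
    tiff += struct.pack(le + "HHI", 3, 2, 2) + lon_ref.encode().ljust(4, b"\0")
    tiff += struct.pack(le + "HHII", 4, 5, 3, data_off + 24)
    tiff += struct.pack(le + "I", 0)
    for value in (*lat_dms, *lon_dms):                        # degrees, minutes, seconds as n/1
        tiff += struct.pack(le + "II", value, 1)
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment after SOI, up to SOS/EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: (type, count, value_or_offset, raw 4 value bytes)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[pos:pos + 12])
        entries[tag] = (typ, n, val, tiff[pos + 8:pos + 12])
        pos += 12
    return entries


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries a GPS geotag, else None."""
    tiff = next((jpeg[s + 10:e] for m, s, e in _segments(jpeg) if _is_exif(jpeg, m, s)), None)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, ifd0[GPS_IFD_POINTER][2], endian)
    if any(tag not in gps for tag in GPS_TAGS):
        return None

    def dms(entry):                       # three RATIONALs -> degrees, minutes, seconds
        nums = struct.unpack(endian + "6I", tiff[entry[2]:entry[2] + 24])
        return [nums[i] / nums[i + 1] for i in range(0, 6, 2)]

    def decimal(parts, ref):
        d, m, s = parts
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    lat_ref = gps[1][3].rstrip(b"\0").decode("ascii")
    lon_ref = gps[3][3].rstrip(b"\0").decode("ascii")
    return decimal(dms(gps[2]), lat_ref), decimal(dms(gps[4]), lon_ref)


def strip_exif(jpeg):
    """Return the JPEG with every APP1/Exif segment removed (the geotag goes with it)."""
    out, last = bytearray(), 0
    for m, s, e in _segments(jpeg):
        if _is_exif(jpeg, m, s):
            out += jpeg[last:s]
            last = e
    out += jpeg[last:]
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg((51, 30, 0), "N", (0, 7, 30), "W")   # constructed coordinates
    print("geotag:", extract_gps(photo))
    print("after strip:", extract_gps(strip_exif(photo)))
```

Run against real photos, extract_gps is the detection (anything other than None on an outbound attachment or upload is worth flagging) and strip_exif is the mitigation; dropping the whole APP1 segment also removes other camera metadata, which is the usual trade-off such sanitisers make.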

Where Does Your Data Go?

Data collection by mobile apps alone is cause for concern; however, the report goes on to identify ad networks as the ultimate destination of the data.
Seventy-one percent of the top free Android apps and 38% of the top paid Android apps share user data with ad networks. Meanwhile, 32% of the top free iOS apps and 16% of the top paid iOS apps share user data with mobile ad networks.

Users are frequently unaware of such data collection practices because the privacy policy is posted obscurely on the app developer's website.

Phoenix-based security researcher Joe Giron found that a surprising amount of users' data is being collected by Uber's mobile application and labels it as nothing more than malware. Joe writes in his security blog:
"Christ man! Why the hell would it want access to my camera, my phone calls, my Wi-Fi neighbors, my accounts, etc?" "Why the hell is this here? What's it sending? Why? Where? I don't remember agreeing to allow Uber access to my phone calls and SMS messages"

The huge growth of mobile ad networks poses multiple risks. According to the leaked Snowden documents, attackers can pose as an ad network and obtain user data directly; they could compromise an ad network's software development kit and infiltrate an app, or simply target the potentially vast data stores held by dozens of ad networks around the world. The users' details are then used to initiate large-scale malware and phishing attacks.

How Do We Secure Apps?

Currently there are an estimated one million BYOD-connected apps in the workplace, and more than 80% of those apps have access to corporate data. The same apps that make the device useful or fun could potentially cause harm to a business. The harm could stem from poor design practices or simply from the app working exactly as it was designed to work: collecting your data.

There is a workplace solution for securing apps in the enterprise, though. Apps can be managed with secure containerization through EMM (enterprise mobility management). Strategy Analytics recently recognized BlackBerry BES10 as the most cost-effective and comprehensive EMM solution available. BES10 can manage BlackBerry, iOS and Android devices by setting up a personal workspace and an enterprise workspace. The personal workspace holds the user's private apps and images, while the enterprise workspace contains all work-related documents and contacts; data-collecting apps are shut out and cannot access that portion of the device.

The United Kingdom’s Centre for the Protection of National Infrastructure deploys BES to secure sensitive government data, and provides a great example of a large-scale deployment tackling the issue head-on.