The first rule of managing a BYOD environment is to set good policies governing who can do what activities and access which data. But if you don't know what apps really do -- like harvesting a smartphone user's contact list -- you can't build effective policies. Appthority helps you manage the risk from mobile applications by analyzing what apps are actually capable of doing.
Surveys show that 3 out of 4 organizations allow BYOD (bring your own device) in the enterprise. Because of the rapid growth of the BYOD phenomenon, businesses struggle to understand their risk exposure from mobility. IT is in the uncomfortable position of playing catch-up to ensure that security isn't sacrificed in the name of employee productivity.
At first it was thought that malware posed the greatest risk to smart devices. This line of thinking was derived from our collective experience with PC operations, where malware, along with unintentional software vulnerabilities, poses one of the greatest risks to security. Malware on mobile devices is a problem, but today it doesn't even approach the magnitude of security and privacy issues that are intentionally built into well over 80% of the iOS and Android apps on the market. [See "How mobile apps can take whatever data they want from a smartphone."]
Appthority is in the business of mobile app risk management. The company has analyzed close to 1 million unique apps across the iOS and Android platforms to determine what these apps are capable of doing, and the results may surprise (or even alarm) you.
[ IN PICTURES: 9 iPhone-iPad Apps That Invade Your Privacy, and 1 That Doesn't ]
Appthority performs deep security analyses of mobile applications. The company has a cloud-based system where it virtualizes the devices that run these apps. Appthority runs each app with both static analysis and dynamic analysis to determine what the app can do beyond its advertised main function (e.g., gaming, news services, productivity, etc.). Appthority analyzes an app to uncover, for example, what other apps it can communicate with; what backend systems, URLs or websites the app accesses; what permissions the app requests versus what permissions the app actually uses (because there's often a mismatch there); what behaviors the app exhibits; and how the app is managing sensitive data, including whether or not it is using encryption.
Using this information, Appthority has built an extensive library of app reputations. This information is essential to enterprises that are trying to develop policy and manage mobile security, says Domingo Guerra, president and co-founder of Appthority. "If you don't really know what apps do, you can't build effective policy regarding their use," says Guerra. "There are lots of technologies on the market that are policy enforcers, but they only enforce what you tell them to do." Appthority provides the information that helps enterprises determine what policies they want to set pertaining to various mobile apps.
There are lots of risky behaviors inherent in mobile apps. Appthority puts these behaviors into four categories:
- Accessing the user contacts on a smartphone (including the contact information that may come from corporate email that syncs to the phone)
- Accessing the user's calendar information
- Collecting or determining the user's location and tracking his movements
- Passing along any or all of this information to ad networks or analytics companies
In the app reputation report released in July 2012, Appthority reported that 96% of iOS and 84% of Android apps can access at least one of these data risk categories. What's more, apps intended for business use don't behave much better than gaming apps.
Enterprise organizations can benefit from Appthority's app analyses in several ways. Organizations that already use a mobile device management (MDM) or mobile app management (MAM) solution can incorporate Appthority's app reputation information to help formulate policy of who can access what apps, and when. The idea is that app security shouldn't use a one-size-fits-all approach. An app that may be acceptable for one company or job role may not be safe for another company or role.
Appthority also helps developers in the enterprise and outside the enterprise build safer apps and distribute them through enterprise app stores. It's rare that an app is built 100% by one developer. Oftentimes developers use a third party SDK to track users, provide comments, link to Facebook, or provide analytics or some other functionality. Appthority helps developers by looking for issues in third party code they might be using.
To secure corporate content, networks and data, an enterprise really has to focus on risk management over that data, and what can access that data. It's not the device but the apps that access the data -- managing it, transmitting it, and sometimes repackaging it, encrypting or not encrypting it. The enterprise should learn as much as it can about these apps so in order to build good mobile policies.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.