
At least 80% of mobile apps have security and privacy issues that put enterprises at risk

IT Best Practices Alert By Linda Musthaler, Network World
February 01, 2013 03:27 PM ET

Network World - Surveys show that 3 out of 4 organizations allow BYOD (bring your own device) in the enterprise. Because of the rapid growth of the BYOD phenomenon, businesses struggle to understand their risk exposure from mobility. IT is in the uncomfortable position of playing catch-up to ensure that security isn't sacrificed in the name of employee productivity.

At first it was thought that malware posed the greatest risk to smart devices. This line of thinking was derived from our collective experience with PC operations, where malware, along with unintentional software vulnerabilities, poses one of the greatest risks to security. Malware on mobile devices is a problem, but today it doesn't even approach the magnitude of security and privacy issues that are intentionally built into well over 80% of the iOS and Android apps on the market. [See "How mobile apps can take whatever data they want from a smartphone."]

Appthority is in the business of mobile app risk management. The company has analyzed close to 1 million unique apps across the iOS and Android platforms to determine what these apps are capable of doing, and the results may surprise (or even alarm) you.

Appthority performs deep security analyses of mobile applications. The company has a cloud-based system where it virtualizes the devices that run these apps. Appthority subjects each app to both static analysis and dynamic analysis to determine what the app can do beyond its advertised main function (e.g., gaming, news services or productivity). Appthority analyzes an app to uncover, for example, what other apps it can communicate with; what backend systems, URLs or websites the app accesses; what permissions the app requests versus what permissions the app actually uses (because there's often a mismatch there); what behaviors the app exhibits; and how the app is managing sensitive data, including whether or not it is using encryption.

Using this information, Appthority has built an extensive library of app reputations. This information is essential to enterprises that are trying to develop policy and manage mobile security, says Domingo Guerra, president and co-founder of Appthority. "If you don't really know what apps do, you can't build effective policy regarding their use," says Guerra. "There are lots of technologies on the market that are policy enforcers, but they only enforce what you tell them to do." Appthority provides the information that helps enterprises determine what policies they want to set pertaining to various mobile apps.

There are lots of risky behaviors inherent in mobile apps. Appthority puts these behaviors into four categories:

  • Accessing the user contacts on a smartphone (including the contact information that may come from corporate email that syncs to the phone)
  • Accessing the user's calendar information
  • Collecting or determining the user's location and tracking his movements
  • Passing along any or all of this information to ad networks or analytics companies

In the app reputation report released in July 2012, Appthority reported that 96% of iOS and 84% of Android apps can access at least one of these data risk categories. What's more, apps intended for business use don't behave much better than gaming apps.
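
To make the "permissions requested versus permissions actually used" comparison and the four risk categories concrete, here is an added Python example; it is not Appthority's code or method and was not part of the original column. It assumes the Android manifest has already been decoded to text XML and that a dynamic-analysis run has produced the permissions exercised and hosts contacted; the sample manifest, the observed data and the ad/analytics host list are all constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the article's data-risk categories.
CATEGORY_BY_PERMISSION = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
# Constructed dynamic-analysis output and a hypothetical ad/analytics host list.
SAMPLE_OBSERVED = {"permissions_used": ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                                        "android.permission.ACCESS_FINE_LOCATION"],
                   "hosts": ["api.example.com", "ads.example.net"]}
AD_ANALYTICS_HOSTS = {"ads.example.net", "metrics.example.org"}

def requested_permissions(manifest_xml):
    """Static view: every permission declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)  # use a hardened XML parser for untrusted input
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names

def assess(manifest_xml, observed, ad_hosts):
    """Combine the static and dynamic views into a small app-reputation record."""
    requested = requested_permissions(manifest_xml)
    used = set(observed["permissions_used"])
    # Categories the app *can* reach, judged by what it requests.
    categories = {CATEGORY_BY_PERMISSION[p] for p in requested if p in CATEGORY_BY_PERMISSION}
    contacted = sorted(h for h in set(observed["hosts"]) if h in ad_hosts)
    # Heuristic: sensitive access plus ad/analytics traffic is flagged for review;
    # host contact alone does not prove which data was sent.
    if contacted and categories:
        categories.add("third_party_sharing")
    return {"risk_categories": sorted(categories),
            "requested_not_used": sorted(requested - used),  # the mismatch
            "ad_analytics_hosts": contacted}

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_OBSERVED, AD_ANALYTICS_HOSTS))
```

A record like this is the kind of input a policy enforcer needs: the `requested_not_used` list shows over-requested permissions, and `risk_categories` shows which of the four categories the app can reach.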

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
