Tip

Mobile application security issues and threat vectors in enterprises

As mobile application security threats take on serious proportions, we explore the issues and risks involved for users and enterprises.

According to a recent study, 70% of malware threats to the network come from mobile applications. Couple this with an IDC statistic which expects mobile application downloads to cross 182.7 billion by 2015 as against 10.7 billion in 2010, and you get a very scary picture.

The need for close scrutiny around mobile application security in the enterprise is a must. Today, 30% of applications obtain device location without explicit user consent. 14.7% of applications request permissions to initiate phone calls without user knowledge. Another 6% request access to all accounts on a device; 4.8% can send SMSs without user involvement or knowledge. This is one side of the coin. Research reports inform that up to 50% users on the other hand may not have any mobile app security software installed on their device.

Today’s mobile app threats scenario

As trends like bring your own device (BYOD) takes big strides in the Indian enterprises, it’s essential to make users aware of issues around mobile applications. Some of these are:

  1. Mobile pick-pocketing: Malware and apps indulge in petty financial fraud such as the generation of premium SMSs and premium phone-calls without user intervention or approval.
  2. Stealing of personal information: Theft of information like contacts, SMSs and media files is widespread, especially on open platforms. A huge market exists for such databases.
  3. Spyware: Smartphones have features like cameras, microphones and GPS tracking. Several apps allow these features to be activated remotely without the user’s knowledge.
  4. Identity theft: This involves spoofing a phone’s parameters and details. With phones being used as a factor for authentication, this can have serious repercussions. India has already seen such cases.                          
  5. Mobile botnets / relays: Smartphones with powerful 2G/3G/4G connections can be used as nodes and relays in a botnet. These can be used to generate spam or launch distributed denial of service (DDoS) attacks.
  6. Corporate espionage: With BYOD’s advent, phones carry sensitive corporate information. Leakage of such data makes it the biggest threat to enterprises.
  7. Access to app data and app user data: Attention needs to be given to how applications use and store data. Securing this information is essential to your privacy.

Mobile app attack vectors

Rogue developers are keeping pace with newer mobile application security measures, churning out new and innovative malware and attack channels. The following attack vectors are pertinent from a mobile application security perspective.

  1. Jailbroken/rooted devices: Bypassing OS control gives unrestricted access to all aspects and features on the device. This is a double-edged sword. Users should be aware that the process of Jailbreaking, along with websites that offer this service provide easy conduits to plant malware on phones with sensitive data.
  2. App repackaging: This is a significant problem in the Android space. Rogue developers repackage legitimate apps with malware. When unsuspecting consumers install and activate these apps, the embedded malware can initiate activities to send out premium SMSes, uninstall antivirus solutions and access sensitive content.
    Users may still get the functionality of the original app and be unaware of the background malicious activity. Use legitimate, platform-supported application stores, check publisher details and review user feedback on the app’s current version before downloading.
  3. Drive-by downloads: This is a recent development in the mobile space, where accessing infected sites results in malicious apps being installed without user knowledge. Often, these sites are safe for regular browsers, but automatic download and installation of an application can be triggered while using smartphone browsers. Android provides controls to prevent automated downloads.
  4. Apps from untrusted sources: It doesn’t get worse than downloading and installing and untrusted/unsigned repackaged app from non-regulated app marketplaces. It is incumbent upon enterprises to discourage this practice. Approved application stores are the best source of legitimate apps. Users take grave risks in installing apps whose provenance is unknown, via SD cards, third-party application stores or even as email attachments. The threats posed by these applications, ranging from minor inconvenience to major financial fraud.
  5. Operating system/device vulnerabilities: OS/device firmware vulnerabilities are often exploited by rogue developers while compromising devices. To avoid such threats, use updated antivirus packages and ensure that devices are updated with all relevant OS and firmware updates.
  6. App vulnerabilities: Secure application development for mobile platforms is still immature. Insecure coding can lead to apps acting as a conduit through which malware and attackers gain control of your device. The best protection is to install a good security solution. Reputed developers ensure that their apps undergo multiple levels of testing before release to minimize chances of compromise. Review publicly-available ratings and feedback on apps before installation.

To sum up

Given the broad range of attack options available to the malware-coder, the precautions summarized above can go a long way to secure your mobile app experience. Users may be familiar with these security mechanisms in the traditional computing environment, but they should extend the same to their mobile devices. Finally, remember the cardinal rule in security; if it sounds too good to be true, it most likely is!

This tip is based on a talk by Ram Venkatraman, the security practice head at Mahindra Satyam as part of the DSCI best practices summit held in Bengaluru in July 2012.

About the author: Ram Venkatraman heads Mahindra Satyam's Security Practice, which provides information security solutions to enterprises globally. His group works with customers to build security for enterprise and mobile applications, configure identity & access management solutions, and provides security monitoring services for enterprises.

Read more on Web application security