By Kim Lindros
When it comes to mobile security, agencies often think in terms of the device or network — and overlook the risks associated with mobile apps. This is especially true when agencies permit employees to use their own devices.
One of the major problems with apps is data leakage. This can occur when an app stores personally identifiable information, or PII, in an unprotected area on the device, making it available to other apps. PII can be a user’s name, account number or even GPS location. Leakage also occurs if the information is readable in a file while being transmitted.
Data leakage risk often stems from the app developer. They typically don’t build apps with government security policies in mind — or they don’t know how to comply with relevant regulations.
Some apps will try to access data that isn’t not necessary for what they do. For example, a simple flashlight app might try to access your microphone, your camera and even your cloud services.
Not all app risks rise to the level of malware, but they still present challenges for security officers who are responsible for safeguarding their agency.
So what is app risk, exactly? It’s made up of three main components.
- App threats. These are typically attacks or malicious apps that steal information, damage devices or give unauthorized access to remote users or systems.
- App vulnerabilities. These are flaws or weaknesses in the app itself that can be exploited.
- App behaviors and configurations. As mentioned, mobile apps have the potential to leak data, such as contact records, emails and financial data.
There are two important tools that can help you manage mobile security.
One is a mobile risk matrix.
A risk matrix provides a framework for mapping the components and vectors that make up your spectrum of risk. That includes apps, devices, content, networks and the web. It also provides a data-driven approach to assessing the likelihood and impact of mobile threats and vulnerabilities.
Armed with that knowledge, security personnel can step up protections against known threats and enact policies against app behaviors that create compliance problems.
Let’s use data leakage as an example. The matrix can show the percentage of apps that access a device’s contacts. When you know the risk of your apps, you can more accurately prioritize responses to meet compliance requirements.
The second tool is an app security assessment.
The idea is to review all dimensions of app risk — including code construction, permissions, behavior, malware, network traffic and vulnerabilities.
But you don’t want to conduct that assessment in a vacuum. Instead, you want to put those risks in context by tapping into intelligence from industry at large. That will give you insights into complex, often hidden vulnerabilities, including:
- Access to sensitive data
- Data exfiltration
- Insecure data handling,
- Use of cloud services, and more.
Finally, another effective way to reduce mobile enterprise risk is to offer employees security awareness training and share tips for the safe use of mobile devices and apps.
Because apps are simple to install and manage, we assume security is part of that easy-button package. But that’s not always the case.
And even if an app does include security measures, users might wiggle around them if they find them too onerous or constricting. Your employees need to have a basic understanding of the threat landscape as well as the related security policies.
In today’s hybrid work environment, mobile devices are more important than ever. As you set up mobile security, don’t overlook the risks associated with mobile apps.