High-profile cyber attacks, like Russian interference in the 2016 election, are grabbing the headlines, but corporations should be more concerned with a security risk closer to home. Corporate data is leaking out via insecure mobile apps, and many corporations don’t even know it. In fact, the potential for exfiltration of your data via mobile apps is emerging as the biggest blind spot in corporate security efforts.
Mobile apps often collect a large amount of data that isn’t necessary for the app’s use, such as specifics about the device and the user’s physical location. The problem is that apps often offload the processing of this data to the cloud. And when your data goes to the cloud, any miscreant who knows where to look can potentially gain access to your valuable corporate information.
A recently discovered vulnerability, dubbed HospitalGown, illustrates the risk when mobile apps send enterprise data to unsecured backend databases. A new research report documented more than 1,000 enterprise apps with this backend vulnerability, exposing an estimated 280 million records. These records were accessible as a result of weakly secured databases that did not require authentication of any kind to access the data.
This means that corporate data is sitting unencrypted in publicly available databases that don’t require so much as a password to access them. In other words, your data is out there for the taking, which is why there have been an increasing number of reports over the past few months of content being stolen from data stores and held for ransom.
The particularly scary aspect of vulnerabilities like HospitalGown is that no amount of on-device security can protect against those applications that store sensitive data in a lax manner. HospitalGown in particular poses a direct risk to enterprises, opening them up to an easy breach, exfiltration of sensitive data, and the ensuing costs of remediation, lawsuits, compliance infractions, and loss of brand trust.
The onus is now on app developers to use secure APIs when interfacing with backend servers and protect data in transit with encryption. Meanwhile, on that backend, the servers should either be firewalled from public internet access or at least protected behind a secure API.
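As an added illustration that is not from the article or from Appthority, the two configuration fragments below contrast the backend setting that a HospitalGown-style exposure depends on with its corrected form, using MongoDB's mongod.conf as an assumed example of such a data store; the database product, interface address and certificate paths are assumptions for this example, not details from the report.

```yaml
# WEAK (assumed illustration): the server listens on every interface, no
# authentication is configured, and traffic is plaintext. Any client that
# can reach port 27017 can read or alter the stored records.
net:
  bindIp: 0.0.0.0
  port: 27017
# no "security" section: authorization is left at its default of disabled

---
# CORRECTED: listen only on loopback and the private interface used by the
# API tier, require authenticated and authorized clients, and require TLS
# so data is encrypted in transit. 10.0.1.5 and the PEM paths are placeholders.
net:
  bindIp: 127.0.0.1,10.0.1.5
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
security:
  authorization: enabled
```

The two documents stand for two alternative config files, not one file; the hardened one still needs network rules that let only the API tier reach the port, which is the "firewalled from public internet access" half of the advice above.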
Of course, the onus is also on corporations to do a better job of securing sensitive data. Here are some mobile app best practices that every company should adopt:
1. Educate employees about the risks of the apps they download. Employees have a direct impact on the overall security posture of the organization they work for because they’re the ones deciding which apps to install and why. So, it’s in IT’s best interest to educate these users by arming them with tools and training to make better decisions about the apps they download. You have two options: allow your employees to be part of the problem or empower them to be part of the solution.
2. Create and enforce a policy for managing mobile use. Most organizations already have policies for other platforms, such as the management of firewalls and the sharing of data with partners. It’s just as important to create a security policy for mobile. You need visibility into what apps your employees are using and what those apps are really doing. And you need to be proactive. If there is a particular file-sharing app you don’t want employees to use, you should offer an alternative app that they can use. Otherwise employees will go on using the original app.
3. Make sure to vet apps you recommend to employees. Be mindful of the apps that your company chooses to share or recommend to employees, including those that employees bring into the organization. Maybe you’re recommending that everyone use a particular CRM app or collaboration app without properly vetting it first and ensuring its safety. If there are vulnerabilities in that app, such as HospitalGown, there are then vulnerabilities on the device of every employee using that app. That puts your organization at extreme risk. This is especially important as new compliance standards and regulations, such as the General Data Protection Regulation, go into effect. Under the GDPR rules, not only will the app developer be liable for fines but so will each enterprise that pushed that app to its employees. How big are the fines? GDPR calls for up to 4 percent of a company’s revenue. That’s big.
4. Only download apps from authorized app stores. Every app in the Google Play and Apple App stores is reviewed before it’s put on the shelf. But the same cannot be said about third-party app stores. Most do not regulate security and cannot ensure a user’s privacy and safety. But even then, the reviews that Apple and Google conduct are not stringent enough for most enterprises, so it’s important to go further and deploy a mobile threat protection solution.
5. Delete apps that you no longer use. Apps become risky to your privacy and corporate data when they’re not updated with security patches and other upgrades, which you’re less likely to do if you’re not using them. Either delete or update apps that you haven’t used in three months or longer.
6. Every time a new app is downloaded, check the permissions. Does the app ask for your location? How about access to your camera or phone? Does the app really need that access to do its job? Does tracking occur all the time or only when the app is in use? Update your permissions and delete apps that require information unrelated to the app’s function. Adjust your settings for apps where permission makes sense at certain times.
Mobile apps are quickly emerging as the most glaring blind spot for corporate security departments. As your organization grows more mobile, you must more actively defend against these mobile threats. You should institute mobile security policies and encourage sound security habits to protect your organization from an embarrassing and costly breach.
About the Author: Domingo Guerra is founder and president of Appthority (www.appthority.com).