Freedom? Security? The jury is still out on the question of which, if either, takes priority. Meanwhile, businesses are forging ahead with “bring your own device” (BYOD) and “bring your own app” (BYOA) policies.
Cost reduction is one goal, but so are flexibility and choice for employees, letting them work the way they want to, and bringing businesses the benefit of increased productivity. Freedom gets everyone’s vote. However, employees and enterprises do not necessarily have the same perspective on mobile apps and security.
Business logic says “you get what you pay for”, meaning that if you want security, get your wallet out. Consumer logic on the other hand is fashioned by free offers which are often accepted without second thoughts, including free mobile apps. Naturally enough, individual employees may take a consumer point of view, or be reluctant to use their own money to pay for apps, preferring free versions. The problem is in the behavior of unchecked free apps that then coexist with enterprise data in an employee’s device.
Data from app analysis has shown that free apps generally ask for more user permissions on a mobile device than paid apps do. Not only that, but some of the permission requests have little or nothing to do with what the free app is supposed to do. These excessive permissions include location tracking, access to address books, autonomously sending text messages and making phone calls, and accessing the mobile device’s camera.
Some of these anomalies are more obvious than others. For example, some mobile flashlight apps communicate over the Internet with remote servers – but what possible justification could a flashlight have for doing so? Other apps are more cunning. They may trick users into granting inappropriate permissions by using well-known business logos such as those of Microsoft Office (Word and Excel, for instance) to suggest that the software is sanctioned by a reputable vendor.
Once installed, a malicious app might use its permissions to make calls and access the camera for audio and video eavesdropping, or send SMS messages to exfiltrate confidential data. The breach of a single business file can be enough to cause severe loss or damage: for instance, financial loss if attackers use the file to siphon off money from company accounts, or reputational damage if confidential enterprise data is made public on the Internet.
End-user education is paramount, starting with the fact that the availability of an app via Google Play or Apple’s App Store is no guarantee of its safety. Cyber criminals are continually searching for new ways of getting around the security checks of both app stores, and know how to fake testimonials to trick new users into believing that others have declared an app problem-free. End-users in your enterprise should be told what to look for in terms of excessive or suspicious permissions.
In addition, make a list of approved apps for your end-users and ask them to submit any other apps to you for verification before starting to use them. Checking apps for approval can be done rapidly and effectively using AppInterrogator for a fast “In or Out” decision, and using AppVisualizer to identify threats from links from the app to bad actors via shared code or connections to their sites. These checks can help your end-users and your enterprise strike the right balance between free and secure, so that any free mobile apps help your business rather than harming it.
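One way to make the “what to look for” guidance and the “In or Out” decision concrete, as an added example that is not the page’s code and does not use AppInterrogator or AppVisualizer: a small Python script reads the permissions an Android app declares in its manifest and flags the ones the article calls excessive whenever the app’s stated purpose cannot justify them. The per-category baseline is an assumed enterprise policy, and the flashlight app and its manifest are constructed for the example.

```python
# Added example, not the page's or any vendor's code: a minimal permission
# review for the BYOD app-approval step described in the article.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article lists as excessive for an app that does not need them.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "address book access",
    "android.permission.SEND_SMS": "sending text messages",
    "android.permission.CALL_PHONE": "placing phone calls",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.CAMERA": "camera access",
    "android.permission.INTERNET": "talking to remote servers",
}

# Assumed per-category baseline of permissions the app's stated purpose can
# justify (an enterprise policy choice, not an Android standard).
EXPECTED = {
    "flashlight": set(),
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
                  "android.permission.INTERNET"},
}

# Constructed manifest for a hypothetical flashlight app (not a real product).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def review_app(category, manifest_xml):
    """OUT if any high-risk permission is not justified by the category
    baseline, otherwise IN; flagged permissions carry the reason so the
    reviewer can explain the decision to the end-user."""
    perms = declared_permissions(manifest_xml)
    allowed = EXPECTED.get(category, set())
    flagged = {p: HIGH_RISK[p] for p in sorted(perms)
               if p in HIGH_RISK and p not in allowed}
    return {"decision": "OUT" if flagged else "IN", "flagged": flagged}


if __name__ == "__main__":
    print(review_app("flashlight", SAMPLE_MANIFEST))
```

Low-risk permissions such as VIBRATE are left to the reviewer’s judgement; only the high-risk set drives the decision.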