Data Leaks and Apps

A growing threat.

NowSecure found that nearly 25% of the mobile applications it analyzed had a serious security flaw, which puts any business that depends on internet-connected devices (the Internet of Things, IoT) at risk. Cybercriminals are not only deploying ransomware on internet-connected devices, including dedicated servers, office computers and mobile devices, but are increasingly getting in through applications with major security flaws, sometimes referred to as "leaky applications". Vulnerability scanning software should be in place on all devices to help spot security issues, and it must run frequently.

With so many pieces of technology connected to each other and to the internet, there are many points of entry into a business's sensitive data, and the security environment is correspondingly more complicated. Users and employees must be informed of proper security standards, and every device must be hardened and protected around the clock. A compromised mobile device is not necessarily the end of an attack: it can serve as a starting point for cybercriminals to carry out further damage to a firm's security.

Many free applications offer attackers an easy way into supposedly secured systems, starting with the mobile device itself and possibly moving from there to other connected devices.

In its 2016 Mobile Security Report, NowSecure analyzed over 400,000 applications available on the Google Play store and reported some alarming findings. 87% of the time users spend on a mobile device is spent in apps, and nearly 25% of the apps analyzed had a high-risk security flaw. Half of the apps transmitted some form of data somewhere. An app without a flaw in the technical sense can still be a security risk for an organization if it transmits sensitive data, so knowing what data is being leaked, how and why, is an important question for any business. Compounding this, not all organizations have implemented strong security protocols for bringing personal devices (BYOD) into the workplace.
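The NowSecure figures above concern apps that transmit sensitive data. The following Python script is an added example, not code from the original article or from NowSecure, showing how a practitioner can answer "what is being leaked, to whom, and over what" from app traffic recorded by an intercepting proxy. The request records and the hosts in them (`api.example-game.test`, `ads.tracker.test`) are constructed for this example, and the detectors (value-shape regexes plus the IMEI Luhn check) are this example's own assumptions about what counts as sensitive; an organization would extend them with its own identifiers.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic: what an intercepting proxy might record for one
# hypothetical app. None of these hosts or values are real.
CAPTURED_REQUESTS = [
    {"method": "POST", "url": "http://api.example-game.test/v1/session",
     "body": "imei=490154203237518&email=jane.doe@corp.example&android_id=9774d56d682e549c"},
    {"method": "GET", "url": "https://cdn.example-game.test/assets/level3.pak", "body": ""},
    {"method": "POST",
     "url": "http://ads.tracker.test/collect?lat=51.5074&lon=-0.1278&adid=38400000-8cf0-11bd-b23e-10b96e40000d",
     "body": ""},
    {"method": "POST", "url": "https://api.example-game.test/v1/profile",
     "body": '{"email":"jane.doe@corp.example","order_ref":"123456789012345"}'},
]

# Value-shape detectors (assumed set). Field names are unreliable, so match values.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
    "android_id": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{16}(?![0-9a-fA-F])"),
    "advertising_id": re.compile(
        r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"),
}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}


def luhn_valid(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; use it to drop random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(name: str, value: str) -> list:
    """Return the kinds of sensitive data found in one field."""
    kinds = []
    if name.lower() in LOCATION_KEYS and re.fullmatch(r"-?\d+(\.\d+)?", value):
        kinds.append("location")
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(value):
            if kind == "imei" and not luhn_valid(match.group()):
                continue  # 15 digits that fail Luhn are probably an order number, not an IMEI
            kinds.append(kind)
    return kinds


def extract_fields(request: dict):
    """Split a request into (url parts, [(field, value), ...]) from query string and body."""
    parts = urlsplit(request["url"])
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    body = request.get("body", "")
    if body.startswith("{"):
        try:
            pairs += [(k, str(v)) for k, v in json.loads(body).items()]
        except (ValueError, AttributeError):
            pairs.append(("body", body))  # not a JSON object: scan the raw body
    elif body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return parts, pairs


def analyze(requests: list) -> list:
    """One finding per sensitive value, tagged with whether it left the device in cleartext."""
    findings = []
    for request in requests:
        parts, pairs = extract_fields(request)
        for field, value in pairs:
            for kind in classify(field, value):
                findings.append({
                    "host": parts.hostname,
                    "field": field,
                    "kind": kind,
                    "cleartext": parts.scheme == "http",
                })
    return findings


def cleartext_leaks(findings: list) -> list:
    """Distinct (host, kind) pairs sent without TLS: the items to fix first."""
    return sorted({(f["host"], f["kind"]) for f in findings if f["cleartext"]})


if __name__ == "__main__":
    results = analyze(CAPTURED_REQUESTS)
    for host, kind in cleartext_leaks(results):
        print(f"CLEARTEXT {kind:<15} -> {host}")
    for f in results:
        if not f["cleartext"]:
            print(f"encrypted {f['kind']:<15} -> {f['host']} (field {f['field']!r})")
```

On the constructed sample this reports the device IMEI, Android ID and email going to the game's API over plain HTTP and the user's GPS position plus advertising ID going to a third-party tracker, while the same email sent over TLS is listed separately: encrypted transport makes it harder to intercept, but it is still a transmission of corporate data to an outside party that the business needs to know about.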

One of the hardest problems, once an issue is discovered, is working out where the attack came from and what data has been exposed.

A constantly evolving IoT makes this more difficult, especially with BYOD in the workplace where users have games installed on their devices: NowSecure estimates that games are 1.5 times more likely than other apps to have a high-risk vulnerability. This again can lead to ransomware, where a user is locked out of their mobile device, or where the cybercriminal uses that device to reach other systems and block access to them. Ransomware does not only target large organizations able to pay large sums of money; every business, from SMBs to a one-person operation, can be a target.

Ransomware delivered via email attachments and random downloads is no longer as effective, as employees have become more skilled at spotting these attempts. Apps have become a more popular tool for carrying out cybercriminal activity.

A recent survey sponsored by Tenable within the LinkedIn Information Security Community revealed that just over 70% of respondents have BYOD devices in the workplace. These devices access several SaaS applications, the most common being email, calendars and contact management. Alarmingly, 39% of respondents reported that malware had been downloaded onto their mobile devices, which again points to cybercriminals targeting these devices more often. (HummingBad was notorious Android malware that installed malicious apps.) Many other sources also confirm the popularity of BYOD in the workplace.

21% of respondents in the same Tenable survey reported a security breach through BYOD or mobile devices. Outdated smartphone operating systems on older phones are also a security risk, especially when security updates have not been installed.

It becomes especially difficult once cybercriminals learn the standard behavior and patterns within a company: they can imitate those patterns and, for example, pose as a colleague (or friend) "forwarding" a message and asking the recipient to open an attachment because they are having trouble with it. The lure may also be a snazzy new email app that was available as a free download and can "open anything", or a file viewer from an unknown publisher. A synchronized folder on a dedicated server can end up infecting several devices at once this way too, if several employees are connected to it.

A good resource and starting point for determining a firm's security state is Rapid7.com, which offers free security tools to scan for issues and determine whether there are any vulnerabilities, via its vulnerability management and penetration testing tools.

One of the strongest defenses any firm can have is the willingness and ability to adapt to evolving technologies in order to improve its security defenses. IoT security never stands still. Application security (AppSec) should play a strong part in cyber security, especially as mobile devices grow in popularity and in many cases replace desktop computers.
