Mobile security continues to be a challenging frontier for enterprises, many of which have only recently adopted bring-your-own-device policies and are still in the process of overhauling their infrastructure, policies and network security tools accordingly. Part of the difficulty comes with new end-user expectations:
- Access to email alone isn't enough. Stakeholders also expect ways to use Microsoft Windows virtual desktops, mobile apps and cloud-based tools.
- Company apps don't have all the prime screen real estate to themselves. Devices are often employee-owned, meaning that consumer apps are used side by side with ones that may access core enterprise data.
- Common utilities like VPN were built for an era before mobile. They now require new designs that support safe usage from devices like phones and tablets.
At the same time, the novelty of the mobile device ecosystem – as well as the emerging wearable space, which kicked into new gear with the introduction of Apple Watch in April 2015 – would seem to make it an inviting target for cyber attacks. The reality is a bit more mixed, though. A recent report from Verizon found that mobile was usually a low-priority target, but only because many more lucrative alternatives (e.g., magnetic stripe cards and vulnerabilities in open source software) are still open.
That means that mobile is a relatively low-volume channel in terms of successful attacks, yet ripe for more attention as it becomes increasingly central to enterprise IT. One interesting area to keep an eye on here is how mobile could potentially raise the risk of a targeted attack.
Targeted attacks and mobile: What's the connection?
A 2015 survey conducted by Decisive Analytics and commissioned by CUPP Computing discovered that preventing or mitigating the effects of targeted attacks was the top priority for more than two-thirds of IT decision-makers. Mobile represents one possible entry point for advanced persistent threats and other types of targeted attacks, a point the survey takers and coordinators both seemed aware of.
"Obviously, there has been a huge increase in targeted attacks and data breaches worldwide," said CUPP CEO Art Swift. "With widespread adoption of the BYOD philosophy, allowing employees to use their own devices to interact with enterprise computing environments, mobile devices are becoming an attractive target for sophisticated attackers. Our enterprise customers are looking for the next level of protection for their sensitive corporate and customer data. They also need to protect their reputations and ensure regulatory compliance."
How could a mobile device facilitate an APT? Remember what we talked about earlier with consumer and business apps mixing on a device. It's possible that a mobile user could let his or her guard down and become susceptible to a phishing attack via an email or a social media lure. The risk would be significantly heightened if the phone or tablet in question were running Android, the most widely installed mobile operating system. More than 95 percent of mobile malware is targeted at the open source platform overseen by Google, according to one cybersecurity firm's research.
Android's fragmentation – the term that refers to the proliferation of disparate versions across devices due to competing contributions and priorities from Google, carriers and handset makers – has sometimes been highlighted as a specific soft spot in the mobile OS. Another overarching vulnerability in Android as well as other platforms like iOS is the ongoing use of "zombie apps" in BYOD environments.
What is a zombie app and how can it cause trouble for BYOD?
A zombie app is not a popular title like the game "Plants vs. Zombies 2," but the complete opposite, in fact – an app that has essentially been abandoned and now serves as a liability on its platform. Just as Windows XP and Windows Server 2003 have become problematic for enterprise IT due to their age (and, in the case of XP, the lack of mainstream official support from Microsoft), mobile zombie apps are becoming a problem for organizations with BYOD policies.
A 2015 report from Appthority looked at around 3 million apps installed on employee BYOD-enabled devices running either Android or iOS. Its coordinators discovered that 5.2 percent of iOS apps and 3.9 percent of Android apps were "zombies," meaning that they weren't even available for sale or download in their respective app stores and were no longer supported.
A few possible issues are worth considering when dealing with zombie apps:
- They might have been originally pulled from the Apple App Store or the Google Play Store due to flaws that went too far in compromising user privacy or enabling malware delivery.
- Since they are no longer being updated, it's possible that their update mechanisms could be hijacked by a third party, perhaps through an unofficial app store in the case of Android.
- As unsupported software, their flaws won't be fixed and could potentially be exploited down the line, similar to how mission-critical legacy Windows apps are often vulnerable to flaws that they share with later versions of the OS that actually get patched.
More so than mobile malware, zombie apps represent a major current risk to enterprise security, since their presence doesn't require any elaborate infiltration scheme or missteps. Simply leaving the apps on BYOD-enabled devices, instead of uninstalling them, can lead to issues.
Zombie apps aren't updated because their developers have gone out of business, moved on to other projects and/or pulled the software from app stores. Apps that are still "alive" are not always updated by their users, though. This used to be a bigger issue in the days before iOS and stock Android switched to automatic updates by default, but it's still widespread enough to be a cause for concern.
The Appthority report revealed that roughly one-third of Android apps and a slightly higher percentage of iOS ones installed on BYOD-enabled devices were not updated to the most recent versions. Employees may be unaware of the risks created by failing to update apps as soon as a new release becomes available.
"New versions are important because it's how developers push security updates and app fixes," Appthority president Domingo Guerra told CSO Online.
Better training may be part of the solution to this problem. Enterprise CIOs and their teams can also look at advanced network security tools for keeping tabs on traffic and enforcing policies across all IT infrastructure. Mobile devices are set to become increasingly important to how enterprise employees access company apps and data, meaning that liabilities like zombie apps and targeted attacks (via mobile email or other apps) have to be addressed through a combination of technical and procedural measures.
A Trend Micro TrendLabs Security Primer outlined a few general risks to keep tabs on with regard to BYOD devices, including:
- Jailbroken iPhones
- Devices with malware preinstalled
- Vulnerabilities in how certain files or plugins work
- Trojanized apps that can hijack a device
- Links delivered via SMS, social or email
- Third-party app stores
Enterprises must have ways to prevent the entry of mobile malware and other attacks into their networks, as well as tools that can deal with an infection already inside the network. These mobile security solutions help mitigate the risks of the consumerization of IT.