2,400 unsafe mobile apps found in average large enterprise

The average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment, according to Veracode.

Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments – across various industries including financial services, media, manufacturing and telecommunications – Veracode found 14,000 unsafe applications of which:

• 85 percent expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
• 37 percent perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
• 35 percent retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.

Phil Neray, VP of Enterprise Security Strategy at Veracode, told Help Net Security: “The findings demonstrate that enterprises typically have lots of unsafe applications installed on their employees’ devices. For example, an application is deemed “unsafe” if it has access to SIM card data such as geo-location, call history, SMS message logs and device IDs, or if it sends sensitive information to suspicious overseas locations for no apparent reason.”

“There are many ways in which cyberattackers can leverage risky apps. For example, they can be used to spy on employees with access to confidential information — by tracking the employee’s location, recording their phone calls and developing a profile of their social connections — in order to steal corporate intellectual property or profit from trading on insider information. They can also be used to steal banking credentials or insert aggressive adware. And nation-states can use them to track high-profile individuals,” Neray added.

According to Gartner, “Through 2015, more than 75 percent of mobile applications will fail basic security tests.” At the same time, cybercriminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.

This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices. Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.

Existing approaches for addressing unsafe mobile apps, such as manually-curated blacklists, are difficult to scale because of the sheer size and constantly-changing nature of the problem. As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.