The IT Security Risk of Third-Party Apps

By Christopher Kennessey, CEO, NetMotion Software

As mobile devices become more common in the workplace, IT departments need to understand and prepare for the security risks that these devices introduce. Beyond the security of the device itself (which is a significant issue in its own right), there’s a very real risk of third-party apps secretly accessing corporate data. In some cases, the app is a legitimate service gathering user data on the side for their own marketing purposes or to sell. Alternatively, many malicious apps will mimic real ones to trick users into downloading spyware and adware to steal passwords or financial information. Despite the best efforts of Apple, Google and Microsoft, data scraping remains an issue on iOS and Android devices as well as the major desktop platforms. Legitimate or not, IT needs the ability to track how third-party apps are accessing corporate data to protect their employees and keep that data secure.

The normal barriers between work and personal devices don’t always apply here. With bring your own device (BYOD) policies being so common in the workplace, employees likely download apps, play games, access their social networks and visit potentially risky websites using the same devices that they rely on to access sensitive corporate data and applications. If they become the victim of malicious apps or websites, it doesn’t matter whether they or their employer is the intended target. Once a device is compromised, everything on it is at risk of being seen or stolen.

There are several ways organizations can reduce the risk of third-party apps scraping sensitive corporate data. The first is training users to identify the telltale signs of a malicious app, email or website. Apps with strange or poorly rendered icons, suspicious imagery or inaccurate or misspelled names are all good indicators that something isn’t what it appears to be. Users should also be particularly cautious when an app asks for permission to access data that is not relevant to its task. It’s also good practice to prevent users from sideloading apps or going outside corporate-approved app stores.

Technical security controls also play a large role in protecting corporate data. Organizations deploy hardware and software like firewalls and antivirus to protect their data, but employee devices are a new weak link that often resides outside the corporate network for long periods of time. In response, many of these organizations have added enterprise mobility management (EMM) or mobile threat defense (MTD) solutions that provide some measure of protection and control over what devices and their users can do. But even these solutions don’t provide real-time visibility into the behavior of devices, apps and data flows when the device is connected to an external network. Like most security spending, EMM and MTD solutions are focused on protection – stopping malicious software from getting onto devices. That is certainly important, but organizations also need to improve their monitoring and visibility into mobile devices to detect suspicious behavior that could indicate an infected device.

Like most things in security, this is easier said than done. A recent survey by the Enterprise Mobility Exchange found that nearly half of mobile security professionals had no idea whether their organization had been the victim of a mobile security event in the last year. More than 35% can’t tell when a device or app is sending data to unwanted server locations at all, and an additional 30% can’t do it in real time. Even legitimate apps will often communicate with numerous servers around the world. And numerous apps and devices, either intentionally or as the result of poor design, have been shown, for no discernible reason, to send data to servers in countries that lack the high standards of data security that we expect. At the end of the day, it’s impossible to tell whether a traffic pattern is potentially dangerous if you’re not paying attention.

Once an organization understands its normal mobile traffic patterns, the next step is to implement policies that automatically prevent unwanted or questionable connections. By adopting higher standards for user and device authentication, data encryption and device control, IT and security teams have the power to ensure the integrity of an organization’s data by automatically stopping mobile devices from sending traffic through unapproved servers via unapproved connections. As always, full, standards-based encryption should be used to ensure the data remains secure in transit.
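The monitor-then-enforce loop described above, as an added example that is not part of the original article or of NetMotion’s software: a small Python triage that learns each app’s normal destinations from a window of flow records, then blocks or flags new flows against an assumed policy (a country allowlist and the approved servers for a managed corporate app). All device names, hostnames, country codes and policy values are constructed.

```python
from collections import defaultdict

# Constructed sample of mobile device flow records (not real telemetry).
# Each record: (device, app, destination host, destination country, bytes sent)
BASELINE_FLOWS = [
    ("phone-01", "corp-mail", "mail.example-corp.test", "US", 4200),
    ("phone-01", "weather", "api.weather.test", "US", 900),
    ("phone-02", "corp-mail", "mail.example-corp.test", "US", 3100),
    ("phone-02", "weather", "api.weather.test", "DE", 700),
]

NEW_FLOWS = [
    ("phone-01", "corp-mail", "mail.example-corp.test", "US", 5000),
    ("phone-01", "weather", "cdn.weather.test", "US", 1200),
    ("phone-02", "flashlight", "collect.tracker.test", "XX", 250000),
    ("phone-02", "corp-mail", "relay.unknown.test", "US", 8000),
]

# Assumed policy: regions corporate data may travel to, and the only
# destinations a managed corporate app is permitted to contact.
POLICY = {
    "allowed_countries": {"US", "DE"},
    "corporate_apps": {"corp-mail": {"mail.example-corp.test"}},
}

def learn_baseline(flows):
    """Build the set of destinations each app normally contacts."""
    baseline = defaultdict(set)
    for _device, app, dest, _country, _nbytes in flows:
        baseline[app].add(dest)
    return baseline

def evaluate_flow(flow, baseline, policy):
    """Return (action, reason) for one flow: block, alert or allow."""
    device, app, dest, country, nbytes = flow
    if country not in policy["allowed_countries"]:
        return "block", f"{app} on {device} sending {nbytes}B to {country}"
    approved = policy["corporate_apps"].get(app)
    if approved is not None and dest not in approved:
        return "block", f"corporate app {app} contacting unapproved {dest}"
    if dest not in baseline.get(app, set()):
        return "alert", f"{app} contacted new destination {dest}"
    return "allow", "matches baseline"

def triage(flows, baseline, policy):
    """Group flows by decided action so IT can act on blocks and alerts."""
    result = defaultdict(list)
    for flow in flows:
        action, reason = evaluate_flow(flow, baseline, policy)
        result[action].append(reason)
    return dict(result)

if __name__ == "__main__":
    for action, reasons in triage(NEW_FLOWS, learn_baseline(BASELINE_FLOWS), POLICY).items():
        print(action.upper(), reasons)
```

Alerts mark destinations that are new relative to the baseline and need review; blocks are the automatic policy decisions the article calls for.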

Advancements in mobility have been an enormous enabler for enterprises and their employees over the last decade in particular, but these benefits come with their own distinct set of costs and risks. In order to maintain a high level of data security both inside and outside the walls of the office, companies need to do a much better job of managing how apps, users and devices interact with their data. The most effective approach combines embedded software that provides real-time, actionable information about devices operating on third-party networks, automated policies that restrict dangerous activity, and user training that turns employees into the front line of defense by recognizing threats from the outset.

About the Author

Christopher Kennessey is the CEO of NetMotion Software. Christopher has nearly two decades of cloud, data center, and mobile networking industry experience, including ten years leading sales and operations for Cisco’s Intelligent Automation business unit. He holds a bachelor’s degree from the University of Illinois Champaign-Urbana, with additional courses at Harvard University and Complutense University Madrid. Christopher can be reached via our company website https://www.netmotionsoftware.com/