By the time workers returned to the office in January, a bumper crop of newly installed mobile apps may have gained extensive access to business data and services. What can you do to stop them? Let's consider "app-store" security implications and steps that employers can take to manage associated business risk.
Mobile device control: Enterprise control vs. personal use
RIM dominates the enterprise mobile market thanks to the tight control that employers can assert over BlackBerry smartphones. BlackBerry Enterprise Servers push employer-defined policies over the air to BlackBerrys at activation time. BlackBerry application policies are then used to install custom and third-party apps and control the resources that each can access. For example, policies can prevent apps from using phone or email services
or accessing PIM data stored on the device. BlackBerry IT policies can also be set to block third-party app downloads altogether.
Robust centralized controls like these can be a very effective way to prevent workers from infecting business smartphones with bandwidth-sapping, time-wasting, buggy or malicious non-business apps. However, given the popularity of downloadable apps and increasingly decentralized purchasing, this fully managed-device approach may not be a viable way to safeguard every smartphone.
A recent Aberdeen Group study found that, in September 2008, employers purchased 65% of phones. Just one year later, that percentage had dropped to 42%. Meanwhile, phones purchased by employees from carriers of their own choosing doubled to 40%. These "employee-liable" devices are used for business extensively but not exclusively. Workers may be reimbursed for business use and may receive some IT support, but they also expect to use their own smartphones for personal calls, texting, messaging and -- yes -- mobile entertainment.
Download at your own risk
Consumer-oriented mobile apps have played a huge role in fostering smartphone market growth. From iTunes App Store and Android Marketplace to BlackBerry App World and Windows Marketplace for Mobile, smartphone users can now easily find and download tens of thousands of mobile apps -- many of them free.
Unfortunately, the origin and integrity of third-party apps can be suspect. As evidence, consider several hundred malware apps developed for Symbian since June 2004. Mobile worms and Trojans like Cabir, Sabir, Commwarrior, Skulls, Pbstealer, and Bezelo targeted Symbian Series 60 smartphones because (a) those phones were popular and largely unprotected, and (b) their users were vulnerable to social engineering. Most tricked users into downloading apps and/or clicking on risky links -- for example, Pbstealer posed as a utility; Bezelo masqueraded as .JPG or .MP3 files.
Fortunately, this early mobile malware did not spread very far or cause extensive damage. Contemporary devices offer better OS-level defenses against mobile malware -- for example, by checking app digital signatures, limiting app access to system resources, and better isolating apps from one another. However, the threat of mobile malware has not evaporated. If anything, risks are rising because of smartphone population growth, always-on connectivity, and increased access to business data and services.
One recent illustration: Last month, a pair of worms began to exploit third-party SSH utilities installed on jail-broken iPhones. The first simply changed the infected iPhone's wallpaper to a photo of singer Rick Astley. Days later, a second worm began to steal infected iPhone contacts, appointments, messages, photos, and music/video files. These worms took advantage of jail-broken iPhones that can bypass iTunes to install third-party apps not approved by Apple.
Forewarned is forearmed
Being prepared is half the battle. If your IT department cannot exert full control over smartphones and the apps they run, acknowledge that users are at least going to try to download a few personal mobile apps. (Even users who are techno-phobic probably have teenage children who will helpfully show them the ropes.)
Educate your workers about "app store best practices." Identify download sites that scrutinize published apps (e.g., iTunes) and those that don't. Explain the importance of checking digital signatures before installing apps and why users should not ignore signature warnings or follow developer suggestions to disable validation. A signature does not imply that the developer has passed any "security tests" -- but developers who aren't willing to sign their apps are suspect, and malware posing as another developer's legitimate app can often be detected this way.
Although less reliable, it can also be helpful to read user reviews before downloading apps, particularly from unknown developers. Even non-malicious apps can gobble bandwidth, and buggy apps can destroy data, lock up the phone, or require a factory-reset to eliminate. There's no substitute for exercising caution and common sense. Finally, readily available mobile antivirus programs can periodically scan smartphones for suspicious or known-malicious apps.
Asserting IT control over employee-liable devices
User education is an essential first step, but most employers should take more formal, reliable steps to manage business risks posed by personal mobile apps. Companies that cannot manage employee-owned smartphones can still exert some degree of control over business apps and data.
One common approach is to deliver very limited business service and data access to unmanaged smartphones. For cloud-based apps, users can interact with business services through browser or widget interfaces, thereby avoiding enterprise network or server connections or storing business data on the smartphone itself. Here, it's also important to clean up any screen images, temp files, cached passwords, or corrective text that might otherwise be left on the phone when the browser/widget exits.
Another increasingly popular approach is to create a secure sandbox environment on mixed-use smartphones. Solutions like Good for Enterprise and Sybase iAnywhere Mobile Office can provide a safe execution environment for business email, calendar and contacts, protected by IT-specified policies for authentication, encryption, data wipe, and so on. Although IT installs and manages these mobile business apps, the rest of the smartphone still belongs to the end user. If a malicious app is installed, it shouldn't have access to business data or logins and won't be able to exploit business network connections.
These are just two of many ways to assert partial IT control over smartphones that (for whatever reason) cannot be fully managed. Companies that do manage trusted smartphones can also apply measures like whitelists and blacklists to block known bad apps. It would be a Herculean task to vet all available apps, however. Instead, focus on business data and services to look for ways to effectively protect them from any buggy or malicious third-party apps.
This was first published in January 2010