Mobile workers bring IT security threats into the enterprise from unlikely places, including applications presumed safe.
SearchConsumerization recently spoke to Mike Raggo, security evangelist with enterprise mobility management vendor MobileIron, about developments in mobile security and the issues about which IT should be concerned and vigilant. Here are three questions and answers from that discussion.
What do you think is one of the biggest threats around mobile security that maybe isn't being talked about?
Mike Raggo: One of the biggest threats isn’t just malicious apps, but risky apps -- apps that you and I download every day. Many of them have risky behaviors. … [Appthority] did a study that revealed that based on the 2.5-plus million apps across Google Play and the [Apple] App Store, less than 0.4% of those are malware, versus the amount of risky apps, the legit apps you and I use every day -- roughly 80% of those apps have risky behaviors.
What we mean by risky behaviors is some kind of threat to security, privacy or data exfiltration risks. A lot of those common apps we use every day may expose PII [personally identifiable information], ranging from GPS or your physical address to a phone number to an actual address and other sensitive information you may have stored on the device.
Google in particular has taken hits because of malware issues with apps in the Google Play store. Is this still an issue for enterprises that use Android?
Raggo: Google has been very transparent about the enhancements they've made and the way in which they vet apps. So, they've added additional layers of analysis and even automated tools to really cut down on the quantity of malicious apps that are being uploaded to Google Play to better vet those out.
That perception still exists because we still see lots of feedback, lots of articles in the media still hyping those concerns around malicious apps in Google Play and people downloading those apps and thus infecting and rooting their devices, most of the time unknowingly.
If you take a look at Black Hat last year, there were a significant number of presentations on attacks on Android versus iOS. A lot of that really did point out some of the weaknesses in terms of how Google vetted out those apps within Google Play. I think they learned a lot from that and they’ve been very transparent about some of the advancements they’ve made.
In general, we have seen a good decline in the quantity of malicious apps that have been uploaded. The remaining threat is around the ability to download apps outside of Google Play. The user still has that capability of going into their [personal] device and disabling that option that then allows them to download apps outside of Google Play.
Besides applications, what are other security concerns around mobile you're seeing for enterprises?
Raggo: At the top of the threat list are unprotected networks. We know users are going to travel ... We know they are going to connect to open WiFi networks at an airport, at a hotel, at a coffee shop. What can we do to protect against that?
Something we've done for a long time is really [try to] embrace the concept of certificates. Certificates have been around for a long time but they are very easy to deploy in mobile because these devices are built from the ground up with support for certificates.
When we push down a variety of configurations to the device, whether that’s for email, apps, Web access or access to SharePoint or file shares and so forth, we pushed down automatically a certificate for the user or the device so that when they connect to a resource -- even if they are on an open WiFi network, they're protected.
We really want to protect against someone malicious [who] might be sitting in the coffee shop [and who] might say, "Hey, I see Mike connecting to the corporate network, I'm going to try and intercept the traffic and read that traffic." Or, if it's encrypted, [say,] "I'm going to try and perform a 'man in the middle' attack to see if I can get in the middle of that communication and intercept that traffic and try to decipher it."
When we take a look at all the different threat modeling and how we can protect our customers from those threats, it's really providing two things: certificates and secure access.