Steer clear of mobile application security risks

Dealing with mobile application malware is a fluid process. IT needs a policy for vetting apps and educating users about potential security risks.

As mobile technology has advanced, so have intrusive and malicious mobile apps. IT needs to stay ahead of mobile application security risks by using all its available screening resources.

Unsafe mobile apps are not traditional viruses that IT administrators can detect by signature. Rather, today's mobile malware is dominated by Android adware and SMS Trojans -- programs seeking financial gain at the user's expense. Intrusive mobile apps are even more common and threaten user privacy by gathering device ID, location and usage information, SIM card number and more. According to McAfee Labs, 82% of Google Android apps track users in some way, and Apple iOS users are not immune either.

These best practices can help IT determine which apps are safe for enterprise users and mitigate threats from applications users need.

Mobile app threats

The rate of new unsafe mobile apps is still growing, with more than 6 million mobile malware samples detected in Q4 2014, according to McAfee Labs' February 2015 quarterly threats report. That's a 14% increase over the previous quarter. Plus, of all mobile devices that reported at least one malware infection, the culprit was most often Android AirPush adware.

While not all adware is malicious, it does facilitate the oversharing of information that many users consider private. For example, McAfee estimates that 64% of mobile apps know your wireless carrier, 59% track your last known location and 57% track when you use your phone. Research shows that truly malicious mobile apps are far more likely to intrude upon privacy.

Even on iOS devices, adware is a growing problem, although primarily on jailbroken devices running non-App Store applications. For example, iOS/AdThief malware hijacks ads viewed on an infected device to steal developer revenue. Another malware, iOS/SSLCreds, is distributed through Reddit and steals users' passwords.

Mobile app safety is not just an Android concern -- it should be every mobile user's mission, and IT needs to regularly communicate that to the workforce.

Six ways to spot unsafe mobile apps

Still, it's tricky to mitigate mobile application security risks. Many organizations have fostered a culture of unfettered app downloads that only exacerbates the problem. Potentially unwanted or harmful mobile apps come in many forms, which is why IT should teach end users to employ moderation. Mobile app sandboxing, or containerization, and opt-in permissions can deter malware, but they also make it more complex to design effective anti-malware strategies.

Here are a few methods and tools to help you avoid unsafe mobile apps.

Stick to reputable app stores. Unofficial third-party app stores circulate the vast majority of mobile malware. With Android devices, IT should prohibit sideloading -- that is, installing non-Google Play apps. For iOS users, prohibit jailbreaking, which allows users to install applications not listed in Apple's App Store. There can be legitimate reasons to install apps from these alternative sources, but so few users really require this capability that it's worth forbidding jailbroken iPhones as a general policy.

Read app reviews and requested permissions. Mobile operating systems require applications to disclose any requested permissions, requiring users to explicitly grant apps access to device location, text messages, installed apps and so forth. Unfortunately, lengthy permission lists and all-or-nothing prompting have desensitized mobile users. Yet these disclosures are an opportunity to spot intrusive apps. Beware of apps with few installs or poor reviews, and avoid ones that request permissions inconsistent with their stated purpose.
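The permission review described above can be automated for apps IT is vetting. The following is an added example, not code from the original article or from any vendor it names: it parses the uses-permission entries of an Android manifest and flags sensitive permissions that do not fit the app's stated purpose. The purpose-to-permission allow-list and the sample manifest are constructed for illustration; a real policy would maintain its own list.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that expose the data the article warns about (location,
# SMS, device and SIM identifiers). Illustrative subset, not exhaustive.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages (premium-SMS abuse vector)",
    "android.permission.READ_PHONE_STATE": "device ID, SIM and phone number",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Hypothetical allow-list: what an app with a given stated purpose plausibly
# needs. (Older Android versions required CAMERA to drive the flash LED.)
EXPECTED_BY_PURPOSE = {
    "flashlight": {"android.permission.CAMERA"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"},
    "messaging": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                  "android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml):
    """Return the sorted set of permission names an AndroidManifest.xml requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def audit_permissions(manifest_xml, purpose):
    """Flag sensitive permissions that the app's stated purpose does not explain.

    Returns a list of (permission, what it exposes) tuples, sorted by name.
    """
    expected = EXPECTED_BY_PURPOSE.get(purpose, set())
    return [(perm, SENSITIVE[perm])
            for perm in requested_permissions(manifest_xml)
            if perm in SENSITIVE and perm not in expected]


# Constructed sample: a "flashlight" app that also wants location, the
# device identity and the ability to send SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, exposure in audit_permissions(SAMPLE_MANIFEST, "flashlight"):
        print(f"unexpected for a flashlight app: {perm} ({exposure})")
```

Run against the sample manifest, the audit reports ACCESS_FINE_LOCATION, READ_PHONE_STATE and SEND_SMS; CAMERA is accepted because the allow-list explains it, and INTERNET is not on the sensitive list. The manifest can be pulled from an APK with the Android SDK's aapt tool before installation on managed devices.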

Run mobile anti-malware. Given Android's security concerns, it shouldn't come as a surprise that there is a market for anti-malware scanners for Android devices. Use AV-TEST to find an ongoing list of those apps and independent ratings of their protection level and usability.

Traditional anti-malware apps are not available for iOS, since iOS strictly insulates apps from each other. However, iOS mobile security apps do exist. These apps can scan files and email attachments and detect signs of jailbreak. Consider installing a reputable mobile security tool to block users from installing known malicious mobile apps, and beware of fake anti-malware apps that do nothing -- or worse.

Use a mobile app reputation service. Mobile app reputation services such as Webroot are gaining popularity, particularly for Android. These programs rate mobile apps based on factors such as how well an app is secured or the extent to which an app accesses and shares personal data.

IT administrators can use these services to run a reputation analysis on any mobile app to be installed on managed devices. Google Play apps such as McAfee Mobile Security, Lookout Security & Antivirus, and F-Secure Mobile Security can scan Android apps during or after installation and alert users to unusual or extensive permission requests.

Check for published app vulnerabilities. Vulnerable apps are ones that do not necessarily contain malware but may be exploited to install malware. Security experts constantly identify new vulnerabilities in mobile apps, which they then publish in advisories, allowing OS and application vendors to create patches. For example, this vulnerability note describes how multiple Android applications were failing to properly validate SSL certificates, which enabled man-in-the-middle attacks on HTTPS sessions.

IT can also use tools such as Nogotofail to detect apps that are vulnerable to this kind of attack. Admins should keep a watchful eye out for new bugs in business apps, using mobile application management to quarantine unpatched mobile devices and force timely OS and application updates.
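Nogotofail exercises the app over the network; the certificate-validation weakness just described can also be spotted at the source level when an in-house app's Java code (or a decompiled build) is available. The following is an added example, not code from the original article, from Nogotofail or from any vendor: a heuristic scanner for the two classic mistakes, an X509TrustManager whose checkServerTrusted() body is empty and a HostnameVerifier whose verify() unconditionally returns true. The two Java snippets it scans are constructed for illustration, and the regular expressions are an assumption about how such code is usually written, so treat a clean result as a reason to test, not as proof.

```python
import re

# Each check is (description, pattern). Patterns are deliberately narrow:
# they catch the textbook forms of disabled TLS validation, nothing more.
CHECKS = [
    ("empty checkServerTrusted(): any server certificate is accepted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S)),
    ("HostnameVerifier.verify() unconditionally returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER in use",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
]


def scan_java_source(src):
    """Return the description of every risky TLS pattern found in a Java source string."""
    return [desc for desc, pattern in CHECKS if pattern.search(src)]


# Constructed sample 1: the pattern the vulnerability note describes.
VULNERABLE_SNIPPET = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample 2: validation delegated to the platform trust manager,
# with an additional (hypothetical) pin check. Hostname verification untouched.
HARDENED_SNIPPET = """
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    defaultTrustManager.checkServerTrusted(chain, authType);
    pinCheck(chain);  // hypothetical helper comparing the leaf key to a pinned hash
}
HttpsURLConnection conn = (HttpsURLConnection) new URL(apiUrl).openConnection();
conn.connect();
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        findings = scan_java_source(src) or ["no risky pattern found"]
        print(f"{label}: " + "; ".join(findings))
```

The vulnerable snippet trips the first two checks; the hardened one trips none, because its checkServerTrusted() has a body and it never overrides verify(). A scanner like this belongs in the build pipeline for in-house apps as a cheap first pass before the dynamic testing the article recommends.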

Test enterprise apps for security risks. Beware of homegrown vulnerabilities and weak security coding practices. If your company develops in-house mobile apps, consider contracting with an application security test vendor such as IBM, HP Fortify, Veracode or WhiteHat to assess the security of those apps. Security vendors have thorough methods for identifying vulnerabilities through static, dynamic and interactive testing.

Your work is never done when it comes to security, but establishing these basics for mobile app safety will diminish the risk of malicious and intrusive applications affecting your network.
