In recent years, especially with hybrid work, almost everyone uses an iOS or Android device for work. In fact, in a recent survey, Lookout found that 92% of remote workers use their personal laptops or smartphones for work tasks, with 46% of them having saved files onto their devices.
Now that employees expect to be productive from anywhere, organizations across all industries have become more relaxed with allowing the use of personal devices with bring-your-own-device (BYOD) programs. With this fundamental change, if mobile devices are not considered a significant part of the overall security and risk management strategy, they present a risk to any organization.
This risk doesn’t just lie in phishing attacks, malware, risky connections, or device compromise. As employees download unvetted applications for both personal and work use, they unintentionally expand your organization’s risk surface. This is mostly due to the risky permissions that many personal apps have. Permissions like access to the address book, local files, or location might seem innocuous on a personal level, but could put corporate data accessed from that device at risk.
Since employees can access a plethora of enterprise data from mobile devices, it’s critical to understand how allowing BYOD devices could affect your overall risk posture — especially when it comes to personal apps whose permissions could mistakenly put your employees, their devices, and the data they have access to at risk.
Apps Don’t Have to be Malicious to be Dangerous
A high-profile example of a risky app that has emerged is the Chinese social media platform TikTok. While governments around the world have been hyper-focused on banning TikTok, their concerns about its data access and connection back to China could be applied to thousands of apps we all use. The TikTok problem demonstrates how an app that isn’t outright malicious can still pose risk to your organization’s data.
So, whether your organization is specifically concerned with TikTok or not, it illustrates just how risky personal apps can be because of the data they collect. Whether it’s a national security issue, as claimed by many government bodies across North America and Europe, or it’s a compliance issue of geofencing data to align with laws like GDPR or CCPA — it’s critical to understand how mobile apps could potentially access and handle sensitive data.
Hidden Malicious Functionality
In addition to TikTok, recent discoveries about the popular Chinese e-commerce app Pinduoduo have proven that there can be outright malicious functionality hidden in apps developed by legitimate organizations. Pinduoduo was recently removed from Google Play after researchers discovered its off-store versions, which were predominantly used for the Chinese market, could exploit zero-day vulnerabilities and take over devices in various ways.
After the news came out about Pinduoduo, researchers from the Lookout Threat Lab decided to take a look at Temu, which is another wildly popular e-commerce app developed by the same parent company.
The Lookout team found that there was some code in Temu that was removed after the Pinduoduo discoveries were made. Most alarmingly, versions 1.55.2 and before had a patching capability through a home-built framework known as “Manwe,” which is an unpacking and patching tool that was also found in the malicious versions of Pinduoduo. Manwe could enable PDD holdings to patch the app on the device, rather than through the Apple App Store or Google Play Store. This is against app store policies, as it could enable the developer to push unauthorized code via updates to user devices.
While there was no evidence of any executable files being delivered through Manwe, which would have indicated malicious use, the same code existed in the versions of Pinduoduo that were deemed malicious because of this functionality. Given the fact that the parent company used this functionality to execute malicious activities in its other app, it’s highly risky to have older versions of Temu on your device. For this reason, Lookout suggests that administrators consider this as part of their greater risk tolerance strategy and denylist Temu versions 1.55.2 and before.
How to Mitigate Mobile App Risks
Visibility into mobile risk can be a sizable but achievable challenge — especially if you have a mix of iOS, Android, managed, and unmanaged devices across your employee base as most organizations do. And the way that mobile operating systems are setup, it’s also very difficult to manually scan apps for malicious code.
Whether it’s tackling mobile operating system-level vulnerabilities, app risks like what I described above, or phishing and network threats, mobile security is critical to your security posture. Here are three key things to think about to better monitor and mitigate against these threats:
- Think beyond management. Mobile device management (MDM) solutions serve a strong purpose, but there’s a reason they’re called management tools and not security tools. For app risks, MDMs have some control over what apps users install, but they have no visibility into the risks themselves.
- Continuous risk-based monitoring. You need real-time visibility into the app itself to minimize risks, such as what permissions they have, how data is being handled, the networks it communicates with, and the vulnerabilities and malicious codes embedded in them.
- Consistent policy enforcement. Many endpoint security solutions that have mobile capabilities are limited in the protections they can provide certain device types, which can result in gaps that open up devices, users, and data to compromise. A true mobile threat defense solution should enable the capability to enforce policy and protections consistently across all devices — regardless of whether they’re iOS, Android, managed, BYOD, or company-owned, personally enabled (COPE) devices.
Given the undeniably prominent role that mobile devices have in how your employees work, mobile app risks cannot be ignored.
Blog courtesy of Lookout. Author Hank Schless is director of Global Security Campaigns at Lookout. See more Lookout blogs and news here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.