App stores open the door to security vulnerabilities
App store owners need to take a much closer look at the security they provide and the vetting they carry out on apps if mobile apps are not to become even more of a vector for security threats than they already are.
Although Apple pays lip service to vetting each app that goes into its store, it also recently had to pull 250 apps that were sending personal information back to central servers somewhere in China, indicating that its oversight is not perfect. The situation with Android is no better — Google does little to vet or oversee the apps lodged in its Play Store, making it a vector for malware and other security vulnerabilities.
It’s made worse by Android’s vulnerability to security problems. A recent study found that 87% of Android phones (which make up the majority of the world’s phone ecosystem, ahead of iOS) were vulnerable to known security flaws.
Both stores, therefore, are a vector for potential security threats that could wind up compromising corporate networks. This is because of the current trend towards allowing staff to bring their own device into the office and connect to the office network.
Typically this connection is automatic after the first sign-on as the device will pick up the local Wi-Fi network. Once the device is on the local network, it’s a step away from being able to connect to the deeper corporate networks the Wi-Fi is linked to.
The problem IT managers have is that their employees are demanding to use their own devices, and also the convenience of connecting to their corporate data via Wi-Fi. Yet those same IT managers have very little say in how the devices are used and little control over the apps that are downloaded onto them.
The current app store situation is a vector for malware to be accidentally loaded onto a user’s device, and then connect to the corporate network. Hackers could then take control of the device, or access the data streams it is sending back, using those streams for clues that would permit them to further penetrate corporate networks.
And that’s to say nothing about the corporate information kept on the device itself. Initiatives such as Google at Work and the burgeoning mobile device management (MDM) software industry go some way to providing an answer to the problem, but they are not an answer for malware that has been specifically designed to bypass security restrictions on the device.
So what’s the answer? For one, Google needs to more heavily curate the apps being uploaded to its Play Store. The days of it being a free-for-all need to end. Network managers also need to make sure that robust mobile device management software is installed on the devices they are allowing to connect to their Wi-Fi and corporate networks. And most of all, any connection between the Wi-Fi and other corporate networks must be heavily policed and locked down.