As if we don’t have enough to worry about when it comes to BYOD, the folks at Zscaler have found a new and rather alarming problem with mobile apps. New analysis from ThreatLabZ, the company’s security research arm, found that up to 10 percent of mobile apps expose user passwords and login names, 25 percent expose personally identifiable information and 40 percent communicate with third parties.
That advice to only go to trusted sources, like the official store or marketplace for the system, doesn’t seem to apply here. The problem isn’t what is built into the apps, but what is not built in — mainly, security. Apparently, the ThreatLabZ team analyzed hundreds of applications and found that many popular apps leave user names and passwords unencrypted, while others are insecurely sharing personal information — such as names, email addresses and phone numbers — as well as communicating with third parties, including advertisers. As Michael Sutton, vice president of security research at Zscaler, pointed out in a release:
App stores have strict guidelines about which logos and colors developers can use, yet application security remains largely unenforced.
That seems backwards to me, but it is all about the brand, which means security is secondary.
Zscaler isn’t the only security company to point out the hidden security dangers in mobile apps. This summer at Black Hat, Domingo Guerra, president and co-founder of San Francisco-based Appthority, said that mobile apps can tap into data sources and leak information to third-party sources. According to an article in SearchSecurity.com:
Apps tap into corporate calendars, address books and location tracking of key executives, Guerra said. Information, if shared with the wrong person, could put some enterprises at a competitive disadvantage. Other mobile apps send data without using encryption, incorrectly store user names and passwords, and then share data with ad networks for analytics companies.
Guerra added the problem stems from the union of users who want free apps, developers who want some financial gain for their efforts and the advertising networks that mine the data. And the loser in the end could be the phone or tablet user’s company that ends up with its data compromised.
App downloads have always been a problem for companies that allow BYOD, but the concern has always been the bad apps full of malware. Now it appears that any app can be a problem. So what is a company to do?
Zscaler has released a new tool — Zscaler Application Profiler — that allows users to analyze the security of their mobile apps. (I tried it, and there are a few apps on my phone that will be getting the boot because of their risk level.) But beyond that, I’m not sure there is a lot one can do beyond being more thoughtful about the sensitive data stored on and accessed by the device. I’d be happy to hear any other ideas out there because this is a problem that has the ability to get worse before it gets better.