Be the first to hear the latest EUC news. Enter your email to join.

Mobile Leaks Are On the Rise: Should You Be Concerned?

David Renwick

Author: David Renwick

David is part of VMware EUC's guest blogging community. He leads Wandera's product advocacy group, working with the company's largest customers to develop and implement lead-edge solutions. Learn more about Wandera at wandera.com.

Share This Post On

Getting Things Done While on the Go

The big idea behind mobile technology is exactly that: it is mobile. Employees are no longer tied to a desk. We can now send that customer quote or fix that issue without a mad dash back to the office. We are accustomed to (and somewhat obsessed with) the immediacy of response, interaction and, of course, pictures of kittens.

vmware-mobile-security-ebook

Click to download our free eBook.

But in the rush to do anything at anytime, did we overlook security?

I do not think we meant to let it happen, but perhaps it just did. In the gold rush that occurred on the back of the emergence of the consumer app store, thousands of clever, innovative and effective apps and tools launched—an “app for that,” so to speak.

However, the speed to market and the hockey-stick adoption curve means that mobile leaks inevitably slipped through the cracks.

What Slipped Through?

The hard stuff mostly: security threats. Sure, passwords stopped displaying on screens. That’s what the “•” character is for, after all. Yet, in the rush to get apps and services to market, did developers really do enough? Did they implement complex password requirements, password expiry, certificate pinning, two-factor authentication or encrypted storage? The short answer is no.

None of these features make a sales tool quicker or the user interface slicker. Arguably, adding security features often presents a usability barrier that annoys users and inhibits productivity. It is somewhat understandable that eager developers might cut a corner or two to get their apps to market quicker and get demanding customers off their backs.

[Related Video: The Dawn of a New Era in Mobile Security]

Data & Mobile Leaks

This attitude created other problems. In 2016, researchers at Wandera uncovered more than 200 well-known apps and mobile websites that exposed sensitive consumer and enterprise information during 2016. The vulnerabilities were present in places you might not expect: more than 59% of all the leaks identified were from just three categories:

  1. News and sports
  2. Business and industry
  3. Shopping.

A further 28% were from another four:

  1. Travel
  2. Entertainment
  3. Lifestyle
  4. Technology

Wandera’s 2016 Mobile Leaks Report: App Leaks by Category

Wandera 2016 Mobile Lead Report - App Leaks by Category

The research demonstrates that applications and websites used by employees could be exposing your company to risk. Are you confident that none of the services used in your mobile fleet are potentially leaking data?

How Did It Happen?

While not always powerful on its own, the nature of the data being leaked can often amount to giving malicious actors the keys to the kingdom. For example, a “man-in-the-middle attack” involves a malicious actor inserting themselves between the device and the web server to access unencrypted data. It can happen when a device is connected to an open Wi-Fi network, like those at a cafe, hotel or airport.

When a leaking site or app is used on such a connection, the unencrypted information can be harvested by the malicious actor. Depending on what is leaked, it could involve credit card theft, identity theft or even the reuse of login credentials to access a corporate network.

With this in mind, any employee with remote network access via their mobile device could be considered be a prized target for an attacker looking to access sensitive corporate data.

[Related: Wandera Shares Top 4 Mobile Security Lessons from 2016]

All Is Not Lost

VMware mobile security threats podcast

Listen to this Echo ONE podcast: The Real Truth about Mobile Security.

The days where we had prescriptive, locked-down corporate IT devices are gone. The genie left its bottle quite some time ago, and re-capture seems impossible. So what now?

The answer might simply be awareness of the issue: to change perceptions a position of low confidence in overall app security. With that thought in mind, you can then tackle the problem by bolstering corporate security with a sensible set of device policy, transparent data protection, proactive security monitoring and reporting.

Think of those systems as the device and data “bodyguard.” They happily go around with you and don’t really question or intervene until they see something that puts you at risk. The digital bodyguard provides a safety net in a wild-west style landscape of deliberate criminal app activity, as well as the overlooked security fundamentals. Like a globally connected police force, an attack or vulnerability discovered on one side of the world can trigger a change of protection parameters for all the devices in its charge.

Clearly, tackling these problems will be an ongoing battle for organizations looking to reduce their risk exposure, but simply being aware of them can go a long way towards resolving them.

Because you liked this blog:

468 ad