Message to IT: Trusting Apple and Google for mobile app security is career suicide

Credit to Author: Evan Schuman| Date: Mon, 01 Jul 2019 05:47:00 -0700

Ready for the mobile security news that IT doesn’t want to hear about but needs to? When security firm Positive Technologies started pen-testing various mobile apps, security holes were rampant.

We’ll plunge into the details momentarily, but here’s the upshot: “High-risk vulnerabilities were found in 38 percent of mobile applications for iOS and in 43 percent of Android applications” and “most cases are caused by weaknesses in security mechanisms — 74 percent and 57 percent for iOS and Android apps, respectively, and 42 percent for server-side components — because such vulnerabilities creep in during the design stage, fixing them requires significant changes to code.”

Here’s the most frightening line and it’s frightening because it means there is no easy enterprise IT fix: “Risks do not necessarily result from any one particular vulnerability on the client or server side. In many cases, they are the product of several seemingly small deficiencies in various parts of the mobile application. Taken together, these oversights can add up to serious consequences.”

As I’ve argued before, enterprise IT — and certainly enterprise CISOs and CSOs — simply can no longer put any trust into an app from either Apple’s App Store or Android’s Google Play. This is a major nightmare, since that is where employees have to go to download apps, whether personal (BYOD) or corporate.

The security holes could be intentional malware, unintentional malware (an ISV developer leverages existing code for a common function, unaware that it includes malware), unintentional security holes or even perfectly fine code that is clean on its own but that accidentally creates problems when interacting with the rest of the mobile environment. That’s the “taken together” hole that Positive referenced.

What this means is that enterprises must hire and deploy their own penetration testing teams — either on staff or contracted — to test every app that they’re going to permit on a corporate device, even a BYOD device. So, yes, that very well might mean also testing every consumer app that some employee wants to download. (Won’t that make you ultra-popular?!)

This gets worse. To try to create and maintain a secure environment for your enterprise, you can’t merely pen test all of these applications once. Every time they offer an update, that app must be pen tested all over again, given that you don’t really know what that update is changing.

Some CIOs want to exclude from this list their major vendors, on the shaky rationale that they would never put out insecure code. First, sure they would. The larger the vendor, the more it is a target for the craftiest of cyberthieves and cyberterrorists. Unless you want to bet your company’s security on the ludicrous premise that your vendor’s systems are perfect, you simply cannot trust them. (At best, trust but verify, but even “trust but verify” exposes your systems initially.)

Would it be far more efficient and secure for Apple and Google to place a multibillion-dollar investment in security and pen test all of their own apps before they post them for download? Of course it would, but until enterprises insist on it — and shareholders back them up — it won’t happen. Oh, both Apple and Google will spend plenty to protect their own interests — copyright and other policy issues—but protecting enterprises? Don’t hold your nerdy breath.

“You cannot predict if you’ll have inherited vulnerabilities or not,” said Nikolay Anisenya, mobile pentesting team lead at Positive Technologies, in a Computerworld interview. “If you want to lower the risk of your employees being attacked, it’s better to train them about mobile app security.”

The problem with training employees about app security is that employees are going to assume that a corporate-mandated enterprise app (such as, let’s say, a company-approved firewall) had gone through corporate testing. And an app such as a firewall is precisely the kind of app that a good cyberthief will manipulate. If an employee notices the company-endorsed firewall getting invasive, that employee will typically assume that it’s an approved bit of invasiveness.

So how bad were the Positive findings? Bad enough. Some of least favorite favorites:

http://www.computerworld.com/category/security/index.rss

Leave a Reply