Mobile Apps, the Gateway to Security Breaches and Other Risks in 2015

Have you ever noticed an app running constantly and unnecessarily in the background? It’s possible that the app is tracking your location and sharing it with outside parties for their advertising purposes. As enterprise workforces become increasingly mobile, IT departments often times lack proper visibility into the hidden behaviors of apps. Hidden mobile app behaviors are a risk to both users and their employers. As employees turn to their mobile devices and apps for work, personal and corporate data mingle and are equally vulnerable. With tens of thousands of employees with hundreds of thousands of mobile apps in a mobile environment, organizations are faced with the daunting task of identifying which mobile apps put corporate data at risk and which apps are benign. After all, every single app increases the risk exposure in a corporate environment by providing a larger footprint into the enterprise.

The only way to avoid security and privacy problems is to learn more about mobile app risk. Organizations that are adopting Mobile First and BYOD policies need to incorporate fully automated mobile app risk management solutions to manage security and corporate privacy risks, from location tracking of executives to leaked corporate documents. Only by identifying the risks present within apps may organizations build stronger defenses against current and future threats and fully leverage the potential of mobility to empower a smarter, safer, mobile workforce.

In the realm of app security, these are four challenges that enterprises will need to prepare for in the year to come:

• Mobile Malware Remains Mostly Hype and Little Substance. We predict that the loudest voices in the security space will continue to decry mobile malware as the greatest threat to the enterprise. In fact, malware is not a primary threat to enterprise security or privacy on mobile devices. According to Appthority’s in-depth analysis, mobile malware infects only .4 percent of mobile apps on enterprise devices. The real and more common threat comes from non-malware risky app behavior, like aggressive data collection and data sharing, and how popular mobile apps downloaded to employee devices are handling sensitive company data.

• Developers Get Pushback on Data Requests. We predict that developers will increasingly feel pressure to cut back on building mobile apps with aggressive data collection that’s unnecessary for core functionality. Examples such as a flashlight app that taps a user’s geolocation and accesses user’s cameras and their calendars are raising some red flags. The argument by developers that they need to monetize will increasingly hold less water as enterprises and users recognize the true cost of “free” apps and require more transparency and stronger reasoning from developers if they want to include more behaviors behind mobile app data capturing and sharing. Developers that recognize this trend will be able to differentiate their app in a sea of competition by offering better security and privacy than their competitors. 

• Data Breach in Wearables. Google Glass and the Apple (News - Alert) watch have been the most recent stars as mobile computing moves into a wearable category that includes much hyped fitness trackers and health monitors as well. But as these wearables increasingly enter the enterprise, we predict 2015 to be the year of the wearable data breach. Apps bundled with these wearables mean an extended mobile attack surface that CISOs and IT admins are already struggling to control as they face the massive growth of mobile phone and tablet use. A breach traced back to a wearable app might unfortunately be the wake-up call that enterprises require before they get serious about ensuring critical mobile app data remains private and anonymized.

• Payback’s a B**ch. We expect to look back at 2015 as the year the credit card truly entered its first End-of-Life throes. However, we’re predicting another high-profile security snag involving one of the main players – Apple Pay, PayPal (News - Alert), Google Wallet or others. The CurrentC breach shined a light on the potential that personal information can be compromised and the role of mobile apps in ensuring security around some of the most sensitive data out there. CurrentC requires users to upload sensitive banking information and enable features that allow physical location tracking and transactional information sharing, and Apple Pay requires credit card information be photo captured or manually entered which could potentially also bump up the risk factor. 

About the Author: Born and raised in Monterrey, Mexico, Domingo moved to the United States at the age of 18 to pursue his passion for technology. As president of Appthority, he brings years of Lean Manufacturing and Stanford's “Design Thinking” experience. With a background as mechanical engineer for Applied Materials (News - Alert) (Semiconductor Manufacturing Industry), Domingo has led design and development projects in the Robotics space, securing two patents and winning multiple design awards. He holds a BS from The University of Texas at Austin, an MS from Stanford University, and an MBA from Santa Clara University.