Three Steps to Mobile Application Risk Management

July 17, 2013

In today's Whiteboard Wednesday we will discuss mobile application risk management. Did you know that the average smart phone user has about 50 applications on their phone? Mobile applications can pose a threat to your corporate and personal data, especially if they are on a phone that is jailbroken or downloaded off of a non-trusted application store.

Watch this quick video to learn how to gain visibility into the mobile applications that your employees are using. Download Mobilisafe to take advantage of the new mobile application risk management features!

Video Transcript

Hi everybody. My name is Giri Sreenivas, and I'm the Vice President and General Manager for Mobile here at Rapid7. For this week's Whiteboard Wednesday we're going to talk about how to understand mobile application risks.

Show more Show less

So I want to start by setting the stage with a little bit of data to help you understand what the environment looks like today. What we're seeing is about 5% of IOS and Android devices are jail broken, and what that means is it's more likely for these kinds of devices to get access to applications from untrusted sources that can pose higher risks.

One other piece of data to note here is that end users have on average about 50 applications that they've downloaded from all trust stores, all of the application stores out there. So to get specific about what these applications on these jail broken devices can mean for you, let's talk about the specific risks.

So the first specific risk that you should be worried about is a leakage of corporate data. A good example of an application that can actually lead to a leakage of corporate data is a prior version of LinkedIn.

The LinkedIn application would take calendar events that had corporate data embedded in them and sync them back to the LinkedIn service. What LinkedIn was trying to do was provide you with a better experience by associating the LinkedIn profiles with the meeting attendees. But the problem with this approach was they didn't actually allow the end user to opt in or provide any awareness that this calendar data was being synced back to their service.

Similarly we've seen lots of applications get access to the address book and sync address book data back to a cloud based service, without providing any visibility or insight to the end user in the IOS world, or requesting a permission that an end user will sort of blindly accept in the Android world.

The second risk that we see from applications is unintentional opt-in to something called smishing. Smishing is basically a sign-up for a premium SMS plan that can incur charges and premium data plan charges that weren't intended by the end user.

And the third risk that we see is around actually having the device become jail broken. So applications are a great delivery mechanism for exploits to take advantage of vulnerabilities that exist on a mobile device. And the biggest concern with having a device be jail broken is that you can't trust any of the security capabilities on that device. All of the corporate data could be leaked off that device without anyone knowing that this has actually happened.

So what we do to mitigate these three risks is recommend the three following steps. The first step is to actually discover and inventory the applications on end user devices. What you want to do is understand who is using a mobile device that has got access to different app stores and what actual applications they're downloading and putting on those devices.

The second thing that you want to do is you want to validate that the applications on these devices are actually coming from trusted app stores, like the Google Play market or Apple's App Store.

And the third thing that you want to do is, as you bring more and more of these devices online from an application reporting perspective, is you want to take a look at that in aggregate across your entire employee base and understand what is the breadth of applications that are being used to conduct work.

Some of these trends will tell you that you need to get in front of how employees are using these applications with your corporate data. For example, they might be using an insecure file sharing application that you may want to head off by recommending a more secure file sharing application.

And the last thing you want to do is just really, going beyond aggregation, is get an understanding of the analytics around that. Are there very highly used applications that you need to get insights into, and are there applications that users are backing away from because maybe it's not solving problems for them?

So these are three steps that we recommend IT security pros take a look at when they're evaluating mobile security solutions for their organization.

Again, thanks for joining us for this week's Whiteboard Wednesday.