The mobile application is the new frontline

One of the characteristic qualities of this age of enterprise technology is the intermingling of our personal and professional lives: personal devices, corporate data, remote work, office hours – all have become enmeshed, says Ash Patel, general manager for EMEA, Zimperium.

Personal mobile devices might be the defining aspect of this new arrangement. These are the endpoints from which we talk with friends, send DMs and make TikToks while collaborating on shared docs, attending meetings and organising our work schedule.

This has granted flexibility in modern work, but it has also pushed security risk to the very edge of the enterprise environment. Malicious and vulnerable applications on corporate and personal devices can be used to attack end users and the companies, individuals, and organisations around them. Still, many enterprises haven’t recognised that a wide vulnerability gap has opened up at the technological intersection of the personal and professional. 

Cybercriminals, however, understand this well and the applications on those devices – whether personal or corporate – have become a key battleground between attackers and defenders. This conflict is currently being fought on several fronts.

Developers

Demand for mobile applications is at an all-time high. Smartphone users will grow to a predicted 7.5 billion by 2025. In 2022, revenue from mobile apps rose above $400 billion (€367.54 billion), and mobile apps now account for 60% of e-commerce purchases.

As a result, application developers are under incredible pressure to release new apps. In their rush to do so, they often skip crucial security steps or create code vulnerabilities such as cross-site scripting errors. According to Invicti Security’s 2022 Fall AppSec Indicator, this pressure regularly introduces vulnerabilities into the development process.

The report shows that 45% of developers skip security steps in order to make release windows. As such, applications are often released with vulnerabilities baked into the final product. In fact, 74% of developers agree that applications regularly get released in an insecure state.

These can be seized upon by cybercriminals who use those application vulnerabilities to attack individual devices, as well as the systems they connect to. Zimperium’s zLabs team has found that 14% of global iOS and Android apps operate with a number of configuration issues that expose personally identifiable information, IP (internet protocol) addresses, internal systems and configurations.

Cybercriminals

However, cybercriminals aren’t just seizing upon opportunities they find. They’re actively creating mobile malware to target the various apps and devices that we now rely on. The 2023 Zimperium Global Mobile Threat Report (GMTR) explains that the zLabs team detected – on average – 77,000 malware samples every month in 2022, rising by 51% from 2021.

Malicious mobile applications are also widely available on popular app stores. In fact, we regularly find malicious apps – created by cybercriminals – floating around legitimate app stores. In recent years, the GriftHorse campaign was distributed throughout the Google Play Store in over 70 countries and ultimately infected over 10 million devices.

We found PhoneSpy targeting thousands of South Korean citizens. Masquerading as a collection of 23 different mobile applications, this campaign spied on users, collecting personal information, and enabling attackers to take over the phone’s functions.

As referenced in the 2023 GMTR, the zLabs team found a trojan dubbed Schoolyard Bully within numerous apps from the Google Play Store. Those apps were eventually removed from the Google Play Store but not before they claimed over 300,000 victims.

Earlier this year, the UK’s NCSC (National Cyber Security Centre) found over 200 malicious iOS and Android apps in the Google Play Store and the Apple store. More recently, security researchers found a spyware dubbed SpinOk in over 100 Android apps, which – in aggregate – have been downloaded more than 400 million times from the Google Play Store.

These types of malicious applications lurk on legitimate app stores with the ultimate intention of exploiting end-users and the individuals and organisations around them.

End-users

Now, consider the risks that currently face mobile applications and the places where they’re being used – mobile devices. In the last few years the mobile device has quickly become the main endpoint of business. Our 2019 State of Enterprise Mobile Security report found that 60% of enterprise endpoints are now mobile devices, and that 80% of daily work is performed on a mobile device. This makes mobile devices – and the potentially insecure applications that reside on them – one of the most sensitive attack surfaces a business maintains.

Unfortunately, many vulnerable applications are often crucial to business. Zimperium’s 2022 GMTR actually found that among technology leaders, 56% use four to eight enterprise applications on their mobile device, while 17% use over eight. 

This amounts to a risk when you consider the vulnerabilities that often spring up in these apps. Microsoft Office 365 is the enterprise apps around, used by 84% of security professionals, and accounts for more than 72% of exploits.

A risky, or malicious, app residing on an employee’s device can signify a real threat to their employer. Depending on the nature of the threat, malicious attackers could use those devices to access the corporate data held on their phone, abuse the corporate privileges given to that device – personal or not – or even take remote control over their devices. When employees take their device into work, an infected personal device becomes a corporate espionage device.

Protect the application, protect the enterprise

Mobile applications will continue to be an attack vector as long as mobile endpoints maintain a central position within the workplace. It’s a part of the attack surface that requires cradle-to-grave protection.

Application development

That process starts during development: mobile application developers are trained to write applications, not oversee security. Furthermore, they’re often unaware of many of the mistakes that can lead to grave vulnerabilities after release.

From that point of view, security has to become an integrated part of a development environment which can continuously identify security and compliance risks within binaries, isolate vulnerable code as it emerges, and guide developers to solutions while avoiding delays.

Similarly, many app developers use open-source or third-party code when writing applications, so the development environment must also account for the potential vulnerabilities emanating from the supply chain.

Application release

When apps are finally released into app stores, cybercriminals will often try to reverse engineer them to find new vulnerabilities within them or build malware to exploit them. Those apps need to have their source code protected with code obfuscation and app shielding. Meanwhile, developers need visibility into tampering attempts – such as jailbreaking or rooting – as well as the ability to respond when tampering occurs.

Similarly, encryption is no longer enough to protect the data that is transmitted from or stored within the app. Many cybercriminals are now focused on stealing the keys that are used to encrypt that data by exploiting poor key management practices and hardware-based security storage or even using malware to steal keys directly from device memory. Protecting those keys requires whitebox cryptography to obscure cryptography within software and make those keys impossible to extract.

On device

Once apps are on devices, a further level of protection is required against unsecured networks, malware and other threats. Apps need to be continuously monitored, and able to proactively protect themselves when threats arise. Crucially, this needs to happen on the device where those apps reside, both to account for the compromised devices and environments that the app might face and so that the apps can take defensive measures even without a network connection.

Closing the vulnerability gap

Mobile applications will continue to be enduringly popular pieces of technology – but as personal devices become business mainstays, they also become a potential attack surface. Too many organisations overlook this nascent vector in their security strategies while attackers are busily exploiting it. This vulnerability gap has to be addressed at the edge – the mobile application.

The author is Ash Patel, general manager for EMEA, Zimperium.
