Unsanctioned software and applications running on corporate mobile
devices are a security nightmare. They range from apps that meet genuine
business needs (commonly referred to as Shadow IT), such as efficient
remote communication with colleagues or corporate document management
via downloadable messaging and file-sharing apps, to apps used for
non-work-related lifestyle or entertainment purposes such as
socializing, fitness, gaming, and watching sports.
Unmanaged personal apps on corporate devices introduce numerous vectors
and vulnerabilities for exploitation, including avenues for data
exfiltration, cyber attack, and surveillance of employee activity by a
malicious third party, among many other potential risks to organizations.
The risks posed to businesses by unsolicited apps have intensified since
the outbreak of the COVID-19 pandemic and the subsequent move to mass
remote working. With fewer face-to-face meetings and interactions, employees are looking
for new ways to communicate without the formality of an email or
Teams call. However, with new attack tactics, exploits, and tools emerging through
unsolicited apps, mobile devices and apps have never posed as great a
threat to organizations as they do now. Most
users tend to disbelieve that cyber criminals will target them, but these
apps often request extensive access to personal information or
integration with privileged accounts. “They can be quite effective
threat vectors for cunning attackers.”
Popular attacks on mobile devices include remote access Trojans (RATs) and man-in-the-middle (MITM) attacks for accessing user data or eavesdropping, ransomware for restricting access to devices, and fake certificates for side-loading malicious apps.
Seemingly genuine and trustworthy apps and app stores can be anything
but. For example, Turner alludes to applications posing as one thing and
approved onto Apple’s and Google’s walled store gardens that end up
being something much more malicious, such as some calculator apps in
fact being file transfer mechanisms.
Likewise, it’s not unheard of for trusted app stores such as Google Play to contain apps riddled with malware. Even the legitimate TikTok app was caught out last year capturing
copy-buffer (clipboard) data from Apple devices when it shouldn’t have been. While the social networking service has since stopped capturing such
data, it is an example of the hidden risks potentially posed by such
apps if they are not carefully vetted.
Most concerning of all, new cloud threat research from Netskope
discovered that 97% of cloud apps used in the enterprise are unmanaged
and often freely adopted. Businesses clearly need to be doing much more
to vet which apps employees use on work devices.
So, what unauthorized app types should be highest on the risk list, and why?
1. Social Media And Messaging Apps.
Probably the most commonly found app types on company-owned devices, social media
and messaging apps can cause significant security and privacy headaches
for security leaders. “Social media apps have been guilty of tracking
what you do across your device, websites you visit, locations you go to,
and so much more,” e.g. Facebook, which is known to have suffered from security holes and
vulnerabilities, privacy troubles, and confidential information leaks in
the past.
You wouldn’t want to see social media apps from outside of the countries in which your company does business. Apps from other countries on a device open a pathway to
violating privacy and data retention laws and regulations, as they could
potentially be used for conducting business, by malicious insiders
exfiltrating data, or by malicious actors using the apps to exfiltrate data
or compromise a device via a backdoor or zero-day. Some countries require everything to go through the central government. Is it worth exposing your company’s device to those risks when it
doesn’t even do business in that country?
China-based apps are a particular concern. Little needs to be said regarding the inherent security
and cyber risk: apps developed and sourced out of China tend to
have back doors and malicious code, and they expose an enterprise’s
sensitive data.
Regarding the security issues surrounding messaging apps, a prevalent
issue is that popular services such as WhatsApp, Signal, and Telegram
are vendor-hosted, centralized, consumer-grade apps. “That means
employees’ work-related discussions are sucked onto the app’s servers,
leaving the company with no control over how its data is stored or
managed and potentially subject to data mining and exfiltration. Moreover, there’s no formalized moderation and no way to ensure
discussion groups are inclusive or contain all relevant parties. Worse,
there’s no control around deprovisioning someone who leaves the
organization, nor auditing, which leads to unaccountable decision-making.”
Security leaders should indeed be concerned if employees are conducting
business via consumer- rather than enterprise-grade collaboration and
messaging apps.
2. Remote Access And Cloud Storage Apps.
Amid the migration to mass remote working over the last 18 months, use of
remote access and cloud storage applications has grown significantly as
organizations and employees have sought out new ways to work securely
and efficiently. Unwarranted remote access apps can redirect all network traffic on a
device to an unknown server, VPN, or remote access infrastructure, where all
company app traffic now flows and is potentially collected or
analyzed by a third party. Likewise, alternative cloud storage solutions can be configured to
automatically back up files, photos, and other data on your device to
them. If your job involves working with files and photos locally on your device,
this is another scenario where data can purposely or inadvertently be
stored elsewhere, unprotected by your company’s security solutions. Those same apps can also be used by attackers, configured with their own
accounts, to obtain a copy of the data you’re working with on your device. All of this exposes organizations to potential compromise and data breach
incidents: harvested credentials, sensitive data exfiltrated
and stored improperly, and so on. These risks will continue to increase if left unchecked, for many reasons, including ongoing remote working and the vast utilization of apps like
Office 365 or Dropbox to share information within organizations, among
partners, and with customers.
3. Security Tool Apps.
It is possible, on some Windows 10 machines, to download software from the Microsoft Store
without the need for administrator privileges. This creates the risk of installing and using unauthorized,
sophisticated security tools that should only be used by those in
specialist roles. Unauthorized users who play with security tools such as Wireshark or Kali Linux may have no idea of the damage they could cause to an organization. While the tools are legal, unauthorized use is not. Users could use the
tools to eavesdrop on a corporate network, which is particularly harmful
if they were a disgruntled employee or insider threat. In addition, employees using these tools for fun will likely never have
heard of bad actors living off the land, and unauthorized use of these
tools can make the job of a bad actor far easier, as you’ve essentially
given them the tools they need to hack an organization from within. For example, within Kali Linux there are hundreds of DDoS tools that
have the potential to disrupt the entire corporate network. Particularly
given that most DDoS protection layers sit on the perimeter of the
network, any DDoS launched from within is likely to be missed by those protections, which therefore cannot prevent it.
4. Third-Party App Plugins.
Third-party app plugins designed to add functionality to even verified apps have the
potential to greatly threaten the data of organizations. According to
the Netskope report cited earlier, 97% of Google Workspace users have
authorized at least one third-party app to access their corporate Google
account, potentially exposing data to third parties through scopes
such as viewing and managing files within Google Drive. For example, the CamScanner app plugin can access all of your documents in Google Drive. CamScanner was found to contain malware
and was banned by the Indian government. In other words, third-party
app plugins may provide a valid service, but the organizations operating
the apps may not be trustworthy enough to handle sensitive data.
Attackers have also discovered that gaining access to a Google account
that controls the mobile device via the App Store/Play Store is much
more effective than trying to find vulnerabilities and develop exploits
for mobile, which is labor- and time-intensive. Such access provides the keys to the kingdom: confidential data, credit
card information, and more. An attacker with a compromised account can
access backups and recover data belonging to all apps on a mobile
device, including messages, contacts, and call logs. If someone steals these accounts, they can permanently track a device
and remotely control several key actions (such as making unauthorized
purchases or installing malicious apps), causing further damage.
5. Gaming Apps.
Corporate devices and networks are not made available to support game playing, whether
during work hours or outside them, but some try regardless. While this
represents a gross misuse of company property and unnecessary
expenditure, the security concerns of using corporate devices to install
and play gaming software are even worse. “The Steam client, for
example, is equivalent to opening a can of worms if installed on any
device that has access to the corporate network. The sheer quantity of games that can be installed using Steam makes it
very difficult for security to maintain visibility of what is on the
network and respond accordingly. Any unauthorized software would then
fall out of the security team’s patch management process, so gaps could
be left open to exploit.” He points to an example from last year when
researchers found four vulnerabilities within Valve, Steam’s developer,
allowing hackers to take over the third-party service to execute
arbitrary code and steal credentials.
The most dangerous gaming app in our opinion is 9Game.com, a portal for downloading free Android games. We have seen more malicious apps come out of this mobile app store than any other over the past couple of years.
Reducing The Risks Of Unsanctioned Mobile Apps.
When it comes to addressing the risks posed by unsolicited applications on
corporate devices by stopping people from installing unapproved
software, experts agree that a combination of policy and education is
required. This helps to support the drive to monitor and manage usage across the rest of the staff. Device/app whitelisting
allows only certain executable and associated files to run. This
means that any application that was not approved would be stopped
before it could be run. It would also help with a malware-infested
copy of a legitimate application, as the executable would be different,
usually picked up by its MD5 hash being different. This option can be
quite labor-intensive to set up and manage but is often worth the
effort. Such policies can be enforced through endpoint management solutions by
instituting an approval flow for unsanctioned apps and remediation of
existing unapproved apps.
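The hash-based allowlist check described above, as an added illustration that is not part of the original article or any vendor's product: an approved executable is recorded by digest, and a copy with the same name but different bytes (the "malware-infested copy" case) or an executable not on the list is refused. File names and contents are constructed samples; MD5 is recorded because the article mentions it, but the decision uses SHA-256.

```python
import hashlib
import tempfile
from pathlib import Path

# Allowlist entries are keyed by file name and store two digests. MD5 is kept
# because it is what the article cites; SHA-256 is the one actually compared,
# since MD5 collisions can be manufactured and should not gate execution.
def file_digests(path):
    data = path.read_bytes()
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def build_allowlist(approved_paths):
    """Build the allowlist from known-good copies of approved executables."""
    return {p.name: file_digests(p) for p in approved_paths}

def check_executable(path, allowlist):
    """Return 'unapproved', 'tampered' or 'allowed' for the file at path."""
    expected = allowlist.get(path.name)
    if expected is None:
        return "unapproved"        # name never approved: block outright
    actual = file_digests(path)
    if actual["sha256"] != expected["sha256"]:
        return "tampered"          # same name, different bytes: repackaged copy
    return "allowed"

def demo():
    """Constructed sample: one approved binary, one infected copy, one unknown app."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "approved" / "notes.exe"
        good.parent.mkdir()
        good.write_bytes(b"MZ original build of the approved notes app")
        allowlist = build_allowlist([good])
        # Same file name as the approved app, but with extra bytes appended.
        bad = root / "downloads" / "notes.exe"
        bad.parent.mkdir()
        bad.write_bytes(good.read_bytes() + b"\x90\x90 injected payload")
        # An executable nobody approved at all.
        unknown = root / "downloads" / "game.exe"
        unknown.write_bytes(b"MZ some game client")
        return {"approved": check_executable(good, allowlist),
                "tampered": check_executable(bad, allowlist),
                "unapproved": check_executable(unknown, allowlist)}

if __name__ == "__main__":
    print(demo())
```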