LAS VEGAS -- Malicious mobile applications designed to steal sensitive data get plenty of media attention, but one expert says legitimate apps could pose a greater danger to enterprises.
Domingo Guerra, president and co-founder of San Francisco-based Appthority, said that's because mobile apps are easily downloaded and can tap into a variety of data sources that could potentially leak sensitive information.
Guerra, who is attending the 2012 Black Hat Briefings this week, said enterprise CISOs often set mobile policies without knowing the risks posed by legitimate mobile business applications. Guerra's firm gained attention at the 2012 RSA Conference when it won the most innovative vendor award for its platform, designed to conduct static and dynamic analysis on mobile applications. It also scores apps based on reputation and the risks they pose by the data they collect and distribute.
"Developers want to monetize, consumers want free apps, and ad networks will pay developers to get all that juicy data," Guerra told SearchSecurity.com. "Legitimate apps are taking information from the user, and usually that is married with information from the corporation."
Apps tap into corporate calendars, address books and location tracking of key executives, Guerra said. That information, if shared with the wrong person, could put some enterprises at a competitive disadvantage. Other mobile apps send data without using encryption, store user names and passwords incorrectly, and then share data with ad networks and analytics companies.
Another area of growing concern regarding mobile app security is the sheer number of distinct mobile app developers, Guerra said, which makes it increasingly difficult to know the reliability and reputation of an application's source. In an analysis conducted by Appthority and released this week, 92% of the top 50 free applications in the Apple iTunes App Store were created by unique developers.
"Today, software is coming from virtually unlimited sources," Guerra said. "They are untrusted and not vetted. Anyone with a computer can develop an app."
The analysis also found that Apple iOS apps outpace apps on Google Android devices in their level of access to data sources. The majority of iOS apps (88%) can access ad networks and analytics, the location of the device (70%) and the user's list of contacts (52%).
Among the iOS apps, 22% are capable of accessing all four sets of information. Interestingly, according to Appthority, there is no app in the Android Top 50 that taps into all four sets of information, which is notable because security experts generally believe the Android platform poses a greater security risk than iOS.
Mobile malware, Trojanized apps a future concern
Experts largely agree that data privacy is a greater concern than mobile malware. For now, cybercriminals are sticking to PCs because that is where the easiest money is made, said Adam O'Donnell, the chief architect in the Cloud Technology Group at Columbia, Md.-based vendor Sourcefire Inc.
"Cybercriminals will move to any location that they can get a foothold in and they can make money from," O'Donnell said. "It's an issue of wherever they can go and make the most money, and right now it's still the PC."
O'Donnell said cybercriminals have become extremely business savvy, seeking the lowest entry costs and highest returns on their malicious activities. Automated toolkits and profit-sharing schemes, he said, have primarily kept cyberattacks on the desktop.
"If an attacker comes up with a way to efficiently deliver malware to fragmented mobile handsets, then you would see malware going over to the handset side," O'Donnell said. "If everyone stops using PCs and starts using handsets, either they're going to attack the handset or the servers that they talk to."
Appthority's Guerra said malware will become a growing threat in the future. But as threats emerge and researchers develop a better understanding of mobile risks to enterprises, he said, enterprise IT security teams are slowly becoming the gatekeeper when it comes to securing mobile devices and vetting and approving applications. The question most organizations need to ask, Guerra said, is, "How much risk are organizations willing to accept?"
"Now that apps are doing line-of-business functions, IT is becoming the gatekeeper," Guerra said. "They're going to start demanding from developers to produce better security and better privacy."