Manage Learn to apply best practices and optimize your operations.

Throttling mobile malware with per-app VPNs

How can enterprises enable mobility while insulating corporate networks from mobile malware? Per-app VPN tunnels offer secure remote access when combined with other measures.

Mobile malware poses a growing threat to enterprises. Less than 1% of all Android devices had a potentially harmful app installed in 2014, according to Google's Android Security State of the Union. However, a new and growing category of Android malware has now emerged: commercial spyware.

Apple iOS is less often victimized by malware. But in September and October, two significant malware outbreaks -- XcodeGhost and YiSpecter -- were found in apps distributed through the iTunes App Store. How can enterprises enable mobility while insulating corporate networks from these kinds of mobile malware?

While device-resident antimalware apps are widely considered a best practice for PC security, the same cannot be said for mobile devices. Antimalware apps are hampered by mobile OS application sandboxing, which insulates apps from each other -- especially on Apple iOS devices. Although antimalware apps are readily available for Android, they are largely signature-based and not very effective as a means of stopping zero-day attacks. As a result, security professionals must look for new approaches to deter mobile malware.

Blacklisting as a stop-loss measure

One way to deter malware is application blacklisting, which relies on IT-managed policies to prevent user-installation of unwanted apps on devices used for business. Blacklisting can often be applied to mobile devices using an enterprise mobility management (EMM) platform.

However, barriers to blacklisting include maintenance and personal privacy. To address the former, you can treat blacklists as a stop-loss measure and create them selectively to identify, quarantine and remediate specific malware outbreaks. This approach can be strengthened by mobile app reputational analysis. It may not be feasible on BYODs (bring your own devices) because many employers opt against inventorying user-installed personal apps.

For mobile devices that are enrolled with an EMM, you can significantly reduce the risk of mobile malware by enforcing a few basic policies. On Android, you can prevent side-loading -- that is, installing apps from sources other than Google Play or the company's own enterprise app store. For both iOS and Android devices, EMM agents may be installed to detect and respond to jailbreaking or rooting. While not all malware involves jailbreaking, rooting or side-loading, the vast majority of mobile malware makes its way onto mobile devices through these paths. Some employees may have legitimate need to jailbreak, root or sideload; however, most do not and exceptions can be made case-by-case.

Narrowing malware window of opportunity with per-app VPN

More recently, a new method of throttling mobile malware has emerged: per-app virtual private networks (VPNs), which are now available for mobile devices running iOS 9 and Android 5.

Per-app VPNs made their debut in iOS 7, but it was limited to app-layer VPN clients that supported the functionality. In iOS 9, it has been integrated into the native iOS VPN client and applies to network-layer (IPsec) VPN tunnels. In addition, apps configured to authenticate via Kerberos can now automatically launch the native VPN client upon successful authentication. This makes per-app VPN a lot more usable from an enterprise perspective, and also effective as a way of stopping malware from riding network-layer tunnels into enterprise networks.

With a traditional VPN, all traffic sent by a mobile device is tunneled to the corporate network, tearing a hole in that network's defenses through which a mobile Trojan might possibly gain access. While IP/port level policies can be applied to traditional tunnels, these are relatively coarse ways to minimize risk exposure -- and increasingly less effective as more and more app traffic rides over SSL/TLS.

Per-app VPNs create a paradigm by which tunnels can be automatically applied only to enterprise-installed apps. In this way, trusted enterprise apps become whitelisted, safely accessing the corporate network, while any other app installed on the mobile device -- including malware -- has no access to the VPN.

Ultimately, you should combine several measures to manage mobile malware risk. After all, a blacklist or a per-app VPN on a jailbroken device cannot really be trusted. However, combining measures that are effective and practical for each mobile device can together create a stronger security posture that effectively deters, detects and contains mobile malware.

Lisa Phifer owns Core Competence Inc., a consultancy specializing in safe business use of emerging Internet technologies. In 1994, Phifer received a Bellcore President's Award for her work on the South Carolina Information Highway. Since joining Core Competence in 1995, she has focused on secure mobility. Phifer is a recognized industry expert on wireless, mobile and cybersecurity. She has conducted cyberthreat research and written extensively about safe networking needs, technologies and best practices.

Next Steps

Take these three steps to better mobile app security

New application security threats can arise during mergers and acquisitions

Learn more about mobile app security in this essential guide

TechTarget's new e-zine focuses on mobility in the modern age

This was last published in November 2015

Dig Deeper on Mobile security threats and prevention