BYOD Security Alert: Enterprises Playing Russian Roulette with Mobile Apps


April 06, 2015

As businesses roll out their BYOD strategies, most CIOs and CEOs have no idea that many of the mobile apps allowed to touch corporate systems and data engage in risky behaviors that could compromise data security and policy.  This danger was underscored recently when a free app, Flashlight, which activated the phone’s flash function to use it as a flashlight, secretly recorded personal user information such as the location of the phone, details of the owner, etc., and sent it on to advertisers.


In fact, an alarming percentage of mobile apps being used within the enterprise are able to access sensitive device functions, or otherwise exhibit behavior that may pose security risks to the organization and violate its Bring Your Own Device (BYOD) policies.  Without understanding what these apps do and how, organizations are playing Russian roulette with their security.

When are “Harmless” Apps Akin to a Bullet in the Chamber?

Forget hacker threats and malicious software for a moment.  Seemingly harmless, everyday apps that abound on every employee’s mobile device could serve as that unexpected bullet in the chamber.  This is because mobile operating systems include APIs that apps can use to access potentially confidential, proprietary or sensitive data, like contact lists, photos, and calendars.  In addition, apps could access corporate social media accounts accessible on the device as well as built-in hardware features like GPS, camera, audio recorder, etc.  In fact, many apps have undocumented features that could be used for malicious or harmful purposes.

The risk to organizations is high, because most IT teams don’t have the same insight into and control over mobile app behaviors as they do with traditional enterprise software.  So it’s essential that they adopt the same best practices and processes to prepare mobile apps for delivery as they do with desktop and other applications.  As IT teams begin to analyze mobile apps and start building institutional knowledge around their behavior, they can substantially reduce the Russian roulette effect that mobile apps currently pose.

Arrrrr!* (*Application Readiness Reduces Russian Roulette Risk)

Organizations with mature internal processes adopt Application Readiness best practices, processes and technology to prepare enterprise apps for internal rollout – whether they’re physical, virtual, cloud, desktop or mobile applications. This provides a standardized best practice method for reliably and predictably testing, packaging and deploying apps into the enterprise.

Through Application Readiness automation, IT will gain essential insights into mobile app behavior. For instance, application reputation scanning examines app properties and configuration, determines the mobile device features that the app uses, and issues a report that can be used to establish policies that define which behaviors are risky. These policies can then be used by the Application Readiness solution to automatically identify risky apps, allowing IT to manage them appropriately.
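The policy-driven scan described above, sketched as an added example that is not from the article or from any Application Readiness product. It assumes an Android app whose AndroidManifest.xml has already been decoded to text; the policy table, the per-category allow-list and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Hypothetical policy: Android permission -> sensitive device feature it unlocks.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS location",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio recorder",
}
# Hypothetical allow-list: features an app of a given category plausibly needs.
EXPECTED = {"flashlight": {"camera"}, "maps": {"GPS location"}}

# Constructed sample: decoded manifest of a made-up flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def scan_manifest(xml_text, category):
    """Report sensitive features an app requests beyond what its category needs."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    features = {SENSITIVE[p] for p in requested if p in SENSITIVE}
    unexpected = sorted(features - EXPECTED.get(category, set()))
    network = INTERNET in requested  # data can only leave the device with network access
    if unexpected and network:
        verdict = "block"    # unexplained sensitive access plus a way to send it out
    elif unexpected:
        verdict = "review"   # unexplained access, no declared network path
    else:
        verdict = "allow"
    return {"package": root.get("package"), "features": sorted(features),
            "unexpected": unexpected, "network": network, "verdict": verdict}

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST, "flashlight"))
```

Declared permissions show what an app is able to do, not what it actually does, so a report like this feeds policy decisions rather than replacing behavioral testing. Manifests taken from untrusted packages should be parsed with a hardened XML parser such as defusedxml.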

Identifying and effectively managing risky mobile apps not only minimizes risk but also enhances the user experience. Employees can use authorized apps with confidence, knowing they’ve been thoroughly vetted. And security officers will have greater confidence that danger has been averted by avoiding apps that exhibit risky behaviors, or by eliminating those risky behaviors before they’re allowed access to the corporate network.

Existing Teams Understand Process of Reducing Risk

Many organizations add new teams to deal with mobile apps and app security.  However, existing teams should have all the experience necessary.  IT organizations that already leverage Application Readiness best practices, processes and technology to safely and reliably deploy enterprise apps can extend these same processes for mobile apps.  And in doing so, companies will simultaneously improve operational efficiency and ensure a standardized process for deploying all applications.  Adding mobile apps simply involves extending the familiar process to additional formats, operating systems, and deployment solutions such as mobile device management systems.

For instance, Application Readiness teams have already proven their ability to deal with new formats (application virtualization) and new operating systems (Windows 8). The same teams are also likely to be involved with preparing desktop apps for mobile device access via Citrix/RDS. So adding mobile apps to a single, standardized and consistent Application Readiness process that spans all enterprise applications makes sense. Leveraging their knowledge and efficiency translates into greater IT agility and lower cost in maintaining Application Readiness.

Even the most innocent mobile apps can pose tremendous risk to organizations unaware of how their design and function can access sensitive data and, potentially, disseminate that data in violation of BYOD policies.  By taking a comprehensive approach to managing the entire enterprise application lifecycle, including mobile apps, organizations can leverage existing staff, expertise and technology to test mobile apps, understand their threat potential, and take appropriate measures.  After all, you’re not really playing Russian roulette if you don’t play with loaded weapons.




Edited by Maurice Nagle
