What IT doesn't know about mobile apps can hurt the enterprise

Ubiquitous in the workplace, mobile devices vastly increase employee productivity, connectivity and their ability to collaborate. Employees can easily access corporate networks and sensitive enterprise data with a mere swipe -- whether they are bringing their own device (BYOD) or via a corporate-issued device. At the same time, mobile devices present significant privacy and security challenges for organizations.

Employees commonly install personal apps on devices they also use for work. Often, employees don’t think twice about whether an app they’re using could potentially expose their corporate network to risk. In fact, an alarming percentage of mobile apps used within the enterprise are able to access sensitive device functions, or otherwise exhibit behavior that may pose security risks to the organization and violate its BYOD policies. Without understanding what these apps do, organizations are playing Russian roulette with their security.

It may seem far-fetched that a seemingly innocuous consumer app could have a major impact on an organization's security, but the dangers are more rampant than you may think. In the United States, a Federal Trade Commission lawsuit revealed that a flashlight app maker was illegally transmitting users’ precise locations and unique device identifiers to third parties, including advertising networks. And the Environmental Protection Agency (EPA) faced embarrassment when an employee using a Kim Kardashian Hollywood app tweeted out to the agency’s 52,000 Twitter followers, "I’m now a C-List celebrity in Kim Kardashian: Hollywood. Come join me and become famous too by playing on iPhone!" That employee was using the Kardashian app on her mobile phone and didn’t realize that the app had the ability to automatically access the phone’s Twitter account and tweet out messages when certain game thresholds were reached. Unfortunately for the EPA, her phone was configured to use the EPA’s official Twitter account, not the employee’s.

These examples show that mobile app security risk is not just limited to malevolent hackers and unfriendly governments. Threats to corporate data and reputation can be hidden in the most seemingly harmless apps, and can be unleashed on an organization by the most well-intentioned employee. Because of these hidden possibilities, enterprises must understand the risky behaviors associated with mobile apps that could compromise data security.

These everyday apps on an employee’s mobile device could serve as that unexpected bullet in the chamber. Mobile operating systems include application programming interfaces that allow apps to access potentially confidential, proprietary or sensitive data. Examples include contact lists with customer details, photos with proprietary location sites or whiteboards with confidential data, and calendars with sensitive appointments. In addition, apps could access corporate social media accounts on the device as well as built-in hardware features like GPS, camera, audio recorder, etc. In fact, many apps have undocumented features that could be used for malicious or harmful purposes. For example, a study from Flexera Software found that 88 percent of iOS dating apps tested, including Grindr, OKCupid and Tinder, are capable of accessing a device’s location services. Sharing location data could be a serious problem, especially when doing so with third parties could violate laws, regulations or company policies.

It is, therefore, necessary for CIOs and CSOs to fully understand what mobile apps on employees’ devices can do -- what data, features and functions they can access -- and then determine whether this behavior is acceptable based on the organization’s BYOD policy. Testing mobile apps to discover their behavior and risks should be part of any organization's centralized Application Readiness processes.

By adopting these processes, organizations can ensure the necessary tools are in place so IT can reliably test, package and deploy apps into the enterprise. Through Application Readiness, IT teams can gain essential insights into mobile app behavior. For example, IT can leverage application reputation scanning, which examines an app’s properties, to determine if the mobile device features that the app uses violates the company’s BYOD and privacy policies. By doing so, IT can use these findings to establish policies that define which behaviors are risky.

Even the most innocent mobile apps can pose tremendous risk to organizations unaware of how their design and function can access sensitive data and, potentially, share that data in violation of BYOD policies. Ultimately, it is the responsibility of IT teams to understand what popular mobile apps their employees are letting onto corporate and BYOD devices, and understand what risks those apps present. With Application Readiness processes, they can fully identify and effectively manage risky mobile apps. As a result, employees can then use authorized apps with confidence, knowing they’ve been thoroughly vetted, and IT will have even greater confidence that danger has been averted by avoiding apps that exhibit risky behaviors.

Image Credit: talitha_it/Shutterstock

Maureen Polte is Vice President of Product Management, Flexera Software