The number of 'blacklisted' malicious apps have declined in 2019 compared to 2018. However, this isn’t necessarily good news for enterprise security teams, warns RiskIQ researchers. Mobile apps continue to form a "significant portion" of the enterprise attack surface, states its Mobile Threat Landscape report.
The data sourced from more than 120 app stores as well as close on two billion web resources show an 18 percent growth in the global mobile app landscape. However, there was a 76 percent decline in apps that were blacklisted by app stores in 2019.
"Although mobile apps help drive business, the app landscape is a significant portion of an enterprise's overall attack surface that exists beyond the firewall, where security teams often suffer from a critical lack of visibility," said report author Jordan Herman.
It is this visibility gap that threat actors seek to expose and exploit with malicious apps that often mimic well-known brands. While such rogue apps occasionally break through the defences in place that protect the Apple App Store and Google Play, it's the app stores of ill-repute that are more problematic.
Many of these apps are found in stores hosted in countries known for cyber-crime, such as China, or outside of stores altogether on the open web, noted Herman. Referred to as feral apps in the report, these can be a particular thorn in the side of the CISO and form part of the enterprise attack surface. The RiskIQ research identified 12,079 such feral apps in 2019.
"Feral apps pose a significant threat to enterprises, especially with the proliferation of mobile devices and their increased role in business, often carrying sensitive intellectual property or client data," Michael Barragry, operations lead at edgescan, told SC Media UK.
Such apps can act as a "pivot point" for further attacks or can be actively "sniffing and exfiltrating data," Barragry says. This should come as no great surprise, pointed out Tom Venables, SAP security architect at Turnkey.
"Mobile devices are playing an increasing role in an enterprise’s IT landscape, from traditional desktop applications moving to mobile-enabled functionality and the use of SIM-based authentication, there is no doubting that personal devices represent a growing threat vector to the security of IT assets and information," Venables told SC Media UK.
Why would employees download feral apps in the first place? "If they are doing it without sanction, then you should detect that and flag for investigation," said Marco Rottigni, chief technical security officer at Qualys .
"If they are doing it to do their jobs, then there is a bigger question to answer on whether they have what they need," he told SC Media UK.
Not all apps are intentionally feral, but seemingly safe applications can sometimes install other advanced malware by default; posing a threat to those businesses that lack sufficient application visibility, warned Steve Mulhearn, director of enhanced technologies UKI & DACH for Fortinet.
So is mitigation against the feral app threat to the enterprise all about visibility, visibility and more visibility?
"Getting effective, real-time insight into what is taking place across all your IT is the only route to protecting against this kind of threat," said Rottigni. "I’m convinced the most dangerous phrase in the English language is ‘I didn’t think it would be a problem’."
Asset management is the key, he said. "Once accurate visibility is in place, we instantly become aware of feral apps being downloaded and installed, upon which enforcement or otherwise remediation can be organised quickly."
Will LaSala, senior director of global solutions and a security evangelist at OneSpan, recommends enterprises take a zero-trust approach on all mobile devices. It was proven time and again that relying on Google or Apple to 'catch all the threats' and keep devices safe is not a great posture for any enterprise.
"One way to protect your app if you are distributing the app through other methodologies is to use technology like app-shielding to protect apps from a hostile environment where malware and other problems can be had," LaSala said.
Winston Bond, technical director (EMEA) at Arxan, noted that as it's all but impossible for an enterprise to police the apps on employee devices. “A strategy based on self defence is more realistic," he said. According to him, developers of sensitive apps should make sure that they include their own integrity checks, to make sure that the app that runs is the same as the app they built.
"In some cases, the financial sector is already somewhat ahead of jailbreak and root detection bypassing community, by implementing code that prevents applications from being reverse engineered," Paul Stewart, security consultant at Pen Test Partners, told SC Media UK.
It's often difficult for smaller organisations to control where their applications are installed, Stewart admitted. He explained how some organisations have resorted to implementing Runtime Application Self-Protection code to prevent the user from running the app or tampering with it on a rooted device. "Some financial applications also verify the device on which the application is installed," Stewart adds.
However, ultimately, protecting user data is key to deterring malicious actors. Stewart advises enterprises should: Use a trusted authentication system; Implement regular session token refreshing and expiry routines; Employ strict permissions on user access to the API; Use fingerprint or facial recognition, or other multi-factor authentication.