Dead and stale apps are putting sensitive corporate data at risk, not only through big data breaches but also through persistent low-level leaks, according to a report from Appthority.
In the 'Enterprise Mobile Threat Report Q1-2015', Appthority describes dead apps as mobile applications that have been removed from the storefront from which the user downloaded them. It said that there is currently no mechanism on Google Play, the Apple App Store or the Microsoft Windows Store to notify users that their apps are no longer supported.
“Despite the fact that Apple and Google have taken significant steps to be more open in the past years, there is still little to no transparency when it comes to the number of apps being revoked from the app stores post release, nor the reasons why the apps were removed,” the report said. “This leaves users who have downloaded the revoked apps in limbo, with lack of any visibility or direction.”
According to Appthority, 5.2 percent of iOS apps installed on enterprise mobile devices are dead, against 3.9 percent of Android apps.
Another concern is apps that have not been updated to the latest version available in the store. Such stale apps account for 37.3 percent of iOS apps on enterprise mobiles and 31.8 percent of Android apps.
Appthority said it analysed hundreds of thousands of apps on enterprise-managed devices and found 100 percent of enterprises in the survey had dead apps installed on their devices.
An app that has been withdrawn from the store is no longer receiving bug or security fixes. Worse, in some cases the domains it talks to may have expired, leaving the door open for an attacker to register them and serve fake updates and content to every install that remains on a device.
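The two checks the report implies, flagging installed apps that are dead (no longer in the store) or stale (behind the store's latest version) and then testing whether the hosts those apps pull updates from still resolve, can be run against an MDM inventory export. The script below is an added example, not code from Appthority or the report; the inventory, store catalogue, last-known hosts and the offline resolver stub are all constructed sample data, and the bundle IDs and hostnames are hypothetical.

```python
"""Flag dead and stale apps in a device inventory and check whether the
hosts they update from still resolve.  Added example with constructed data."""
import re
import socket
from typing import Callable, Dict, List, Optional

# Installed apps as an MDM inventory export might list them (constructed).
INVENTORY = [
    {"device": "dev-01", "bundle_id": "com.example.notes",   "version": "2.3.0"},
    {"device": "dev-01", "bundle_id": "com.example.expense", "version": "1.9.4"},
    {"device": "dev-02", "bundle_id": "com.example.notes",   "version": "2.4.1"},
    {"device": "dev-02", "bundle_id": "com.example.oldchat", "version": "0.8"},
    {"device": "dev-03", "bundle_id": "com.example.expense", "version": "1.9.4"},
]

# What the store currently lists: latest version and the host the app pulls
# updates and content from.  An installed app absent from this map is "dead".
# (Constructed; a real run would take this from the store or an MDM feed.)
STORE_CATALOG = {
    "com.example.notes":   {"latest": "2.4.1", "host": "api.notes.example"},
    "com.example.expense": {"latest": "2.0.0", "host": "sync.expense.example"},
}

# Update host recorded when a withdrawn app was last seen in the store (constructed).
LAST_KNOWN_HOSTS = {"com.example.oldchat": "cdn.oldchat.example"}

# Hosts the offline resolver stub treats as still registered (constructed).
RESOLVABLE = {"api.notes.example", "sync.expense.example"}


def stub_resolver(host: str) -> bool:
    """Offline stand-in for DNS so the example runs without network access."""
    return host in RESOLVABLE


def dns_resolver(host: str) -> bool:
    """Live check (not used by default): does the host still resolve?"""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def parse_version(v: str) -> tuple:
    """'1.9.4b' -> (1, 9, 4): numeric components only, so odd strings still compare."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def classify(inventory: List[Dict], catalog: Dict, last_known_hosts: Dict,
             resolves: Callable[[str], bool]) -> List[Dict]:
    """Label each installed app dead/stale/current and test its update host."""
    findings = []
    for row in inventory:
        entry = catalog.get(row["bundle_id"])
        host: Optional[str]
        if entry is None:
            status, host = "dead", last_known_hosts.get(row["bundle_id"])
        elif parse_version(row["version"]) < parse_version(entry["latest"]):
            status, host = "stale", entry["host"]
        else:
            status, host = "current", entry["host"]
        findings.append({
            "device": row["device"],
            "bundle_id": row["bundle_id"],
            "status": status,
            "host": host,
            # An update host that no longer resolves is the takeover precondition
            # in the text: whoever re-registers it can serve "updates" to every
            # remaining install of the app.
            "host_unresolved": host is not None and not resolves(host),
        })
    return findings


def summarise(findings: List[Dict]) -> Dict:
    """Dead/stale share of installs plus hosts that look ripe for takeover."""
    total = len(findings)
    return {
        "dead_pct": round(100 * sum(f["status"] == "dead" for f in findings) / total, 1),
        "stale_pct": round(100 * sum(f["status"] == "stale" for f in findings) / total, 1),
        "takeover_candidates": sorted({f["host"] for f in findings if f["host_unresolved"]}),
    }


if __name__ == "__main__":
    results = classify(INVENTORY, STORE_CATALOG, LAST_KNOWN_HOSTS, stub_resolver)
    for f in results:
        flag = "  <-- update host no longer resolves" if f["host_unresolved"] else ""
        print(f"{f['device']}  {f['bundle_id']:<22} {f['status']:<8} {f['host']}{flag}")
    print(summarise(results))
```

Swap `stub_resolver` for `dns_resolver` to run the host check for real. A host that fails to resolve is only a lead: it may be unregistered, or it may be a dropped DNS record for a domain someone still holds, so confirm with a WHOIS or RDAP lookup before treating it as a takeover candidate.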
The risk from mobiles is not only to the enterprise infrastructure, according to Appthority, but also at a lower level, in the form of "death by a thousand data leaks". While big organisations have traditionally focused on preventing the one big data breach, the kind that exfiltrates email archives or financial data, Appthority points out that the same result can be achieved over a longer time frame through individual mobile devices.
Because these devices hold sensitive data at one time or another, including emails, financial data and valuable contacts, the consequences can be just as bad. By profiling the sales team, for example, an attacker could piece together a company's client list and the details of confidential transactions.
“Our findings confirm that these concerns were valid with regard to consumer apps. They can expose corporate information on a device, which increases the exposure risk surface. Phone records, calendars, email addresses and more are accessed and shared with third parties by most consumer apps,” the report said.
Matt White, senior manager in KPMG's cyber-security practice, told SCMagazineUK.com: "The security problems associated with 'dead apps' and 'stale apps' are not a phenomenon only seen in mobile devices. The issue of 'legacy applications' – software that is no longer sold, supported or not the current available version – has been a potential risk in information security for many years, with arguably the most recent notable example being that of Microsoft ceasing support for Windows XP in 2014, with an estimated 30 percent of Windows users at the time still using the outdated software."
White believes that with the rising consumer uptake of mobile apps, the problem is not going to go away. "But before highlighting failings in notifications from vendor application stores or trying to find a solution, it would be interesting to find out the reasons for the statistics highlighted in the report. The potential risks of security-flawed and unsupported applications are genuine, so why are we seeing the numbers so high? Is it lack of awareness, apathy or due to conscious and strategic decisions within the enterprise?"