Don't let that app stab you in the back


Mobile apps put businesses' security at risk.

Apps, as much as the touch screen or slick user interface, are behind the popularity of the iPhone and iPad. A lack of apps, or at least the perception that fewer apps are available for download, is hampering the take-up of phones based on Microsoft's technologies and on Symbian.

To win in the smartphone business, a vibrant applications market is a must.

But not all apps are exactly what they seem. Even seemingly harmless applications, downloaded from tightly regulated environments such as Apple's own App Store, can pose security risks.

The risk of a smartphone or tablet app containing malware – like a Trojan that sniffs out sensitive data such as passwords – is clear. And some research suggests that as many as 47 per cent of Android apps, for example, access third-party data.

However, an app does not have to be malicious to cause problems. Some apps exploit users' data for commercial rather than criminal reasons: more of a privacy problem than a security issue. Others are simply buggy and crash the phone.

Another risk altogether stems from the way apps work – or do not work – with a user's existing security settings. As Peter Wood, of the security advisory body ISACA, points out, even friendly apps might require users to accept a lower level of security, such as a simpler password, than the web-based equivalent. In some cases even large brands are forcing their customers to downgrade their security settings in order to enjoy the convenience of an app rather than a browser interface.

This is dangerous because a mobile device is, by definition, used out of the office and so more exposed to loss or theft. It could also encourage employees to use weaker credentials for business applications, or to argue against company mandates for measures such as two-factor authentication. After all, if a simple PIN is good enough for the grocery shopping, isn't it enough for everything else too?

Businesses might not even know which apps their staff use, especially if they have opted to allow personal downloads from legitimate online apps stores, or allow staff to bring their own smartphones or tablets to work.

What's more, there is little in the way of standards governing how mobile apps authenticate their users. A lack of input from security professionals into the design of smartphone apps is also part of the problem. Often, app designers appear to put convenience ahead of security or, for whatever reason, assume that customers will accept a lower level of security than they do on the web simply because they are using an app.

Similar concerns surround apps that store data – possibly including passwords – locally, and those that log users in to a service automatically once they have unlocked the device itself: anyone holding the unlocked phone then holds the account.

Think that is far-fetched? That is exactly how the official BlackBerry Facebook app works, and the BlackBerry is widely regarded as the most secure of the mobile platforms.

Banning all apps is unlikely to be popular, or even practical. So IT professionals need to educate their colleagues and explain that even a good app can misbehave – if you let it.

This article originally appeared at ITPro. Copyright © ITPro, Dennis Publishing
