App stores open the door to security vulnerabilities

Securus Global
By Chris Williams*
Thursday, 21 January, 2016

App store owners need to take a much closer look at the security they provide and the vetting they carry out on apps if mobile apps are not to become even more of a vector for security threats than they already are.

Although Apple pays lip service to vetting each app that goes into its store, it also recently had to pull 250 apps that were sending back personal information to central servers somewhere in China, indicating that its oversight is not perfect. The situation with Android is no better — Google does little to vet or have oversight of the apps lodged in its Play Store, making it a vector for malware and other security vulnerabilities.

The problem is compounded by Android’s susceptibility to security flaws. A recent study found that 87% of Android phones (which make up the majority of the world’s phone ecosystem, ahead of iOS) were vulnerable to known security flaws.

Both stores, therefore, are a vector for potential security threats that could wind up compromising corporate networks. This is because of the current trend towards allowing staff to bring their own device into the office and connect to the office network.

Typically this connection is automatic after the first sign-on as the device will pick up the local Wi-Fi network. Once the device is on the local network, it’s a step away from being able to connect to the deeper corporate networks the Wi-Fi is linked to.

The problem IT managers have is that their employees are demanding to use their own devices, along with the convenience of connecting to corporate data via Wi-Fi. Yet those same IT managers have very little say in how the devices are used, or control over the apps that are downloaded onto them.

The current app store situation is a vector for malware to be accidentally loaded onto a user’s device, and then connect to the corporate network. Hackers could then take control of the device, or access the data streams it is sending back, using those streams for clues that would permit them to further penetrate corporate networks.

And that’s to say nothing about the corporate information kept on the device itself. Initiatives such as Google at Work and the burgeoning mobile device management (MDM) software industry go some way to providing an answer to the problem, but it’s not an answer for malware that has been specifically designed to bypass security restrictions on the device.

So what’s the answer? For one, Google needs to more heavily curate the apps being uploaded to its Play Store. The days of it being a free-for-all need to end. Network managers also need to make sure that robust mobile device management software is installed on the devices they are allowing to connect to their Wi-Fi and corporate networks. And most of all, any connection between the Wi-Fi and other corporate networks must be heavily policed and locked down.

*Chris Williams is Chief Executive Officer at Securus Global. He is responsible for the business across a number of online security segments including penetration testing, threat and vulnerability management, PCI auditing as well as governance, risk and compliance.

Image courtesy Doug Belshaw under CC
