
Having rolled out corporate mobile phones and tablets, we have MDM in place enabling us to centrally deploy apps to all our users, and can perform remote wipe in the event of a lost device etc.; however, in order for the device to be of any real use to users they also need to be able to install apps at their own discretion. While we can monitor which apps are installed using the MDM software, we have no real way of identifying which apps, if any, present a potential high risk to our corporate data.

For most apps it is very difficult to ascertain:

  • Whether any data is stored remotely 'in the cloud' on a server administered by the app vendor, or whether all data is stored on the device itself;

  • Whether any data sent/received is transmitted securely between the device and any remote locations using a known secure implementation of SSL;

  • The geographic locations and hosting companies where any data is stored or processed remotely, along with any known reputations of data security, local legislation, active enforcement etc.;

  • Whether the app really has been published by the company it says it has been;

  • Which company the source code has been written by, and what their reputation is for secure development and testing;

  • Whether any third party security companies have already analysed the app and given it a particular rating or review.

The attack surface very much becomes a big unknown when we allow users to use mobile apps, and app publishers very rarely divulge this kind of information.

To give one example, we have identified that a business card scanning app stores its data on servers in the Middle East, which is outside the EU, making use of it in certain circumstances illegal under British data protection law, and if used for business contacts, it could be used for competitive intelligence by authorities in that region where different laws apply.

While it's often not legal to reverse engineer software, I can't believe anyone really has time to do this for every app they come across, so there must be a realistic approach that's not based solely on guesswork.

Does anyone know of any hosted services or apps that provide any kind of app assurance checking for third party apps, or a searchable database with this kind of information? While we wish to embrace technology and use the great apps out there for genuine business purposes, we need to ensure we're doing so within the boundaries of the law, contractual compliance etc. How do other information security professionals approach this issue?

richhallstoke
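As an added illustration (not part of the question or of any product mentioned on this page), the following Python script turns the checklist above into a triage step: it joins a constructed MDM app inventory with constructed assurance records and flags apps whose data is hosted outside approved regions, whose publisher is unverified, whose transport is not known-good TLS, or which have no assurance record at all. The approved-region set, bundle ids, device names and scores are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumption for the example: only these countries may hold corporate data.
APPROVED_REGIONS = {"GB", "IE", "DE", "FR", "NL"}

@dataclass(frozen=True)
class AppAssurance:
    bundle_id: str
    version: str
    publisher_verified: bool       # really published by the company it claims?
    stores_data_remotely: bool     # any data kept on vendor-run servers?
    data_regions: tuple            # ISO country codes where that data is hosted
    tls_verified: bool             # known-good TLS with certificate validation?
    third_party_rating: "int | None"  # 0-100 from an assurance vendor, None = unrated

def assess(app: AppAssurance) -> tuple:
    """Return ('high'|'medium'|'low', [reasons]) for one assurance record."""
    high, medium = [], []
    if not app.publisher_verified:
        high.append("publisher identity not verified")
    if app.stores_data_remotely:
        offshore = sorted(set(app.data_regions) - APPROVED_REGIONS)
        if offshore:
            high.append("data hosted outside approved regions: " + ", ".join(offshore))
        if not app.tls_verified:
            high.append("remote data path lacks verified TLS")
    if app.third_party_rating is None:
        medium.append("no third-party assurance rating")
    elif app.third_party_rating < 50:
        high.append("low assurance rating (%d)" % app.third_party_rating)
    if high:
        return "high", high + medium
    return ("medium", medium) if medium else ("low", [])

def triage(inventory: list, assurance: dict) -> list:
    """Join MDM rows (device, bundle_id, version) with assurance records; a version with no record is the unknown attack surface and is flagged high."""
    findings = []
    for device, bundle_id, version in inventory:
        rec = assurance.get((bundle_id, version))
        risk, reasons = assess(rec) if rec else ("high", ["no assurance record for this version"])
        if risk != "low":
            findings.append((device, bundle_id, risk, reasons))
    return findings

# Constructed sample data: fictitious apps, devices and records, not real vendors.
ASSURANCE = {(a.bundle_id, a.version): a for a in (
    AppAssurance("com.example.cardscan", "2.1", True, True, ("AE",), True, 61),
    AppAssurance("com.example.notes", "5.0", True, False, (), True, 88),
)}
INVENTORY = [("phone-01", "com.example.cardscan", "2.1"),
             ("phone-01", "com.example.notes", "5.0"),
             ("tablet-07", "com.example.flashlight", "1.3")]
```

Running `triage(INVENTORY, ASSURANCE)` flags the card scanner for hosting data in an unapproved region and the flashlight app for having no record at all, while the locally-stored, well-rated notes app is not reported.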

1 Answer


In my department, I am involved in mobile device security, and have looked into a product that does just what you're looking for.

The product that I am familiar with is FireEye Mobile Threat Prevention. https://www.fireeye.com/products/mobile-threat-protection-mobile-security-products.html

I have experienced some of the capabilities of this threat prevention system. It has the capability to scan apps installed on your MDM managed devices and will give the apps a "FireEye Threat Score."

This score is the result of analyzing how the application works on the mobile device, how secure the mobile device encryption is, etc. It really does a good job of describing what vulnerabilities are present in any given app in your environment.

This is not only applicable to apps that have already been scanned and indexed; it will also scan new apps that might be specific to your organization and give you a threat rating.

We tested this product on an app that we were considering implementing, and it gave us a 5-page report with the following information about the app:

  1. Application Code (Detailed information about weaknesses present in the application code)
  2. System (Information about how the app interacts with the phone OS)
  3. Phone (Information related to what phone functions the app needs to access)
  4. Location (Info about what location services the app uses)
  5. Settings (Settings on the phone that the app can change)
  6. Internet (internet settings or calls the app makes)
  7. Personal data (personal data that the app might contain)
  8. File System (Changes to the phone file system that this app makes)

Maumee River

  • This seems like a good solution, but not practical for everyone due to it involving a 1U appliance that needs racking somewhere. I guess I was hoping for an app that could be installed on each device similar to anti-virus software that links through to a vendor operated service where the crunch work is done in the cloud rather than needing a 1U appliance. Once a particular version of a particular app has been analyzed that information could be shared across all endpoint devices rather than having to have every company run its own analysis of each app. – richhallstoke Jan 30 '15 at 15:14
  • I've since found a much better solution than FireEye, Appthority is a hosted solution that integrates directly with AirWatch or MobileIron MDM and the reports have all the information you could ever need or want to know about how an app operates! No appliance needed and the pricing is affordable. See www.appthority.com for more info. – richhallstoke Mar 06 '15 at 17:19