8 ways mobile apps jeopardize your business: How to address the threats

We’ve scanned millions of apps and discovered hundreds of thousands of privacy and security vulnerabilities. This provides us with an unrivaled perspective with which to assess threats in the mobile landscape. Here are the eight most common types of risky mobile apps that we continue to see exposing individuals and businesses.


The Security Risk is Real, How We Know

Is there really a difference between companies collecting data through mobile apps and cybercriminals stealing it, or have the lines become too blurred? To cybercriminals, sensitive data is a gateway to profit and power, regardless of where they get it. They compromise mobile apps to sell stolen information, commit identity theft, or use that information to launch larger attacks. For companies, data represents opportunity—insights that drive decision-making, personalized experiences, and targeted marketing on mobile devices. 

Today, mobile apps and the data they collect are highly sought after by various groups—businesses optimizing ad targeting, cybercriminals exposing vulnerabilities, and nation-state actors trying to target adversaries. Despite the differing goals, mobile apps share a common risk to data security and privacy.

Currently, this is a reality that many individuals and corporations are ill-prepared to contend with. For example, while compliance and security training are common, these current programs rarely focus on mobile devices and apps and don’t offer practical strategies and tactics for securing them. 

We work with some of the largest businesses and government agencies around the world. Through our solutions and services, Quokka has amassed a wealth of intelligence around the types of risky apps that keep making it onto user devices. We’ve scanned millions of apps and discovered hundreds of thousands of privacy and security vulnerabilities. This provides us with an unrivaled perspective with which to assess threats in the mobile landscape.

Eight Types of Risky Mobile Apps

Here are the eight most common types of risky mobile apps that we continue to see exposing individuals and businesses.

#1. Overprivileged Apps 

Either due to profit motives, oversight during the development phase, or malicious intent, many apps attempt to gain far more privileges than they actually need to deliver their purported functionality. Examples of this could include a networking app repeatedly asking to access a user’s contacts or a fitness app trying to access a device’s microphone. 

#2. Colluding Apps 

On their own, these apps may appear to be benign. However, it is the collusion with other apps on a device that may pose significant risk. These apps may “piggyback” on existing applications, or they may be crafted by splitting functionality into separate components that are ultimately deployed on the same device, and then work in tandem. 

For example, one app may have access to contacts, another may access location data. While on their own, they may not pose as grave a threat, if they coordinate and exfiltrate their respective data and send it to a single entity, they can pursue a range of nefarious actions. 

These types of apps are difficult to spot, making them one of the most dangerous categories of apps. Plus, the more apps installed on a given device, the higher the probability and complexity that some dangerous combination of apps may be present. 

#3. Harvester Apps 

These apps extract data and intelligence from a mobile device, often without the user’s knowledge, let alone approval. Most are not built with privacy in mind; while they can appear benign, the real risk lies in the sheer volume of data they collect and the unknown third parties they share that information with. This is a significant concern for organizations that must meet stricter security and compliance requirements. Social media apps are a prime example of apps that use this intelligence to sell ad targeting.

#4. Sloppy Apps

The developers of these apps don’t follow a secure code development approach. Developers may include passwords directly in the code, use third-party libraries without thorough vetting, or release apps without sufficient testing. The lack of a secure coding approach can leave devices exposed to vulnerabilities, potentially leading to data theft or misuse—posing serious risks to organizations with stringent security requirements. 

#5. Leaky Apps 

These apps leak private information, and the number of such problem apps grows by the day. In some cases, data leakage is unintentional, for example because the app developer does not adequately secure network transmissions or data stored on the device. 

For example, an app may offer users a service for filtering spam calls. In order to deliver this type of service, the app would need to be logging calls and sending call details and text data back to a central service. This central service may be exposed to some sophisticated multi-vector attacks, it may have weak encryption or vulnerable cryptographic keys, or it may not be secured at all. 

#6. Shifty Apps

These are apps that modify their behavior to evade detection or scrutiny. One example of this shiftiness was an app that offered access to pirated versions of movies. The app store vendors caught wind of this app and promptly removed it from their stores. Then the app provider delivered what was purported to be a cooking app. However, after it had been downloaded and installed, the app was modified via an update, and began to offer the same illegal movie streaming service that had been blocked previously. While this functionality can be uncovered by deep analysis, it may be able to evade initial detection. 

#7. Chatty Apps 

These apps typically use SMS in a way that exposes sensitive data. For example, an app may leak call logs by transmitting or storing them insecurely, potentially exposing confidential information or compromising user privacy.

#8. Sticky Apps

These apps can needlessly drain the battery and other resources of a mobile device, potentially running constantly in the background and even collecting and sending data to an external source. This is often because they do not follow proper security and development practices. 

Challenges

Whether you develop apps in-house, for your business, or rely on mobile to run your operations, understanding the risks and challenges associated with mobile threats is essential for safeguarding sensitive data, maintaining business continuity, and ensuring compliance with security regulations. 

For app providers and security teams in corporations and government agencies, navigating today’s modern mobile ecosystem poses many challenges:

  • Detecting and preventing supply chain risk. Many apps are built using managed frameworks and third-party libraries to speed up development. However, this can expose the code to vulnerabilities and increase the risk of supply chain attacks that impact the security and privacy of the workforce and its organization.
  • Keeping pace with constant code change. Agile and CI/CD development approaches mean apps are frequently updated, introducing new risks with each release. Even trusted apps can become vulnerable if unvetted third-party code is used. This constant change poses a significant challenge for businesses as they must continuously monitor for new threats and ensure compliance with security standards. 
  • Contending with diminished visibility and control in cloud and SaaS environments. With expanded use of SaaS apps, security teams often lack control or visibility over which devices are accessing corporate resources like email, CRM, or ERP systems. This lack of visibility increases security risks and makes it harder to enforce necessary controls.
  • Balancing user convenience and productivity with security. Striking the right balance between security and usability is critical. If security measures are too complex or time-consuming, employees may bypass them, reducing productivity and undermining overall security efforts.
  • Balancing central security with privacy. While enforcing visibility and management is crucial for protecting corporate data, overstepping into employee privacy can create business risk. If employees feel their personal activities, such as using a dating app on a personal device, are being monitored, it can erode trust and lead to lower adoption rates, reduce productivity and even introduce potential legal or compliance issues. Striking the right balance is essential to maintaining security without compromising employee privacy or trust. 

Guidance & Considerations

For Security Teams in Enterprises and Government Agencies

User Education

End user training is vital…

User education is an essential part of security. More than ever, training must focus on mobile-specific threats, risky apps, and user behaviors. For example, sideloading is a risky behavior that is often overlooked by users to enhance functionality or gain access to apps outside of sanctioned app stores. Employees should be taught where to download apps, which ones to avoid, how to review permissions, and how to recognize warning signs of potential threats. The training should be tailored to the employee, underscoring how their data can be exposed and the personal impact it can have. It should also be aligned with their specific roles, risks, apps, and actions they need to take to stay secure. By empowering employees with this knowledge, organizations can reduce exposure and strengthen their overall security posture.

End user training isn’t enough on its own.

While end user training is vital, it isn’t enough. Here are a few reasons:

  • Security is complex and constantly evolving. It is difficult for any user to keep up with the right configurations, current patches, and upgrades. It can be impossible for a user to determine an app’s safety based on app store information alone. That doesn’t even account for the IT admin who has to review and approve hundreds of apps for their workforce in a timely manner.
  • Security isn’t the user’s focus. In general, most employees are focused on their core responsibilities of getting their jobs done; most don’t have security in their job descriptions. 
  • Humans make errors and have oversights. We see people, even in technology professions where they have been trained on required security practices, occasionally fail to follow them. 

App Vetting

App vetting is essential to ensure that apps running on employees’ mobile devices meet security and privacy compliance standards. But manual vetting processes are time-consuming, prone to human error, and struggle to keep pace with the rapid updates and releases in the mobile app ecosystem. Given the nature of colluding and evolving apps, this job gets even tougher. There are an infinite number of permutations of apps and app versions that may reside on a user’s device at any given time. 
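As an added illustration (not Quokka’s code or anything from the page), the following toy vetting policy encodes two of the categories above, overprivileged apps (#1) and colluding apps (#2), over a constructed device inventory. The category baselines, package names, permission sets and endpoints are all assumptions chosen for the example.

```python
# Added example: a toy app-vetting policy for the "overprivileged" (#1) and
# "colluding" (#2) categories. Baselines, packages and endpoints are assumptions.
from itertools import combinations

# Assumed per-category baseline: permissions an app of that category plausibly needs.
CATEGORY_BASELINE = {
    "fitness": {"ACTIVITY_RECOGNITION", "ACCESS_FINE_LOCATION", "BODY_SENSORS"},
    "networking": {"INTERNET", "CAMERA", "POST_NOTIFICATIONS"},
    "flashlight": {"CAMERA"},
}
# Permissions guarding the kinds of data the article says colluding apps combine.
SENSITIVE = {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "RECORD_AUDIO",
             "READ_SMS", "READ_CALL_LOG"}

# Constructed inventory, in the shape an MDM or vetting export might provide.
INVENTORY = [
    {"package": "com.example.fitness", "category": "fitness",
     "permissions": {"ACTIVITY_RECOGNITION", "ACCESS_FINE_LOCATION", "RECORD_AUDIO"},
     "endpoints": {"analytics.tracker.example"}},
    {"package": "com.example.social", "category": "networking",
     "permissions": {"INTERNET", "READ_CONTACTS"},
     "endpoints": {"analytics.tracker.example", "api.social.example"}},
    {"package": "com.example.torch", "category": "flashlight",
     "permissions": {"CAMERA"}, "endpoints": set()},
]

def overprivileged(app):
    """Category #1: permissions beyond what the app's category baseline justifies."""
    baseline = CATEGORY_BASELINE.get(app["category"], set())
    return sorted(app["permissions"] - baseline)

def colluding_pairs(apps):
    """Category #2: pairs that each hold sensitive permissions the other lacks and
    report to a shared third-party endpoint, so their data can be joined off-device."""
    hits = []
    for a, b in combinations(apps, 2):
        shared = a["endpoints"] & b["endpoints"]
        a_s, b_s = a["permissions"] & SENSITIVE, b["permissions"] & SENSITIVE
        if shared and (a_s - b_s) and (b_s - a_s):
            hits.append((a["package"], b["package"], sorted(shared), sorted(a_s | b_s)))
    return hits

def vet_device(apps):
    """Per-device findings a reviewer would triage; empty lists are dropped."""
    excess = {a["package"]: overprivileged(a) for a in apps}
    return {"overprivileged": {k: v for k, v in excess.items() if v},
            "colluding": colluding_pairs(apps)}

if __name__ == "__main__":
    print(vet_device(INVENTORY))
```

Neither app in the flagged pair is alarming alone; the finding only appears when the inventory is evaluated as a whole, which is the point the section makes about permutations of installed apps.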

By leveraging an automated app vetting solution powered by Contextual Mobile Security Intelligence, organizations can strengthen their security posture, reduce the risk of mobile app threats and ensure compliance without overburdening their security teams. 

For App Developers

For app developers, it is vital to implement security controls and practices throughout the software development lifecycle (SDLC). Security approaches must be aligned with addressing threats and continually adapting defenses as those threats and the code itself continue to evolve. From vetting libraries early in development through to post-production testing, security needs to be an integral part of the process. Here are some vital techniques that teams need to employ:

  • Multi-layered analysis. The only way to be sure about the security of an app is to do a combination of static, dynamic, and interactive behavioral analysis. Security teams need to establish layered defenses, analyze them, and then remediate any vulnerabilities.
  • Penetration testing. Penetration testing represents an important mechanism for validating the security controls in place and identifying potential vulnerabilities. With CI/CD approaches in place, development teams may be releasing weekly or even more frequently. While teams may not be able to do penetration testing weekly, they still need to do so routinely.
  • App testing. Technologies like runtime application self-protection (RASP) can provide important safeguards. With these controls, teams can detect and thwart attacks while apps are running.

How Quokka Can Help

There is no shortage of mobile apps that can jeopardize user and corporate assets. With Quokka solutions, security teams can get in front of these pervasive threats. Quokka delivers the security visibility and actionable insights needed to protect an organization from zero-day mobile vulnerabilities and exploits. Powered by Contextual Mobile Security Intelligence, organizations can gain an accurate understanding of risks, so they can make data-driven decisions about how to proactively secure the mobile ecosystem. 

Q-scout uncovers security and privacy risks posed by mobile apps, identifying malicious, colluding and vulnerable apps on employees’ devices in BYOD (bring your own device) or COPE (corporate-owned personally-enabled) environments. It provides real-time insights into mobile threats, ensuring your workforce stays protected without compromising privacy. Q-scout integrates with MDM solutions and provides security teams with the mobile app intelligence necessary to make risk-based decisions on which mobile apps end users can have installed while still accessing corporate data.

Q-mast integrates automated security testing into your CI/CD pipeline, quickly identifying vulnerabilities and weaknesses in code with comprehensive static (SAST), dynamic (DAST), interactive (IAST) and forced-path execution app analysis. Q-mast pinpoints exactly where code issues lie, ensuring higher privacy & security standards, including NIAP, NIST, and OWASP MASVS.

To learn more about how Quokka can help protect your organization from the growing mobile app risks, request a demo. To learn more about the evolving mobile app security landscape, be sure to watch our webcast, “8 ways attackers target mobile apps to steal your data (and how to stop them).”