Mobile App Mistakes May Account for 75% of Mobile Security Breaches

Posted on June 24, 2014

According to Gartner, nearly 2.2 billion smartphones and tablets will be sold to end users in 2014. And it's a good bet that most of them will wind up housing at least some data that belongs to the device owner's employer.

Mobile device configuration errors can create mobile security risks

Principal research analyst Dionisio Zumerle writes in the Gartner report that while security incidents originating from mobile devices are rare, they are increasing. By 2017, he says that 75 percent of mobile security breaches will be the result of mobile application mistakes, largely in the way users configure or set up mobile apps.

"Mobile security breaches are and will continue to be " the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices," Zumerle said. "A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices."

Jared Hansen, founding CEO of secure mobile printing leader Breezy, agrees that transmitting company data through a public cloud can be costly for businesses of any size. But there are two other common mobile device configuration issues that can lead to data breaches," Hansen adds. One is in allowing mobile app permissions that aren't actually required for the app to operate, and the other is in failing to encrypt data on the mobile device before it is sent.

To do significant damage, malware needs to act on mobile devices that have been altered at an administrative level, or through a connected device (such as a printer or storage network) that has been compromised. "The most obvious platform compromises of this nature are 'jailbreaking' on iOS or 'rooting' on Android devices. They escalate the user's privileges on the device, effectively turning a user into an administrator," Zumerle says.

While these methods allow users to access certain device resources that are normally inaccessible (in fact, in most cases they are performed deliberately by users), they also put data in danger by removing app-specific protections and the safe 'sandbox' provided by the operating system. They can also allow malware to be downloaded to the device and open it up to many kinds of malicious actions, including extraction of enterprise data. 'Rooted' or 'jailbroken' mobile devices also become prone to brute force attacks on passcodes.

The best defense is to keep mobile devices fixed in a safe configuration by means of a mobile device management (MDM) policy, supplemented by app shielding and 'containers' that protect important data. Gartner recommends that IT security leaders follow an MDM/enterprise mobility management baseline for Android and Apple devices including:

IT security leaders also need to use network access control methods to deny enterprise connections for devices that exhibit potentially suspicious activity.

"We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device," said Zumerle.

Secure Mobile Printing & Shadow IT

Breezy CEO Hansen notes that survey after survey shows that if employees can't print from their mobile devices, they will engage in behavior that can seriously compromise security such as transferring files to a cloud storage site, or emailing documents outside the network to an unsecured desktop computer (at a business center, for example) where they can be printed.

Another common attempt by employees to solve mobile printing problems results in "shadow IT" that is, the employee reads about or sees an unauthorized app that promises to solve their printing problem, and installs it on a device without IT control or approval. With several thousand printing apps available across the iOS and Android app stores the risks to IT are clear.

Shadow IT in the form of third-party consumer apps is the Achilles heel of many mobile deployments. Fewer than 1 in 10 mobile device users know that there are malware apps that don't attack the infected device, but lie in wait to attack other computers or networks to which the device subsequently connects. Even fewer, about 1 in 10,000, realize that many mobile apps are designed with risky behaviors as a core part of the app.

According to Network World , at least 80% of mobile apps have security and privacy issues designed into the app. Some apps request permissions that aren't used by the app, creating a security holes that hackers can exploit to steal unencrypted data.

Unmanaged mobile apps can often:

Network World reports that 96% of iOS apps and 84% of Android apps can access at least
one of these data risk categories.

For more information on secure mobile printing, watch this video from Breezy, or download The Definitive Guide to Mobile Printing, a free ebook from Breezy.

Easy to deploy and manage

Customers report that Breezy installations are among the easiest they’ve ever seen for an enterprise product.