Introduction

It was a particularly tumultuous year for mobile security teams, which were faced with a number of hair-raising incidents. Popular gaming apps were used as a platform to launch sophisticated phishing attacks. The official app stores failed to identify several advanced attack techniques and, ultimately, were responsible for distributing malicious apps. A series of iOS vulnerabilities were discovered, affecting Apple’s FaceTime and iMessage apps. And hackers were able to exploit a remote vulnerability in WhatsApp to install spyware, putting more than a billion users at risk.

As organizations fight to secure their valuable data against an ever-growing range of threats, fears of data breaches and increasing regulations around data security and privacy are keeping CISOs up at night. In 2019, high-profile breaches continued to capture public attention, with data leaks coming from household names including Capital One, Zinga, Houzz, Quest Diagnostics, and Dubsmash.

Everybody is waiting for a major breach to happen on a mobile device. The reality is that mobile devices — just like all other enterprise endpoints — are where attacks often start, but rarely where they end. Mobile devices expose data “bread crumbs” (such as login credentials) that can lead hackers to data jackpots. While having login credentials exposed is a concern, the real concern is how these credentials can then be used by a bad actor to gain access to confidential information stored elsewhere.

This report aims to help you understand which threats you need to worry about by examining key security trends and data from organizations that have embraced mobile computing. The key trends we’ve identified concern: app store security, malware, vulnerabilities, phishing attacks, and data privacy.

Our analysis includes data from Wandera’s global network of 425 million sensors, and represents both corporate-owned and BYOD assets, making it the world’s largest and most insightful mobile dataset. With Wandera’s unique architecture, this annual report is the most comprehensive look at the risks facing remote workers and mobile-enabled businesses today.

Trend One

App stores aren’t providing reliable security checks

App vetting is a laborious task, but a necessary one. Malicious apps are increasingly using clever techniques to evade detection. For example, more sophisticated malware will wait a certain number of days before initiating malicious behavior, will only behave badly on a certain network, or they will contain dormant command-and-control code that can be activated by a hacker at any time. Basic checks — such as those performed by the app stores to ensure that apps are performant and adhere to the latest resolution guidelines or user interaction standards — will not catch truly malicious apps.

The official app stores

Apple and Google seem to have reached their limits in terms of how far their existing app vetting tools can scale. Currently, app store security checks focus on high-level usability factors. For example: ‘Does the app do what it says on the box?” ; ‘Is the user experience good?’

As a result, thorough security assessments can fall by the wayside. Apple has acknowledged that it needs to update its screening tools to better detect suspicious applications moving forward. Meanwhile, Google announced its new App Defense Alliance, aimed at improving the security of the Play Store by bringing in security partners to help detect potentially harmful apps.

Until the official app stores can bring more rigor to their security reviews, organizations need to acknowledge that there are risks on the official stores and start taking steps to protect employee devices. Simple measures like only downloading trusted apps and doing your own application vetting is a good place to start.

Third-party app stores

While the App Store and Play Store remain the two largest distribution channels for mobile apps, there’s a big, bad underworld of third-party app stores and apps that exist outside of these two major players. In fact, there are more than 300 app stores worldwide, and that number continues to grow.

While some iOS users may intentionally jailbreak their mobile devices to install security enhancements, most users do it to install applications that aren’t available on the official app stores. It is also possible to install third-party apps without the device being jailbroken; this is a process referred to as sideloading apps. All the user needs to do is configure the device to trust a specific developer and they can then install any app from that developer without going through the app store. This is how a lot of companies install apps for their employees without publishing those apps on the App Store.

Google does not lock down the Android OS as much as Apple does with iOS. While Android’s default configuration does not allow sideloaded apps, it is possible to change settings to allow apps from third-party sources. According to our data, one in five Android users have their devices configured to allow third-party app installs

Sideloaded apps

Users that sideload apps face increased security risks because the application review process enforced by Apple and Google on their official app stores is bypassed and, thus, the device has less protection against inadvertently installed malware.

The number of iOS devices with a sideloaded app installed rose significantly in 2019, up from 3.4% in 2018. The increasing use of BYOD in the workplace is likely to blame because users in that scenario have more control over their devices. Developer certificates also present a risk, and so do jailbreaks. These are both reduced when devices are under management, as companies are able to ensure consistent configuration over time.

Top sideloaded app categories:

  • Games
  • Entertainment
  • Social Media
  • Third-party app stores

Recommendations for effectively managing mobile app risk

Acknowledging that official app distribution channels are not running comprehensive security checks is an important first step; it enables organizations and users to take a more proactive and thoughtful approach to selecting applications. However, app vetting can be a challenge for organizations to adopt because it’s difficult to scale, particularly for larger organizations and those where BYOD and personally enabled corporate devices are in the mix. The best way to manage the problem is to implement a mobile security solution that includes an app vetting component that is coupled with automation and policy enforcement capabilities. This ensures a continuous evaluation of not only apps, but device and user behavior as well. Any time an app exceeds the tolerable risk, action can be taken.