There is no denying it; iOS-centric security and privacy attacks are on the rise. Call me paranoid, but it’s my daily routine on the train each morning to review internal emails on the subject and then read the news to see how my personally identifiable information (PII) is potentially under attack.
Over the years, we have come to trust the Apple App Store and its process of approving apps for release. I’ve read the App developer T&Cs for getting your app onto the store and it seems robust, and I’ve heard many stories about apps being rejected and pulled for using private APIs or pushing the boundaries. Like any good quality store, you expect the App Store to retail “quality goods”. For example, you can’t turn up to Harrods and demand they stock their shelves with your sub-par products such as toys that’ll fall apart on first use or a fridge that will blast your Gmail details across the internet (wait – sorry that actually did happen, but not at Harrods I have to point out), or a kettle that can be hacked, but that’s another story.
So hats off to the App Store team, they’ve approved ~1.5 billion apps. But the law of averages says something has to slip through the digital net. The fact things slip through doesn’t mean we should lose all confidence in the App Store’s approval process, but these days, I think ‘belt-and-braces’ is a very good idea.
I was reminded about my ‘belt-and-braces’ approach again this week with the news that SourceDNA had discovered “hundreds” of iOS apps that were collecting your PII. Apple swooped in and removed the apps (250 of them) citing “violation of security and privacy guidelines”, which of course is great news. However, these apps have been available for download, from your trusted store, for “ages” and the estimated number of downloads is 1 million. In the scheme of things that number isn’t huge, but that is still more data than I know what to do with and plenty enough data for ‘misadventure’, criminal or otherwise. The actual developers of the 250 apps probably aren’t the nefarious computer geniuses we imagine, working in private to harvest your PII for financial gains. They are more likely professional and well-intentioned developers, publishing apps to the world’s largest user-base of devices.
So how has this come about? They’ve been embroiled in this latest security and PII episode thanks (so it is claimed) to a single advertising SDK developed by Youmi – a version of which compromises parts of your PII. If you are interested in reading the fine details – you can see the detailed analysis here.
So could this be a new mobile threat type? I think it is, although I haven’t been able to think of a snappy name yet. This one has grown up over a number of years, during which the developers have matured their techniques in making sure their SDK sneaks through the App Store approval process, and it has steadily gathered pace, being deployed in many new apps from many developers. What better way to get your badly developed or deliberately dodgy code into as many apps as possible than to put it into an SDK that grows in popularity? And what type of SDK is ever more important in this new “free app advertising driven” “appconomy” – you guessed it, advertising. Rather like the recent XcodeGhost exploit, the mobile attack didn’t come from the actual app developer per se; it was the tools used to put the app together that were the problem and the desire to get to market quickly that put your PII at risk. (Don’t even get me started on advertising and how it can burn through your data – that’s a blog for another time.)
At Wandera our “belt-and-braces” is referred to as “multi-level” mobile security, meaning we don’t rely on one all-encompassing security measure. You need security throughout and that means on and off the device, and all these systems need to work together to give you the best mobile threat prevention. The Wandera SmartWire threat intelligence engine is designed to tackle just this problem using its unique visibility into mobile threats, with 600 million data inputs from all over the world working together to implement best-of-breed security. We don’t treat enterprise and personal data separately, because more and more the two are mixed on the same device and a risk to one will probably expose a risk to the other.
That simple, “free”, advert-supported app could have just taken a swipe at your enterprise security measures and might have left a small chink-in-the-armour. Keep going like that and sooner or later a hole will open up, and that’s how, over time, leaks and minor breaches like this can build up a profile making your enterprise a potential target. This underscores the importance of protecting against leaking apps.
Apple made some great choices a while back by blocking, for example, MAC addresses and serial number details from developers. Why? Because by comparing the list of serial numbers gathered from one developer to another developer (and so on), a third party could compile a list of the installed apps on a device. That in itself doesn’t sound too terrible, but let’s imagine those apps exposed a business advantage or, on a personal level, a political persuasion or medical condition.
The Youmi SDK was seen to be gathering such information, so you can see that, with an app footprint of 250 x 1m, that’s a lot of unique data that can be cross-examined. Add into the mix an AppleID with an associated corporate email address and now the attack profile is starting to build out very well. That’s the sort of information that can start a targeted phishing attack on your enterprise (some of the most deadly and widespread attacks), let alone lead to pages and pages of spam email clogging up your inbox, which costs you $$s in data usage to download and is still very much used to spread viruses around the globe at nail-biting speed.
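To make the serial-number comparison described above concrete, here is an added example (not code from this post, Apple or Youmi) that contrasts a device-wide identifier with a per-developer one. The device serials, app names, developer names and keys are constructed, and the HMAC scoping is only a model of a per-developer identifier, not Apple's mechanism.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: apps installed per device, grouped by developer.
DEVICES = {
    "SERIAL-AAA111": {"dev_one": ["HealthTracker"], "dev_two": ["PartyNews"]},
    "SERIAL-BBB222": {"dev_one": ["HealthTracker"], "dev_two": ["CorpVPN"]},
}
# Hypothetical per-developer secrets standing in for an OS-managed scoping value.
VENDOR_KEYS = {"dev_one": b"k1-constructed", "dev_two": b"k2-constructed"}


def global_id(serial, developer):
    """Identifier that every developer sees identically (a hardware serial)."""
    return serial


def vendor_scoped_id(serial, developer):
    """Identifier that differs per developer for the same device (HMAC model)."""
    key = VENDOR_KEYS[developer]
    return hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()[:16]


def collect(id_fn):
    """Records each developer's backend would hold: {developer: {id: [apps]}}."""
    logs = defaultdict(dict)
    for serial, installs in DEVICES.items():
        for developer, apps in installs.items():
            logs[developer][id_fn(serial, developer)] = apps
    return logs


def cross_reference(logs):
    """Merge all developers' records on the identifier they share.

    Returns only identifiers that appear in more than one developer's
    records, i.e. the devices whose installed-app list can be compiled.
    """
    merged, seen_by = defaultdict(list), defaultdict(set)
    for developer, records in logs.items():
        for device_id, apps in records.items():
            merged[device_id].extend(apps)
            seen_by[device_id].add(developer)
    return {d: sorted(merged[d]) for d in merged if len(seen_by[d]) > 1}


if __name__ == "__main__":
    print("shared serial:", cross_reference(collect(global_id)))
    print("scoped id    :", cross_reference(collect(vendor_scoped_id)))
```

With the shared serial, both constructed devices get a combined app list; with the scoped identifier, no records line up across developers.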
You’ve got to wonder what Youmi were thinking when they sneaked code through the App Store and even if you give them the benefit of the doubt, data like this has a nasty habit of falling into the wrong hands. So please think about your enterprise mobile security again. You might feel good about your “Belt” but I’ve a feeling “braces” are the next big thing.