Unsanctioned software and applications running on corporate mobile devices is a security nightmare. These can range from meeting genuine business needs—commonly referred to as Shadow IT—such as efficient, remote communication with colleagues or corporate document management via downloadable messaging and file sharing apps, to using apps for non-work-related lifestyle or entertainment purposes such as socializing, fitness, gaming, and watching sports.
“Unmanaged, personal apps on corporate devices introduce numerous vectors and vulnerabilities for exploitation, including avenues for data exfiltration, cyberattack, surveillance of employee activity from a malicious third party, and so many other things that we see as potential risks to organizations,” Steve Turner, security and risk analyst at Forrester, tells CSO. “These apps aren’t vetted by the organization and can expose employees to a variety of different data, privacy, and other policies that they’ve inadvertently agreed to by downloading and using them.”
The risks posed to businesses by unsolicited apps have intensified since the outbreak of the COVID-19 pandemic and subsequent move to mass remote working, says Kelvin Murray, senior threat researcher at Webroot. “With fewer face-to-face meetings and interactions, employees are looking for new methods to communicate without the formality of an email or Teams call,” he says. “However, with new attack tactics, exploits, and tools emerging through unsolicited apps, mobile devices and apps have never posed as great a threat to organizations as they do now.”
Murray says users tend to disbelieve that cybercriminals will target them, but these apps often request a lot of access to personal information or integration with privileged accounts. “They can be quite effective threat vectors for cunning attackers.”
Popular attacks on mobile devices include remote access Trojans (RATs) and man-in-the-middle (MITM) attacks for accessing user data or eavesdropping, ransomware for restricting access to devices, and fake certificates for side-loading malicious apps, adds Dominic Grunden, CISO at financial service platform Wave Money.
Seemingly genuine and trustworthy apps and app stores can be anything but. For example, Turner alludes to applications posing as one thing and approved onto Apple’s and Google’s walled store gardens that end up being something much more malicious, such as some calculator apps in fact being file transfer mechanisms.
Likewise, it’s not unheard of for trusted app stores such as Google Play to contain apps riddled with malware, points out principal research analyst at the Information Security Forum (ISF), Paul Holland. Even the legitimate TikTok app was caught out last year for capturing copy buffer data from Apple devices when it shouldn’t have been, adds Murray. While the social networking service has since stopped capturing such data, it is an example of the hidden risks potentially posed by such apps if not carefully vetted.
Most concerning of all, new cloud threat research from Netskope discovered that 97% of cloud apps used in the enterprise are unmanaged and often freely adopted. Businesses clearly need to be doing much more to vet which apps employees use on work devices.
So, what unauthorized app types should be highest on a CISO’s risk list and why? Here’s what security experts say.
1. Social media and messaging apps
Probably the most commonly found app types on company-owned devices, social media and messaging apps can cause significant security and privacy headaches for security leaders. “Social media apps have been guilty of tracking what you do across your device, websites you visit, locations you go to, and so much more,” warns Turner. Grunden concurs, citing the likes of Facebook, which is known to have suffered from security holes and vulnerabilities, privacy troubles, and confidential information leaks in the past.
“I also wouldn’t want to see social media apps from outside of the countries that my company is doing business in,” says Turner. “Apps from other countries on a device opens up the doorway/pathway for violating privacy and data retention laws and regulations as they could be potentially utilized for conducting business, malicious insiders exfiltrating data, or malicious actors using the apps to exfiltrate data or compromise a device via a backdoor or zero day.”
Turner notes that some countries require everything to go through the central government. “Is it worth exposing your company’s device to those risks when they don’t even do business in that country?” he asks.
China-based apps are a particular concern for Grunden. “There is not much that needs to be said regarding the inherent security and cyber risk there as apps developed and sourced out of China tend to have backdoors, malicious code, and [they] expose an enterprise’s sensitive data.”
Regarding the security issues surrounding messaging apps, a prevalent issue is that popular services such as WhatsApp, Signal, and Telegram are vendor-hosted, centralized consumer-grade apps. “That means employees’ work-related discussions are sucked onto the app’s servers, leaving the company with no control over how its data is stored or managed and potentially subject to data mining and exfiltration,” says Amandine Le Pape, co-founder of Matrix.org., a not-for-profit open-source project working towards a decentralized IP messaging and VoIP ecosystem for the internet. “Moreover, there’s no formalized moderation and no way to ensure discussion groups are inclusive or contain all relevant parties. Worse, there’s no control around deprovisioning someone who leaves the organization nor auditing, which leads to unaccountable decision-making.”
Security leaders should indeed be concerned if employees are conducting business via consumer- rather than enterprise-grade collaboration and messaging apps, something the UK’s Financial Conduct Authority warned against in January this year.
2. Remote access and cloud storage apps
Amid the migration to mass remote working over the last 18 months, use of remote access and cloud storage applications has grown significantly as organizations and employees have sought out new ways to work securely and efficiently. However, Turner warns of the risks such tools pose to organizations if they find their way onto corporate devices. “I’d never want to find any kind of alternative remote access or cloud storage solution installed on my corporate devices. That just screams data exfiltration,” he tells CSO.
Unwarranted remote access apps can redirect all network traffic on a device to an unknown server/VPN/remote access infrastructure where all company app traffic is now flowing and potentially being collected or analyzed by a third party. “Whether it’s credentials, authentication tokens, etc., it’s all up for grabs in that scenario,” Turner says.
Likewise, alternative cloud storage solutions can be configured to automatically backup files, photos, and other data on your device to them. “If your job is work with files and photos locally on your device, this is another scenario where data can purposely or inadvertently be stored elsewhere, not protected by your company’s security solutions,” Turner explains. Those same apps can be used by attackers and configured to their own accounts to get a copy of the data you’re working with on your device. “All this exposes organizations to potential compromise and data breach incidents by harvesting credentials, sensitive data being exfiltrated and stored improperly, etc.”
These risks will continue to increase for many reasons if unchecked, says Grunden, including ongoing remote working and the vast utilization of apps like Office 365 or Dropbox to share information within organizations, among partners and with customers.
3. Security tool apps
It is possible, on some Windows 10 machines, to download software from the Microsoft Store without the need for administrator privileges, points out Holland. This creates the risk of installing and using unauthorized, sophisticated security tools that should only be used by those in specialist roles.
Unauthorized users that play with security tools such as Wireshark or Kali Linux may have no idea of the damage they could cause to an organization, says Paul Baird, CTSO UK at Qualys. “While the tools are legal, unauthorized use is not. Users could use the tools to eavesdrop on a corporate network, which is particularly harmful if they were a disgruntled employee or inside threat.”
In addition, employees using these tools for fun will likely never have heard of bad actors living off the land, and unauthorized use of these tools can make the job of a bad actor far easier as you’ve essentially given them the tools they need to hack an organization from within, Baird adds. “For example, within Kali Linux, there are hundreds of DDoS tools that have the potential to disrupt the entire corporate network. Particularly given that most DDoS protection layers sit on the perimeter of the network, any DDoS from within is likely to be missed by scanning tools and therefore cannot prevent exploitation.”
4. Third-party app plugins
Third-party app plugins designed to add functionality to even verified apps have the potential to greatly threaten the data of organizations. According to the Netskope report cited earlier, 97% of Google Workspace users have authorized at least one third-party app access to their corporate Google account, potentially exploiting data to third parties due to scopes like view and manage files within a Google Drive.
Ray Canzanese, director of Netskope Threat Labs, tells CSO that app plugins can provide third parties persistent access to data. “For example, the CamScanner app plugin can access all of your documents in Google Drive. CamScanner was found to contain malware and was banned by the Indian government. In other words, third-party app plugins may provide a valid service, but the organizations operating the apps may not be trustworthy enough to handle sensitive data.”
Attackers have also discovered that gaining access to a Google account that controls the mobile device via the App Store/Play Store is much more effective than trying to find vulnerabilities and develop exploits for mobile, which is labor- and time-intensive, says Grunden. Such access provides the keys to the kingdom: confidential data, credit card information, and more. An attacker with a compromised account can access backups and recover data belonging to all apps on a mobile device, including messages, contacts, and call logs, he adds. “If someone steals these accounts, they can permanently track a device and remotely control several key actions (such as making unauthorized purchases or installing malicious apps), causing further damage.”
5. Gaming apps
Corporate devices and networks are not made available to support game playing, whether it’s during work hours or outside, but some try regardless. While this represents a gross misuse of company property and unnecessary expenditure, the security concerns of using corporate devices to install and play gaming software are even worse. “The Steam client, for example, is equivalent to opening a can of worms if installed on any device that has access to the corporate network,” Baird warns. “The sheer quantity of games that can be installed using Steam makes it very difficult for security to maintain visibility of what is on the network and respond accordingly. Any unauthorized software would then fall out of the security team’s patch management process, so gaps could be left open to exploit.” He points to an example from last year when researchers found four vulnerabilities within Valve, Steam’s developer, allowing hackers to take over the third-party service to execute arbitrary code and steal credentials.
“The most dangerous gaming app in my opinion as a CISO is 9Game.com, a portal for downloading free Android games,” adds Grunden. “I have seen more malicious apps come out of this mobile app store than any other over the past couple of years.”
Reducing the risks of unsanctioned mobile apps
When it comes to addressing the risks posed by unsolicited applications on corporate devices by stopping people from installing unapproved software, experts agree that a combination of policy and education is required. “The CISO needs to ensure that their security team is up to speed with the risks posed by unsanctioned applications and that they are adhering to the prescribed rules, as per company policy. This helps to support the drive to monitor and manage the usage across the rest of the staff,” says Holland.
From there, Holland advocates device/app whitelisting to allow only certain executable and associated files to run. “This would mean that any application that was not approved would be stopped before it could be run. This would also help with a malware infested copy of a legitimate application as the executable would be different, usually picked up by the MD5 hash being different. This option can be quite labor intensive to setup and manage but is often worth the effort.”
Tuner adds that such policies can be enforced through endpoint management solutions by instituting an approval flow for unsanctioned apps and remediation of existing unapproved unsanctioned apps.