Mobile devices have permeated our personal lives, and increasingly impact all types of enterprise. The information security industry is just beginning to catch up to the dramatic impact of mobile. We see mobile everywhere: you make payments with your mobile device, send email and chat messages, store photos and documents, and more. More than 60,000 mobile applications are added to the Apple App Store each month, and 179 billion apps were downloaded through 2015. App use is increasing, and so should security. Since inception, NowSecure has focused entirely on mobile, and I would like to share five key challenges facing mobile enterprise security:
You can’t manage risk you can’t see. I say all the time that your phone is a citizen of the world. It talks to China, the U.S., Ireland and more, sending data to numerous countries hundreds of times a day. The average phone connects to about 160 unique servers every day, and every one of those connections is a potential path into your enterprise. NowSecure application security analytics show that 43 percent of Android devices allow installation of unverified apps, leading to potential password leaks, phishing attacks, or countless other vulnerabilities. Visibility into the health of employee-owned devices is essential to mitigating risk and increasing the overall health of your enterprise networks. Read more about how we give enterprises visibility into the security of devices connecting to corporate assets and help quantify that risk with NowSecure Protect.
2. Lack of Mobile App Security Testing
We tested over 400,000 apps and found a high percentage of apps containing significant privacy flaws and leaking sensitive data – we call them leaky apps. For example, 15% of all apps leak unencrypted sensitive data over networks. Our research further shows that 27 percent of apps have at least one high risk security or privacy flaw. Simply put, developers haven’t embraced security testing. Instead of learning from the past, we’re repeating history and ignoring security testing when building apps. NowSecure Lab Automated features automated static, dynamic and interactive security testing after each build by supporting continuous integration tools. Read more about how Lab Automated helps reduce security testing friction.
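The "leaky app" finding above comes from watching what an app actually sends over the network. The following is an added example (not NowSecure Lab code) of the kind of check a dynamic-analysis pipeline runs over captured traffic: it flags sensitive data types (email addresses, password fields, IMEIs, bearer tokens) that travel in cleartext HTTP, and, as a lesser finding, sensitive values placed in an HTTPS URL query string, where they end up in server and proxy logs. The traffic records, app package names and hostnames are constructed for the example; the pattern set is a hypothetical minimal selection.

```python
"""Flag "leaky app" behaviour in captured mobile network traffic.

Added example, not NowSecure code. Each record is a constructed, simplified
view of what an intercepting proxy logs for one request made by an app
under test: app id, scheme, host, path (with query string) and body.
"""
import re
from dataclasses import dataclass

# Sensitive data types to look for (hypothetical selection for this example).
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "password_field": re.compile(r"(?i)(?:^|[&?])(?:pass(?:word)?|pwd)=[^&\s]+"),
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9\-._~+/]+=*"),
}


@dataclass(frozen=True)
class Finding:
    app: str
    host: str
    data_type: str
    severity: str
    reason: str


def _sensitive_types(text):
    """Return the sorted names of every sensitive pattern found in text."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))


def find_leaks(records):
    """Return one Finding per (request, sensitive data type) that is exposed.

    Cleartext HTTP carrying any sensitive type is high severity: anyone on the
    network path can read it. Over HTTPS only the URL query string is checked,
    because query strings are routinely logged by servers and proxies.
    """
    findings = []
    for rec in records:
        query = rec["path"].partition("?")[2]
        header_text = " ".join(f"{k}: {v}" for k, v in rec.get("headers", {}).items())
        everything = " ".join([query, rec.get("body", ""), header_text])
        if rec["scheme"] == "http":
            for data_type in _sensitive_types(everything):
                findings.append(Finding(rec["app"], rec["host"], data_type, "high",
                                        "sensitive data sent in cleartext"))
        else:
            for data_type in _sensitive_types(query):
                findings.append(Finding(rec["app"], rec["host"], data_type, "medium",
                                        "sensitive data in URL query string"))
    return findings


def leaky_app_rate(records):
    """Return (apps with at least one finding, apps tested)."""
    tested = {r["app"] for r in records}
    leaky = {f.app for f in find_leaks(records)}
    return len(leaky), len(tested)


# Constructed sample traffic from four hypothetical apps.
SAMPLE_TRAFFIC = [
    {"app": "com.example.notes", "scheme": "http", "host": "api.example-notes.test",
     "path": "/login", "headers": {}, "body": "user=alice@example.com&password=hunter2"},
    {"app": "com.example.weather", "scheme": "https", "host": "wx.example.test",
     "path": "/forecast?zip=60601", "headers": {}, "body": ""},
    {"app": "com.example.shop", "scheme": "https", "host": "shop.example.test",
     "path": "/track?imei=356938035643809", "headers": {}, "body": ""},
    {"app": "com.example.chat", "scheme": "https", "host": "chat.example.test",
     "path": "/sync", "headers": {"Authorization": "Bearer abc.def.ghi"}, "body": ""},
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_TRAFFIC):
        print(f"[{f.severity}] {f.app} -> {f.host}: {f.data_type} ({f.reason})")
    leaky, total = leaky_app_rate(SAMPLE_TRAFFIC)
    print(f"{leaky} of {total} apps leak sensitive data")
```

The chat app's bearer token in an HTTPS header produces no finding; the same header over plain HTTP would. Running the block reports the notes app (email and password in cleartext) and the shop app (IMEI in an HTTPS query string), so two of the four constructed apps count as leaky.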
3. Vulnerabilities are Often Ignored, Patched Slowly, or Left Unpatched
The research community regularly identifies vulnerabilities in mobile operating systems such as iOS and Android. These vulnerabilities offer hackers opportunities to inflict serious damage on users for long periods as users wait for manufacturers and carriers to push patches. For example, the TowelRoot vulnerability was announced in June of 2014. This vulnerability allows a hacker to potentially gain root access to a user’s device. While identified fairly quickly, we still see devices unpatched over a year later as they await updates. Our research team developed the open-source Vulnerability Test Suite (VTS) for Android to scan devices for more than twenty vulnerabilities. Download VTS for Android on GitHub.
I believe that security is a team sport. There’s an enormous power in crowdsourced data that can offer a broad view of what is happening across the mobile ecosystem. At present, NowSecure receives around 140 million data points from as many as 180 countries daily. How can this intelligence be useful? The data offers insights on mobile security in specific regions around the globe. According to our data, 79 percent of iOS devices have been updated to iOS 9. For Android, only 25 percent of devices are running 5.1.1 or later. Identifying users with outdated versions of an operating system, and vulnerable apps on those devices, is key to securing your data. Take a look at visualized data from NowSecure Intelligence or use our API to roll the data into your own applications.
5. Lack of Preparedness for Mobile Incident Response
No matter how much people invest in security, unexpected things are going to happen. Failures, data loss, suspected malware and other incidents will occur. IT leaders need to be prepared for the inevitable – and you don’t need to search far to see companies that paid dearly when they weren’t ready. Developing a mobile incident response capability can save enterprises a lot of pain and expense down the road. I’ll provide a number of mobile incident response best practices during my talk “The Incident Response Playbook for Android and iOS” at the RSA Conference 2016. If you can’t make it, register for our “Preparing for the inevitable: The mobile incident response playbook” webinar on March 8, 2016.