While mobile device management (MDM) helps organizations configure devices and enforce policy, MDM alone won’t protect your organization from third-party and supply chain mobile app risk. How do you know which mobile apps are safe to use?
Whether government agencies and enterprises provide enterprise-owned mobile devices to staff, enable corporate-owned, personally enabled (COPE) programs or support bring-your-own-device (BYOD) usage, users expect to be able to access thousands of mobile apps for work and play. Mobile administrators and application security teams often find themselves struggling to evaluate a backlog of mobile apps requested by workers, managers and leaders. They test these mobile apps where they can, but cannot stem the tide and risky mobile apps often land on these devices unbeknownst to the organization.
The NowSecure Enterprise Mobile App Risk Management Service can give organizations peace of mind by filling the mobile app security gap not covered by MDM. Offloading the chore of vetting thousands of third-party and supply chain mobile apps for security vulnerabilities and privacy flaws frees agencies to focus on work that advances their mission.
A Comprehensive View
The NowSecure Mobile App Risk Management Service takes a systematic approach of periodic automated risk assessments with in-depth security analysis of all Android and iOS mobile apps installed on mobile devices connected to the organization. Covering anywhere from 100 to 10,000 to 100,000 mobile apps or more, the service delivers a comprehensive view of mobile app risk along with concrete, actionable recommendations for remediation.
Working with your organization, NowSecure security analysts tap a decade of expert mobile app pen testing and forensics services in combination with our automated security testing software to assess millions of mobile apps at scale. Using the mobile app inventory provided by your mobile team (such as via an MDM/MAM app inventory report), the NowSecure automated analysis engine performs static, dynamic and behavioral mobile appsec testing on real devices for all apps found on enterprise-connected devices.
Each mobile app is automatically tested and scored, with vulnerabilities assigned a risk category of high, moderate, caution or low risk based on the Common Vulnerability Scoring System (CVSS) and a proprietary weighted scoring algorithm. NowSecure then automatically computes a single overall Enterprise Security Score tailored to your organization’s security policies. The score offers an enterprise-wide view of risk across your entire app portfolio.
Organizations that engage with NowSecure for the Mobile App Risk Assessment Service will receive a series of quarterly analysis and reports that include the following information necessary to understand, track and improve their overall mobile app risk profile:
- Executive Summary
- Assessment Methodology
- Findings Summary
- Server Location Data
- Specific Apps of Interest
- Recommendations
Reporting the Results
As shown above, the executive summary features the overall Enterprise Security Score and an overview of the mobile apps analyzed broken down by percentages for each risk category. This powerful, single score gives executive management and security teams a simple way to understand their current security posture and a scoring mechanism to track their improvement over time.
On an overall risk range of 0-100, apps scoring lower than 60 present a high degree of risk and strong consideration to not use; apps in the 60-80 range require caution; and those scoring 80 or above are deemed low risk.
The detailed risk assessment methodology describes the scoring criteria and methods used to conduct the analysis and score the mobile apps. As shown in the pie charts below, the distribution of risk rating by install count and by unique apps is shown by risk type (severe, caution, moderate, low).
A risk findings summary highlights critical or high findings with a description and accompanying CVSS scores, the total number of apps that have the finding, and the total number of installs of those apps along with app and package name to take action.
Data Transmission to Foreign & Risky Locations
Of particular interest to federal government agencies and enterprises alike is the destination of their data. Many organizations have policies that prohibit their data touching servers located in high-threat nations or areas at risk of cyberespionage such as China, Russia, North Korea and others.
Using dynamic analysis, a NowSecure mobile app assessment details the server locations (and IP addresses) in which mobile apps connect and attempts to identify the owner of the server as well as its location. Security teams can evaluate the location data to determine if it presents a risk to the organization.
Here’s a sample of that data:
Detailed Remediation Recommendations
The apps of critical interest section of the report offers a deeper review and vetting of up to 10 key mobile apps selected by the customer. These are typically the most important apps for day-to-day operations, whether they were developed internally or come from a third party.
And finally, NowSecure lists recommended apps to blacklist or take corrective action to improve the risk score. This typically includes apps with critical or high vulnerabilities.
Getting Started
The NowSecure Enterprise Risk Assessment Service is an annual program most effectively delivered quarterly to continuously reevaluate apps and associated risks. Get started today by speaking with our NowSecure expert security analyst team to discuss your mobile security policies and app vetting needs to determine which apps are safe for use by the organization. Schedule a meeting here.
