Since the advent of the iPhone, security teams have longed for mobile endpoint security that rivals antivirus and antimalware capabilities for PCs. Although Mobile Threat Defense (MTD) has captured attention from regulated industries and government, it doesn’t provide the price/performance value to justify investment. Mobile app vetting offers a stronger, cost-effective approach to managing mobile risk.
MTD solutions install agents on a mobile device and watch for unusual or malicious behavior at the device, user or app level. They alert users and the IT security team to take action and may offer additional features depending on the vendor. By contrast, mobile app vetting solutions run in the cloud to assess mobile apps for security, privacy and compliance issues by dynamically testing the binary on real iOS and Android mobile devices.
Examining MTD vs. mobile app vetting from the lens of risk helps guide strategic security investments. Are the highest frequency risks at the device, network or app layer? NowSecure has tested of tens of thousands of mobile apps in the Apple® App Store® and Google Play™ store across categories such as organization productivity, travel, hospitality, retail, social media, news, weather and the like, frequently finding a number of serious risk vectors. Based on our experience with clients, here is a sampling of some of the top six mobile risk vectors:
- 1. Many popular commercial mobile apps don’t properly validate hostname/certificate, opening risk of attacker redirecting traffic to a malicious endpoint enables attackers to phish users or harvest their credentials.
- 2. Many popular commercial mobile apps route data and traffic to foreign untrusted IP addresses.
- 3. Many popular commercial mobile apps broadcast a user’s country of origin location data, putting the user and device at risk in foreign lands.
- 4. Many popular commercial mobile apps transmit personal and/or organization information over HTTP, which is easily interceptable over the air.
- 5. Malicious Wi-Fi hotspots in airports and other locations frequented by organization and government employees that mimic official free Wi-Fi services with similar names.
- 6. Outdated Android devices running an old unpatched vulnerable versions of the mobile OS with an exploitable vulnerability.
Real-World Mobile App Risks
While the PC world is full of malware and viruses, Android and iOS are inherently more secure by design with app sandboxing and other built-in protections. Practicing proper mobile device hygiene and controls, only installing apps from official app stores, automating updates and deploying mobile device management configured to security policies provides nearly all of the protection most users need at a substantially lower cost than deploying MTD. In addition to the cost of the pricey software, MTD requires organizations to install agents on every device and carries a significant management and administrative burden. That price/performance value is questionable.
By comparison, mobile app vetting provides more in-depth coverage to mitigate risk. A typical enterprise with 10,000 mobile devices might have 12,000 unique different internal and third-party mobile apps and versions in their portfolio, creating some 12,000 points of risk. NowSecure analysis discovered that 85% of mobile apps fail one or more of the OWASP MASVS; 35% have unencrypted data transmission; and 50% of Android apps dynamically load code missed by static analysis. That means millions of risky mobile apps in the public domain are likely to be loaded on your users’ mobile devices.
Mobile app vetting that is centrally deployed and managed typically costs two times to five times less than MTD, plus eliminates the burden and complexity of managing MTD agents across all devices. As shown below, mobile app vetting protects the organization from more frequently occurring risks of insecure mobile apps at a better price/performance.
Analysis of MTD Performance on Common Mobile Risk Vectors
Find out how a mobile app vetting solution such as one from NowSecure can empower your organization with deep visibility into mobile app security and stop risky apps before they make it onto your enterprise devices. Get a demo to assess the risk level of your third-party mobile apps before incorporating them into your mobile program.