If your company has a BYOD policy, it can be extremely difficult to manage the apps that are installed and used on users’ own devices that are used for work. These apps can often help improve productivity and collaboration, but they can also introduce many new security risks.
User-installed apps have a couple of main drawbacks. One is that employees are likely to download popular apps that are used by millions of other users. This makes those apps an attractive target for hackers, purely because of the potential impact that a successful attack could have. These apps are usually easy to use and make sharing information simple, which makes them attractive for users, but they are also typically less secure than enterprise-level apps.
Installation of non-approved apps on mobile devices that may be used for work falls under the category of shadow IT – software that is installed without approval of the company IT team and can introduce many security risks. The ease of sharing data and information that many of these apps allow also makes them high risk for security breaches.
What Makes an App Risky?
Various factors can make an app a risk to your personal or corporate security.
Poorly implemented OAuth 2.0 authentication (the technology that allows you to log into an app via your Google or Facebook account) can introduce many security flaws as apps using this type of authentication are granted access permissions to user account actions and data on install.
This can be particularly risky if an app is granted permissions for a corporate G Suite account, for example. It means that the app has access to confidential files and data, and can even send email on behalf of a user.
Many apps ask for excessive permissions that are not required for the functionality of the app, and this should be a red flag during installation.
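To make the permissions point concrete, here is an added example (not from the original article and not Spinbackup's algorithm) that ranks third-party OAuth grants on a corporate Google account by the scopes they hold. The record shape follows the Admin SDK Directory API token listing; the weights, the threshold, and the sample apps and users are assumptions constructed for illustration.

```python
# Added example: risk-rank third-party OAuth grants on a corporate Google account.
# Records mimic the token listing of the Admin SDK Directory API
# (clientId, displayText, scopes, userKey); all values below are constructed.

# Scope -> (assumed weight, what the grant allows). Scope strings are Google's.
SCOPE_RISK = {
    "https://mail.google.com/": (5, "read, send and delete all mail"),
    "https://www.googleapis.com/auth/gmail.send": (4, "send email as the user"),
    "https://www.googleapis.com/auth/gmail.readonly": (4, "read all mail"),
    "https://www.googleapis.com/auth/drive": (5, "read, edit and delete all Drive files"),
    "https://www.googleapis.com/auth/drive.readonly": (3, "read all Drive files"),
    "https://www.googleapis.com/auth/contacts": (2, "read and edit contacts"),
    "https://www.googleapis.com/auth/calendar": (2, "read and edit calendars"),
    "https://www.googleapis.com/auth/drive.file": (1, "only files used with the app"),
}
# Sign-in-only scopes: identity, no access to mail or files.
LOW_RISK = {"openid", "email", "profile",
            "https://www.googleapis.com/auth/userinfo.email",
            "https://www.googleapis.com/auth/userinfo.profile"}

def assess(grant, revoke_at=5):
    """Score one grant; unknown scopes get a review weight instead of a pass."""
    score, reasons = 0, []
    for scope in grant["scopes"]:
        if scope in LOW_RISK:
            continue
        weight, meaning = SCOPE_RISK.get(scope, (2, "unrecognised scope, review manually"))
        score += weight
        reasons.append(f"{scope}: {meaning}")
    level = "high" if score >= revoke_at else "medium" if score >= 2 else "low"
    return {"user": grant["userKey"], "app": grant["displayText"],
            "score": score, "level": level, "reasons": reasons}

def audit(grants):
    """Return assessments sorted with the riskiest grant first."""
    return sorted((assess(g) for g in grants), key=lambda a: -a["score"])

# Constructed sample grants (hypothetical apps and users).
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.example",
     "displayText": "Sign-in Only Notes", "scopes": ["openid", "email", "profile"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.example", "displayText": "Free Mobile Game",
     "scopes": ["email", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "333.apps.example", "displayText": "PDF Converter",
     "scopes": ["profile", "https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for a in audit(SAMPLE_GRANTS):
        print(f'{a["level"]:6} {a["score"]:2} {a["user"]} {a["app"]} {a["reasons"]}')
```

The game that asks for full mail and Drive access alongside sign-in is the grant that surfaces first; the other two hold only identity or per-file scopes and stay low.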
Popular apps may also be considered risky. This may not be because they have any particular security flaws, but rather because so many people use them. This makes them a prime target for hackers.
If you think you’re careful about the apps you install and you can detect a risky app before downloading it, you may be surprised. Many of the riskiest apps around today are also the most commonly found on mobile devices – you probably have most of them installed yourself.
1. Clash Royale
If Clash Royale made it onto your download list in 2016, you’re not alone. The game was named the best iPhone game of 2016 by Apple and quickly moved up the charts soon after its release, becoming number one in both the top downloads and top grossing chart.
However, Clash Royale also had the more dubious title of being one of the riskiest apps of 2016. This app is classed as high risk due to the very high number of downloads, rather than any inherent security risks within the app. This makes it a prime target for hackers and means that millions of users could be affected in the event of a data breach.
2. WhatsApp
WhatsApp takes the top place as one of the apps most commonly banned by organizations.
WhatsApp has been criticized for using insecure security protocols and encryption, particularly the way it handles SSL. This could potentially allow a hacker to break the connection, downgrade the encryption, and gain access to messages and other information that is sent through the app.
Essentially WhatsApp was never designed to be a secure messaging app and is designed for casual, personal use, not for use in enterprises.
Nevertheless, many employees do use it for communication including talking about work and sending sensitive corporate files. Companies need to impress upon their employees that this practice is not secure, and company-approved messaging apps with enterprise-level security should be used instead.
A 2015 malware attack targeting users in Singapore also used a fake update of the app to inject the malware onto the users’ smartphones. There is certainly potential for a similar attack to affect more users in the future.
3. Pokemon Go
Pokemon Go exploded worldwide in 2016 as one of the fastest growing apps of all time and brought with it a whole host of security concerns for businesses and individuals alike.
One of the biggest risks with this app initially was that it was rolled out to different countries slowly, meaning it was only available to a limited number of users at first. However, the hype surrounding its release convinced many individuals to download the app from unofficial app stores, putting them at risk of installing compromised apps infected with malware.
Even for those with the official app, privacy quickly became a concern after questions were raised over why the game requested full Google account access to run. This included the ability to read all emails, send emails as you, and access and delete all Google Drive documents.
This was changed in a later update of the game; however, the app still has access to geolocation services, meaning it knows where you are at all times. If a data breach of user data including location information ever occurred, the consequences could be catastrophic.
4. Pinterest
Pinterest has been a popular social networking app for several years now, allowing users to share images in a virtual pinboard. Companies have also cottoned onto the marketing potential of Pinterest and many now use it as part of their overall online marketing strategy.
However there are some privacy concerns and security risks associated with Pinterest that organizations should be aware of. These include:
- Impersonation of brands
- Account hijacking (Pinterest is more vulnerable to this as it does not offer the same level of account protection as other popular social networks)
- Viruses embedded in image files
- Scam pins that could link to malware.
5. Instagram
This photo-sharing social network app was one of the most downloaded apps of 2016 but there have been concerns raised over its security.
In late 2015 a researcher found a number of security flaws, which could have allowed hackers access to any Instagram user’s account. Instagram also lacks two-factor authentication and other advanced security controls, and had weak password requirements, making accounts vulnerable to attack.
While many of these security issues have since been fixed, more flaws continue to be found. Due to its popularity, it’s likely Instagram could be a hacker target for some time to come.
6. Snapchat
Snapchat is well known as a social messaging app and most famous for its humorous facial photo filters, but some brands have also started to use it for marketing purposes. It was also one of the most popular apps of 2016, accruing over 54 million downloads only halfway through the year.
Several vulnerabilities have been discovered in Snapchat since its original launch, including a data breach of over 4.5 million users’ personal details. Although security has improved greatly over the years, many critics still have serious concerns around privacy and use of data collected by the app.
7. Facebook Messenger
Facebook began encouraging users to send messages through this separate messaging app in 2014, eventually removing the chat feature from the Facebook app entirely. This, coupled with the advanced features of Messenger such as video calling, means it quickly became one of the most downloaded apps of 2016.
However, concerns were raised from the start over privacy, mainly due to the lengthy list of permissions that the app requires to run. While a lot of these concerns may have been overblown, the app poses similar security risks to other messaging services such as WhatsApp, in that it is not designed as a secure messaging platform for use in a corporate setting.
8. Pandora
Streaming music app Pandora has been around for several years and has been the subject of many security concerns and data breaches during this time.
However the issues continue to occur and some users were advised to change their passwords in 2016 due to a data breach in a different service, which shared many of the same users.
This is a prime example of how easily apps can be insecure as lack of tight security controls makes it easy to use the same username and password across several services, putting many different accounts at risk.
9. Uber
Taxi app Uber was investigated in 2016 and several security flaws were discovered which could give hackers access to driver and passenger details.
One of the most worrying pieces of data uncovered was the full path of all driver’s trips, alongside other information such as personal data and cost.
Uber was also the target of a large data breach in 2015 that affected thousands of user accounts including customer credit card data and personal details.
10. YouTube
YouTube is now so ubiquitous that the app is installed as standard on many mobile devices. However, it is also a popular method for malware attacks – adverts placed on videos may direct users to malicious sites that encourage downloads of software. One of the most common methods of doing this is to put a fake video of a popular TV show or movie on YouTube with a link to software that promises to allow you to download the real thing.
YouTube may also pose a privacy risk as it is linked to your Google account and keeps a record of all videos viewed under your account.
Even the biggest and most popular apps can pose a security threat to individuals and organizations, and in many cases these very popular apps are among some of the riskiest.
It is not always practical to avoid installing these apps completely, but there are some steps you can take to improve security, particularly if you have an issue with employees installing non-approved apps on devices that are used for work.
The 3rd-party apps audit, provided as part of the cybersecurity service from Spinbackup, allows administrators to view the potential risk level that Spinbackup’s machine algorithm assigns to apps that have access to corporate accounts, revoke access, and even delete apps from employees’ devices if necessary.