Measuring Security Risk in Mobile Apps

The earliest computer security rule that most of us remember was to never, ever download software from an unknown floppy disk. Companies went to great lengths back in the 1990s, for example, to inform their employee base of the serious risks that can emerge if you slide an unmarked floppy into your PC. Given this early emphasis, it is hard to explain why so many current mobile users, even ones employed in critical infrastructure settings, think absolutely nothing of downloading unknown software from an app store. They blindly click on something that looks interesting with little or no concern for the risk that might be introduced by such a download. It therefore seems obvious that security measures and risk reduction measures will be needed in the coming years to rectify this trust issue for mobile apps. I recently had the opportunity to compare notes with my good friend Paul Stich, CEO of Appthority, to try to understand this issue more thoroughly.

EA: Paul, I’m sure you’ve heard this question many times, but should people trust the apps they download to their mobile devices from popular app stores?

PS: No, they should not blindly trust downloaded apps. And this is tough, because we all know that apps are the new form of software consumption. In the past, users would purchase or subscribe to software at the point of download or sale. The developer would get financial compensation directly from the end-user who purchased the software. In the new app-centric model, however, most apps are downloaded for free, yet developers are still expected to produce a great product, provide updates and additional content, and provide support – all for free. Users have to ask themselves where the catch in all this might be. Because developers are not being compensated for their work, they are incentivized to harvest user data and then sell that data to data brokers, advertising networks, and other third parties. Thus, for the most part, when an app is free, your personal data is the product.

EA: Do you see differences in the way Apple and Google review, and then approve or disapprove, mobile apps in their respective stores?

PS: In the past, there was a more stark difference between the app review processes at Apple and Google. Apple relied mostly on human review with very long review cycles and paid close attention to adherence to the App Store’s terms, conditions, copyright issues, and app functionality. Google, in contrast, relied mostly on very brief automated app analysis, and focused on identifying malware and other malicious app activity. Apple has since shortened their app review process, likely through automation, and Google has added human review of copyright concerns and potential violations of Google Play’s terms and conditions. Nevertheless, Apple still takes longer to review and approve apps, and still has a much higher bar in terms of acceptance criteria. For the most part, both do an adequate job of preventing malware from entering the store. Apple does a better job of preventing cloned or fake apps from entering their store, but neither does a good job of preventing apps that, while okay for personal use, are often deemed too risky for enterprise use. This is because so many apps are riddled with code-level vulnerabilities, thus demonstrating data-leaking behaviors, which are designed to harvest and share user data.

EA: Are companies experiencing significant mobile app breaches?

PS: For the most part, companies are not even monitoring their mobile devices, so they are not detecting mobile breaches. MobileIron, for example, disclosed that less than 5% of their customers have an anti-malware solution installed on their mobile devices. It’s safe to say that all companies are experiencing minor mobile breaches, like apps stealing address books, calendars, and other device information which contains sensitive corporate data. However, a major mobile app breach has not yet been disclosed. For now, it can be seen as “death by a thousand data leaks”. Keep in mind that each small data leak, even when it is a leak of personal data, can, in the future, enable a much larger non-mobile hack in the way of a targeted phishing attack, for example.

EA: What techniques have companies used in the past to evaluate software security? Do these still apply in the mobile context?

PS: In the past, companies built and managed whitelists and blacklists to determine what software was acceptable for use within corporate environments. Although some companies have tried to replicate this model in mobile, they’ve quickly realized that it simply does not scale in the mobile context. There are millions of apps out there, and they are versioning so quickly – sometimes more than 10 times per year – that building and managing a whitelist manually is impossible. Automation is key to not only quickly analyzing the apps (as opposed to long pen-testing approaches of the past), but also to automatically remediating against non-compliant apps and devices. Rather than blacklisting apps, for example, many enterprises are now focusing on blacklisting certain risky app behaviors.

EA: How hard is it to review an application to quantify the risk? Do you observe its behavior or do you review the binaries?

PS: Traditional software security analysis usually required access to source code. But source code is not available for public apps on employee devices. Traditional analysis also often involved long, drawn-out penetration testing processes, where a researcher would try to find weaknesses in software by running different commands and testing the software through different scenarios. In the mobile world, however, customers need to identify app risk as quickly as possible, given that employees are downloading new apps, or new versions, every day. Because of the high number of third-party software components like SDKs and libraries being used in apps, relying heavily on static analysis of the app binaries can also lead to a lot of false positives. Thus, it is essential to leverage dynamic analysis, as we do at Appthority, to see how apps really behave at run time. Using an instrumented sandbox, analysis engines are able to track app behaviors and create an adequate risk profile of each app version.

EA: When you perform these reviews, what models are you using to establish risk? Do you fold real-time risk intelligence into the analysis?

PS: Our research team monitors the threat landscape for new types of attack vectors or new evasion techniques by malware families. The team then writes rules for our analysis engines to execute during run-time app analysis. From there, our engines look for these risky behaviors at scale across millions of apps to identify the prevalence of these app behaviors, as well as identify patterns that could indicate combinations of behaviors that form a behavioral signature for emerging threats. Because the analysis engines monitor behaviors at run time, there is real-time intelligence on not only how the app behaves, but also where the app is communicating. A real-time URL/IP threat intelligence feed is then overlaid with the analysis results to see if additional threats are identified.
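The two answers above describe blacklisting risky app behaviors rather than apps, scoring combinations of run-time behaviors as a behavioral signature, and overlaying a URL/IP threat feed on the sandbox results. The following is an added illustration of that scoring model, not Appthority's engine or code; the rule names, weights, thresholds, hostnames and sandbox traces are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed threat-intel feed (placeholder hostnames, not real indicators),
# standing in for the URL/IP feed overlaid on the sandbox results.
THREAT_FEED = {"bad-tracker.example": "data-broker", "payload.example": "malware-c2"}
# Behavior rules: a rule fires when every listed run-time behavior was observed
# together, i.e. a combination that forms a risky behavioral signature.
BEHAVIOR_RULES = [
    ("address_book_exfil", {"read_contacts", "network_send"}, 40),
    ("calendar_exfil", {"read_calendar", "network_send"}, 30),
    ("cleartext_transport", {"network_send", "http_cleartext"}, 20),
    ("credential_prompt_offhost", {"prompt_apple_id", "network_send"}, 50),
]

@dataclass
class AppRun:
    app_id: str
    version: str
    behaviors: set   # behaviors recorded by the instrumented sandbox
    endpoints: list  # hostnames the app contacted during the run

def score_app(run, rules=BEHAVIOR_RULES, feed=THREAT_FEED):
    """Score one app version: behavior rules first, then the threat-feed overlay."""
    findings, score = [], 0
    for name, required, weight in rules:
        if required <= run.behaviors:          # all behaviors of the rule seen together
            findings.append(name)
            score += weight
    for host in run.endpoints:                 # overlay: where did the app talk to?
        label = feed.get(host)
        if label:
            findings.append(f"endpoint:{host}:{label}")
            score += 30 if label == "malware-c2" else 15
    score = min(score, 100)
    verdict = "block" if score >= 60 else "review" if score >= 30 else "allow"
    return {"app": f"{run.app_id}@{run.version}", "score": score,
            "verdict": verdict, "findings": findings}

def version_delta(previous, current):
    """Findings a new version introduced, so an update gets re-vetted on its own merits."""
    return sorted(set(current["findings"]) - set(previous["findings"]))

if __name__ == "__main__":
    # Constructed sandbox traces for two versions of the same (hypothetical) app.
    v1 = AppRun("com.example.notes", "1.0", {"network_send"}, ["api.notes.example"])
    v2 = AppRun("com.example.notes", "1.1",
                {"network_send", "read_contacts", "http_cleartext"},
                ["api.notes.example", "bad-tracker.example"])
    r1, r2 = score_app(v1), score_app(v2)
    print(r1["verdict"], r2["verdict"], version_delta(r1, r2))
```

Version 1.0 scores 0 and is allowed; version 1.1 of the same app picks up address-book exfiltration, cleartext transport and a flagged endpoint, which is exactly the per-version re-scoring the interview calls for.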

EA: Have there been some spectacular finds that you’ve seen in your years now at Appthority? Maybe you found some app that had a ridiculously dangerous Trojan?

PS: We’ve seen a lot of dangerous Trojans in the wild, mostly on third-party app stores. In these cases, malicious actors inject malware into an otherwise good app and release it to unsuspecting users. However, one of the most notable Trojans was a phishing attack in the official Apple App Store. In this case, the developer of a legitimate app accidentally used a contaminated third-party SDK that included malicious code to prompt users to enter their Apple ID, only to intercept it and later use it to attack users, often with ransomware.

EA: Paul, you’re an industry veteran in cybersecurity. What changes have you seen in the past few years on both the offensive and defensive sides?

PS: There are over 1.5 million cybersecurity job openings in the United States alone. With the huge shortage of qualified IT and security professionals within the workplace, corporations continue to struggle, not only with getting increased budgets to purchase security solutions, but also with finding competent staff to manage and use all of these tools and services. As a result, there has been a big push for automation of tools and services that can run on their own and make the IT and security teams more productive.