Veracode recently released analytics from its cloud-based platform showing that, based on the mobile applications it assessed, the average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment.
Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments – across various industries including financial services, media, manufacturing and telecommunications – Veracode found 14,000 unsafe applications of which:
* 85 percent expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
* 37 percent perform suspicious security actions, such as checking to see if the device is rooted or jail-broken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
* 35 percent retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.
“Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO.
According to Gartner, “Through 2015, more than 75 percent of mobile applications will fail basic security tests.” At the same time, cyber criminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.
This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices. Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.
Existing approaches for addressing unsafe mobile apps, such as manually-curated blacklists, are difficult to scale because of the sheer size and constantly-changing nature of the problem. As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.