There’s a hidden challenge enterprises face when securing mobile devices: some apps that are legitimate and useful in a personal context may introduce a major risk for an enterprise.
While it may not be immediately evident, there are in fact two different categories of harmful applications to an enterprise: malicious apps and risky apps.
As the person responsible for securing mobile devices in your enterprise, you must focus on those apps that intend to do harm, but not forget those that may not be intentionally harmful, but still introduce risk. What’s the difference?
Malicious apps set out to harm a device or the data on the device. They often steal user data, commit financial fraud, negatively impact device performance, and more. Whether or not it is actually able to execute its malevolent aim, malicious apps are defined by their intent.
Take, for example, a piece of malware called BankMirage. The creators cloned an Israeli bank’s mobile app in an effort to trick victims into believing the app was real. After victims downloaded the app, it phished their banking login username.
AndroRATIntern is another example of a malicious app. This malware, in the form of an app called Android Analyzer, took advantage of the Android accessibility API in order to steal data specifically from a popular Japanese messaging platform.
Risky apps, on the other hand, are those apps that may not be a binary “good” or “bad,” but an enterprise may deem its activity risky due to its own risk tolerance.
For example, apps that collect location data may pose great risk to an enterprise or government organization deploying employees to sensitive locations.
Another example is a doctor working for a healthcare organization. She might store sensitive patient information in her phone’s contacts and will want to restrict apps that access contact information in order to retain HIPAA compliance.
We think Craig Shumard, the former CISO of Cigna (who is also a consultant for Lookout) puts it well, “If you’re an enterprise that supports BYOD, this kind of ‘annoying threat’ should sound alarms … The fact that contacts and personally identifiable information is taken puts your employees and your proprietary secrets, your competitive edge, at risk.”
Which apps an enterprise deems risky is highly dependent on the company’s industry vertical and the kinds of data mobile devices have access to. Progressive organizations are even adjusting risk level based on the individual employee. For example, a factory line worker or a software engineer may have a different risk level than the CFO and a blanket policy across the organization would be considered too restrictive.
You need to see both
IT departments should understand the nuances between malicious and risky apps and implement security technologies that provide visibility into and protection against both. You want to know and define what kinds of apps pose risk to your company and have a product that both gives you visibility into those apps as well as malicious apps it has already identified.
Want to continue learning about these nuances and more? Read our Why Mobile Security whitepaper.