The BYOD Trojan Horse: Dangerous Mobile App Behaviors & Back-Door Security Risks

Introduction

In the aftermath of the Sony hacker incident, IT security is once again in the spotlight. Connected organizations are being especially vigilant against malicious players seeking to gain entrance into their networks and do harm.

With the rapid infusion of mobile devices within the enterprise and the growing adoption of Bring Your Own Device (BYOD), mobility is also fast becoming another focal point for containing security risk. Shoring up networks to defend against mobile hacker threats is certainly a high IT priority. But what about less obvious risks posed by mobile devices and the apps running on them?

Consider a seemingly innocuous mobile phone flashlight app. Recently a Federal Trade Commission lawsuit revealed that a flashlight app maker was illegally transmitting users’ precise locations and unique device identifiers to third parties, including advertising networks.

Or consider the Environmental Protection Agency’s (EPA) recent embarrassment when an employee playing the “Kim Kardashian: Hollywood” app tweeted out to the EPA’s 52,000 Twitter followers, “I’m now a C-List celebrity in Kim Kardashian: Hollywood. Come join me and become famous too by playing on iPhone!” What happened? The employee was using the app on her BYOD device. Unbeknownst to the employee, the app had the ability to automatically access the phone’s Twitter account and tweet out messages when certain game thresholds were reached. Unfortunately for the EPA, the BYOD device was connected to the EPA’s official Twitter account, not the employee’s.

What’s the lesson here? Mobile app security risk is not limited to malevolent hackers and unfriendly governments. Threats to corporate data and reputation can be hidden – like a trapdoor in a Trojan horse – in the most seemingly innocuous apps, and can be unleashed on the organization by the most well-intentioned employee.

Because of these hidden risks, we wanted to understand whether enterprises are aware of the risky behaviors associated with mobile apps that could compromise data security, and if so, what they’re doing about it.

Rapid Adoption of Enterprise Mobility Continues

According to our survey, enterprises are rapidly implementing the policies and infrastructure necessary to support broad employee access to mobile devices and applications. For instance, 29 percent of respondents have already implemented a mobile device management solution, 20 percent are doing so now, and another 27 percent plan on doing so within two years. 17 percent of respondents have already implemented a mobile application management solution, 15 percent are doing so now, and another 32 percent plan on doing so within two years.

From a security perspective, BYOD policy implementation is an essential counterpart to mobility adoption. According to the survey, 28 percent of respondents have already implemented a BYOD policy, 20 percent are doing so now, and another 23 percent plan on doing so within two years.

Data Security Biggest Challenge When Implementing BYOD Policies

The BYOD policy memorializes an organization’s approach to mobility, and among other things, the rules employees must follow in order to access corporate data and systems from their mobile devices. According to the survey, organizations face a variety of challenges around BYOD policy implementation.

Not surprisingly, the largest percentage of respondents (71 percent) say ensuring data security is one of the biggest challenges they face around implementing BYOD policies. 43 percent say creating and enforcing the BYOD policy counts among their biggest challenges, and another 43 percent say software license tracking, management and optimization of mobile devices are significant challenges.